Details
The number of retries before the SSH login session disconnects.
Rationale:
This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.
Impact:
Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the ‘ip ssh authentication-retries’ command.
Solution
Configure the number of SSH authentication retries:
hostname(config)#ip ssh authentication-retries [3]
Default Value:
SSH is not enabled by default. When set, the default value is 3.
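An added audit helper (not part of the benchmark text) that parses an IOS-style `show running-config` excerpt, reports the configured `ip ssh authentication-retries` value, applies the default of 3 when the line is absent, and produces the remediation line when the value exceeds the recommended maximum. The sample configuration is constructed for the example.

```python
import re

# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-router
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 5
!
line vty 0 4
 transport input ssh
!
"""

# Matches the global configuration line this control is about.
RETRIES_RE = re.compile(r"^ip ssh authentication-retries (\d+)\s*$", re.MULTILINE)

IOS_DEFAULT_RETRIES = 3  # default that applies once SSH is enabled


def ssh_authentication_retries(config: str):
    """Return the explicitly configured retry count, or None if the line is absent."""
    m = RETRIES_RE.search(config)
    return int(m.group(1)) if m else None


def audit_ssh_retries(config: str, maximum: int = 3) -> dict:
    """Evaluate the control: the effective retry count must not exceed `maximum`.

    An absent line is treated as the IOS default (3); the result still records
    that the value is implicit so reviewers can decide whether to set it explicitly.
    """
    explicit = ssh_authentication_retries(config)
    effective = IOS_DEFAULT_RETRIES if explicit is None else explicit
    compliant = effective <= maximum
    return {
        "explicit": explicit,
        "effective": effective,
        "compliant": compliant,
        # Remediation is the command from the Solution section, or None if compliant.
        "remediation": None if compliant else f"ip ssh authentication-retries {maximum}",
    }


if __name__ == "__main__":
    print(audit_ssh_retries(SAMPLE_CONFIG))
```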
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Cisco.