Limiting the Number of User Login Attempts for SSH and Telnet Sessions

Beginning with JUNOS Release 8.0, you can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.

To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:

You can configure the following options.

• tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.
• backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.
• backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.
• minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.

Related Topics

• Configuring JUNOS Software User Accounts