Configuring Password Retry Limits for Telnet and SSH Access
To prevent brute force and dictionary attacks, the services
router performs the following actions for Telnet or SSH sessions by
- Disconnects a session after a maximum of 10 consecutive
- After the second password retry, introduces a delay in
  multiples of 5 seconds between subsequent password retries.
  For example, the services router introduces a delay of 5 seconds
  between the third and fourth password retry, a delay of 10 seconds
  between the fourth and fifth password retry, and so on.
- Enforces a minimum session time of 20 seconds during which
  a session cannot be disconnected. Configuring the minimum session
  time prevents malicious users from disconnecting sessions before the
  password retry delay goes into effect and then attempting brute force
  and dictionary attacks with multiple logins.
You can configure the password retry limits for Telnet and SSH
access. In this example, you configure the services router to take
the following actions for Telnet and SSH sessions:
- Allow a maximum of 4 consecutive password retries before
  disconnecting a session.
- Introduce a delay in multiples of 5 seconds between password
  retries that occur after the second password retry.
- Enforce a minimum session time of 40 seconds during which
  a session cannot be disconnected.
To configure password retry limits for Telnet and SSH access:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 22.
3. If you are finished configuring the network, commit
Table 22: Configuring Password Retry Limits for Telnet and SSH Access
J-Web Configuration Editor
CLI Configuration Editor
Navigate to the Retry options level in
the configuration hierarchy.
In the J-Web interface, select CLI
Tools>Point and Click CLI.
Next to System, click Edit.
Next to Login, click Configure or Edit.
Next to Retry options, click Configure or Edit.
From the  hierarchy level, enter
edit system login retry-options
Configure password retry limits for Telnet and SSH access.
- Tries—Maximum number of consecutive password retries
  before an SSH or Telnet session is disconnected. The default number
  is 10, but you can set a number between 1 and 10.
- Backoff threshold—Threshold number of password retries
  after which a delay is introduced between two consecutive password
  retries. The default number is 2, but you can set a number
  between 1 and 3.
- Backoff factor—Delay (in seconds) between consecutive
  password retries after the threshold number of password retries. The
  default delay is in multiples of 5 seconds, but you can set
  a delay between 5 and 10 seconds.
- Minimum time—Minimum length of time (in seconds)
  during which a Telnet or SSH session cannot be disconnected. The default
  is 20 seconds, but you can set a time between 20 and 60 seconds.
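
The retry behaviour and option ranges described above can be modelled to compare settings before committing them. This is an added example, not Juniper's code: the class and method names are hypothetical, the `set` statement names come from the Junos CLI rather than from this page, and the model assumes a session lasts the larger of the minimum session time and the accumulated backoff delays.

```python
from dataclasses import dataclass

# Allowed ranges as stated on this page for each retry option.
RANGES = {"tries": (1, 10), "threshold": (1, 3), "factor": (5, 10), "min_time": (20, 60)}

@dataclass(frozen=True)
class RetryPolicy:
    tries: int = 10      # consecutive retries before disconnect (page default)
    threshold: int = 2   # retries after which delays begin
    factor: int = 5      # delay grows in multiples of this many seconds
    min_time: int = 20   # seconds during which a session cannot be disconnected

    def __post_init__(self):
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}..{hi}")

    def delays(self):
        """Delay in seconds between retry n and retry n+1, keyed by n.

        Follows the page's example: with threshold 2 and factor 5 the delay is
        5 s between the 3rd and 4th retry, 10 s between the 4th and 5th.
        """
        return {n: self.factor * (n - self.threshold)
                for n in range(self.threshold + 1, self.tries)}

    def session_floor(self):
        """Assumed shortest time one session needs to use all its retries."""
        return max(self.min_time, sum(self.delays().values()))

    def guesses_per_hour(self):
        """Upper bound for one serial client; ignores network and typing time."""
        return self.tries * 3600 / self.session_floor()

    def set_commands(self):
        """Junos CLI statements for this policy (names are not shown on this page)."""
        base = "set system login retry-options"
        return [f"{base} tries-before-disconnect {self.tries}",
                f"{base} backoff-threshold {self.threshold}",
                f"{base} backoff-factor {self.factor}",
                f"{base} minimum-time {self.min_time}"]

if __name__ == "__main__":
    for label, p in (("default", RetryPolicy()),
                     ("example", RetryPolicy(tries=4, min_time=40))):
        print(label, p.delays(), p.session_floor(), round(p.guesses_per_hour()))
        print("\n".join(p.set_commands()))
```

Under these assumptions the default settings cap one serial client at about 257 guesses per hour, while the page's example (4 tries, 40-second minimum) allows 360, because fewer retries per session accumulate less backoff.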