Limiting the Number of Login Attempts for SSH and Telnet Sessions
Beginning with JUNOS release 8.0, you can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:

    [edit system login]
    retry-options {
        tries-before-disconnect number;
        backoff-threshold number;
        backoff-factor seconds;
        minimum-time seconds;
    }
    password {
    }
You can configure the following options:

- tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.
- backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.
- backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.
- minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.
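
As an added example (not Juniper's code), the following Python script checks a retry-options stanza against the ranges listed above, fills in the documented defaults for omitted options, and estimates the delay imposed between password attempts on a single connection. The sample configuration is constructed, the function names are hypothetical, and the delay model is an assumption drawn from the option descriptions rather than from device behavior.

```python
import re

# (min, max, default) for each option, as documented on this page.
LIMITS = {
    "tries-before-disconnect": (1, 10, 10),
    "backoff-threshold": (1, 3, 2),
    "backoff-factor": (5, 10, 5),
    "minimum-time": (20, 60, 40),
}

# Constructed sample configuration, not taken from a real device.
SAMPLE = """
system {
    login {
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 1;
            backoff-factor 10;
            minimum-time 30;
        }
    }
}
"""

def parse_retry_options(config_text):
    """Return (effective options with defaults filled in, list of problems)."""
    match = re.search(r"retry-options\s*\{([^}]*)\}", config_text)
    found = dict(re.findall(r"([a-z-]+)\s+(\d+)\s*;", match.group(1) if match else ""))
    effective, problems = {}, []
    for name, (low, high, default) in LIMITS.items():
        value = int(found.pop(name, default))
        if not low <= value <= high:
            problems.append(f"{name} {value} is outside {low}-{high}")
        effective[name] = value
    problems += [f"unknown option {name}" for name in found]
    return effective, problems

def delays_between_attempts(opts):
    """Seconds of delay after each failed attempt that is followed by another try.
    Assumed model: no delay below backoff-threshold; the failure that reaches
    the threshold costs one backoff-factor, and each later failure adds one more.
    """
    threshold, factor = opts["backoff-threshold"], opts["backoff-factor"]
    return [max(0, n - threshold + 1) * factor
            for n in range(1, opts["tries-before-disconnect"])]

if __name__ == "__main__":
    options, problems = parse_retry_options(SAMPLE)
    print(options, problems, delays_between_attempts(options))
```

Under this assumed model, the documented defaults allow ten guesses per connection with 180 seconds of enforced delay in total, while the sample stanza allows three guesses with 30 seconds of delay.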