Configuring Password Retry Limits for Telnet and SSH Access

To prevent brute force and dictionary attacks, the services router performs the following actions for Telnet or SSH sessions by default:

Disconnects a session after a maximum of 10 consecutive password retries.
After the second password retry, introduces a delay in multiples of 5 seconds between subsequent password retries.
For example, the services router introduces a delay of 5 seconds between the third and fourth password retry, a delay of 10 seconds between the fourth and fifth password retry, and so on.
Enforces a minimum session time of 20 seconds during which a session cannot be disconnected. Configuring the minimum session time prevents malicious users from disconnecting sessions before the password retry delay goes into effect, and attempting brute force and dictionary attacks with multiple logins.

You can configure the password retry limits for telnet and SSH access. In this example, you configure the services router to take the following actions for Telnet and SSH sessions:

Allow a maximum of 4 consecutive password retries before disconnecting a session.
Introduce a delay in multiples of 5 seconds between password retries that occur after the second password retry.
Enforce a minimum session time of 40 seconds during which a session cannot be disconnected.

To configure password retry limits for telnet and SSH access:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 21.
If you are finished configuring the network, commit the configuration.

Table 21: Configuring Password Retry Limits for Telnet and SSH Access

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Retry options level in the configuration hierarchy.	In the J-Web interface, select CLI Tools>Point and Click CLI. Next to System, click Edit. Next to Login, click Configure or Edit. Next to Retry options, click Configure or Edit.	From the [edit] hierarchy level, enter edit system login retry-options
Configure password retry limits for telnet and SSH access. Tries—Maximum number of consecutive password retries before a SSH or telnet sessions is disconnected. The default number is 10, but you can set a number between 1 and 10. Backoff threshold—Threshold number of password retries after which a delay is introduced between two consecutive password retries. The default number is 2, but you canspecify a value from 1 through 3. Backoff factor—Delay (in seconds) between consecutive password retries after the threshold number of password retries. The default delay is in multiples of 5 seconds, but you can specify a value from 5 through 10 seconds. Minimum time—Minimum length of time (in seconds) during which a telnet or SSH session cannot be disconnected. The default is 20 seconds, but you can specify an interval from 20 through 60 seconds.	In the Tries before disconnect box, type 4. In the Backoff threshold box, type 2. In the Backoff factor box, type 5. In the Minimum time box, type 40. Click OK.	Enter set tries-before-disconnect 4 Enter set backoff-threshold 2 Enter set backoff-factor 5 Enter set minimum-time 40

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Retry options level in the configuration hierarchy.

In the J-Web interface, select CLI Tools>Point and Click CLI.
Next to System, click Edit.
Next to Login, click Configure or Edit.
Next to Retry options, click Configure or Edit.

From the [edit] hierarchy level, enter

edit system login retry-options

Configure password retry limits for telnet and SSH access.

Tries—Maximum number of consecutive password retries before a SSH or telnet sessions is disconnected. The default number is 10, but you can set a number between 1 and 10.
Backoff threshold—Threshold number of password retries after which a delay is introduced between two consecutive password retries. The default number is 2, but you canspecify a value from 1 through 3.
Backoff factor—Delay (in seconds) between consecutive password retries after the threshold number of password retries. The default delay is in multiples of 5 seconds, but you can specify a value from 5 through 10 seconds.
Minimum time—Minimum length of time (in seconds) during which a telnet or SSH session cannot be disconnected. The default is 20 seconds, but you can specify an interval from 20 through 60 seconds.

In the Tries before disconnect box, type 4.
In the Backoff threshold box, type 2.
In the Backoff factor box, type 5.
In the Minimum time box, type 40.
Click OK.

Enter
set tries-before-disconnect 4
Enter
set backoff-threshold 2
Enter
set backoff-factor 5
Enter
set minimum-time 40