Limiting the Number of User Login Attempts for SSH and Telnet Sessions

You can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.

To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:

[edit system login]
retry-options {
    tries-before-disconnect number;
    backoff-threshold number;
    backoff-factor seconds;
    maximum-time seconds;
    minimum-time seconds;
}

You can configure the following options:

  • tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.
  • backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.
  • backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.
  • maximum-time—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection is closed. The range is from 20 through 300 seconds, and the default is 120 seconds.
  • minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.
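
The following Python model is an added example, not Juniper code or output. It checks candidate retry-options values against the documented ranges and defaults above, emits the matching Junos set commands, and computes the password-prompt delay a user would see after each failed attempt. The delay formula is an assumption drawn from the description of backoff-factor (the first delay of backoff-factor seconds appears once the number of failures reaches backoff-threshold, and each further failure adds another backoff-factor seconds); confirm it against the behaviour of the release you run before relying on the exact numbers.

```python
from dataclasses import dataclass
from typing import List

# (minimum, maximum, default) for each option, as stated in the documentation.
RANGES = {
    "tries_before_disconnect": (1, 10, 10),
    "backoff_threshold": (1, 3, 2),
    "backoff_factor": (5, 10, 5),
    "maximum_time": (20, 300, 120),
    "minimum_time": (20, 60, 40),
}

# Python attribute name -> Junos option keyword.
JUNOS_NAMES = {
    "tries_before_disconnect": "tries-before-disconnect",
    "backoff_threshold": "backoff-threshold",
    "backoff_factor": "backoff-factor",
    "maximum_time": "maximum-time",
    "minimum_time": "minimum-time",
}


@dataclass(frozen=True)
class RetryOptions:
    """One retry-options block; field defaults are the documented defaults."""
    tries_before_disconnect: int = 10
    backoff_threshold: int = 2
    backoff_factor: int = 5
    maximum_time: int = 120
    minimum_time: int = 40

    def validate(self) -> None:
        """Reject values the CLI would not accept (outside the documented ranges)."""
        for name, (low, high, _default) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{JUNOS_NAMES[name]} {value} is outside the range {low}-{high}")
        # Not stated on the page, but implied by the meaning of the two timers.
        if self.minimum_time > self.maximum_time:
            raise ValueError("minimum-time must not exceed maximum-time")

    def set_commands(self) -> List[str]:
        """Junos 'set' form of this block under [edit system login]."""
        self.validate()
        return [
            f"set system login retry-options {JUNOS_NAMES[name]} {getattr(self, name)}"
            for name in RANGES
        ]


def delay_before_next_attempt(opts: RetryOptions, failed_so_far: int) -> int:
    """Seconds the user waits before the next password prompt after
    `failed_so_far` consecutive failures.

    ASSUMPTION (not spelled out on the page): no delay until the failure count
    reaches backoff-threshold; the first delay is backoff-factor seconds and
    every further failure adds another backoff-factor seconds."""
    if failed_so_far < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failed_so_far - opts.backoff_threshold + 1)


def delay_schedule(opts: RetryOptions) -> List[int]:
    """Delay before attempt 2, 3, ..., tries-before-disconnect (one entry per
    failed attempt that still leaves the connection open)."""
    opts.validate()
    return [delay_before_next_attempt(opts, failed)
            for failed in range(1, opts.tries_before_disconnect)]


def total_backoff_seconds(opts: RetryOptions) -> int:
    """Cumulative waiting time imposed on a client that exhausts every attempt."""
    return sum(delay_schedule(opts))


if __name__ == "__main__":
    for label, opts in (("defaults", RetryOptions()),
                        ("tighter", RetryOptions(tries_before_disconnect=3,
                                                 backoff_threshold=1,
                                                 backoff_factor=10))):
        print(f"--- {label} ---")
        for cmd in opts.set_commands():
            print(cmd)
        print("delay before each retry:", delay_schedule(opts))
        print("total backoff seconds:", total_backoff_seconds(opts))
```

With the documented defaults the model yields delays of 0, 5, 10, ..., 40 seconds across the ten attempts, 180 seconds of enforced waiting in total for a client that guesses until it is disconnected; the tighter block (three tries, threshold 1, factor 10) disconnects after 30 seconds of cumulative delay. Comparing that total against maximum-time is a useful sanity check when tuning the block, since both limit how long a login session can stay open.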

Published: 2010-04-26