Limiting the Number of User Login Attempts for SSH Sessions
A remote administrator may log in to a device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the TOE is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts at 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are again accepted.
You can configure the device to limit the number of attempts to enter a password while logging in through SSH. Using the following command, the connection can be terminated if a user fails to log in after a specified number of attempts:
[edit system login]
user@host# set retry-options tries-before-disconnect <number>
Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default value is 10.
You can also configure the threshold for the number of failed attempts before the user experiences a delay in entering the password again.
[edit system login]
user@host# set retry-options backoff-threshold <number>
Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default value is 2 seconds.
In addition, the device can be configured with a delay, in seconds, before a user can try to enter a password after a failed attempt.
[edit system login]
user@host# set retry-options backoff-factor <number>
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default value is 5 seconds.
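The way the three options interact is easiest to see by computing the delay schedule a session with repeated failures experiences before it is disconnected. The following added example (not Juniper's code) models that policy in Python with the ranges and defaults stated above; the assumption that the delay begins on the attempt after backoff-threshold is made here, as is the rendering of the values as set statements.

```python
"""Model of the Junos retry-options SSH login policy described above.

Assumed interpretation (an assumption of this example, not Juniper code):
  - failed attempts 1..backoff_threshold are accepted with no delay;
  - from the attempt after the threshold on, the user waits
    backoff_factor seconds, then 2*backoff_factor, 3*backoff_factor, ...;
  - after tries_before_disconnect failed attempts the session is closed.
"""
from dataclasses import dataclass

# Valid ranges for each option, as stated in the documentation above.
RANGES = {
    "tries-before-disconnect": (1, 10),
    "backoff-threshold": (1, 3),
    "backoff-factor": (5, 10),
}


def in_range(option: str, value: int) -> bool:
    """True if value is within the documented range for option."""
    lo, hi = RANGES[option]
    return lo <= value <= hi


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 10  # documented default
    backoff_threshold: int = 2         # documented default
    backoff_factor: int = 5            # documented default (seconds)

    def __post_init__(self) -> None:
        for option, value in (("tries-before-disconnect", self.tries_before_disconnect),
                              ("backoff-threshold", self.backoff_threshold),
                              ("backoff-factor", self.backoff_factor)):
            if not in_range(option, value):
                raise ValueError(f"{option}={value} outside range {RANGES[option]}")

    def delay_before_attempt(self, attempt: int) -> int:
        """Seconds the user must wait before attempt number `attempt` (1-based)."""
        steps_past_threshold = attempt - self.backoff_threshold
        return max(0, steps_past_threshold) * self.backoff_factor

    def schedule(self) -> list[int]:
        """Delay before each attempt until the session is disconnected."""
        return [self.delay_before_attempt(n) for n in range(1, self.tries_before_disconnect + 1)]

    def session_cost_seconds(self) -> int:
        """Total waiting time an all-failing session accumulates before disconnect."""
        return sum(self.schedule())

    def to_junos(self) -> list[str]:
        """Render the policy as set statements under [edit system login]."""
        return [f"set retry-options tries-before-disconnect {self.tries_before_disconnect}",
                f"set retry-options backoff-threshold {self.backoff_threshold}",
                f"set retry-options backoff-factor {self.backoff_factor}"]
```

With the defaults, attempts 3 through 10 wait 5, 10, ... 40 seconds, so a session that never authenticates is held for 180 seconds of enforced delay before it is closed.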