Limiting the Number of User Login Attempts for SSH Sessions
An administrator may log in to a device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the Target of Evaluation (TOE) is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts at 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are again accepted.
The administrator configures the amount of time the device stays locked after failed attempts. The lockout-period is the amount of time, in minutes, before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which the administrator can configure the lockout-period is 1 through 43,200 minutes.
[edit system login] user@host# set retry-options lockout-period <number>
The administrator can configure the device to limit the number of attempts to enter a password while logging in through SSH.
[edit system login] user@host# set retry-options tries-before-disconnect <number>
Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if the user fails to log in within the specified number of attempts. The range is 2 through 10, and the default value is 3.
The administrator can also configure the number of failed attempts a user is allowed before a delay is imposed on entering the password again.
[edit system login] user@host# set retry-options backoff-threshold <number>
Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. The range is 1 through 3 failed attempts, and the default value is 2.
In addition, the device can be configured with the delay, in seconds, that a user must wait before trying to enter a password again after a failed attempt.
[edit system login] user@host# set retry-options backoff-factor <number>
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is 5 through 10, and the default value is 5 seconds.
From operational mode, run the following command to manually unlock a user before their lockout period expires:
clear system login lockout user <username>
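The retry-options above interact in a way that is easier to see by running them: the backoff delay, the disconnect after tries-before-disconnect failures, the lockout-period and the manual clear. The following Python model is an added example and is not Junos code or output. It assumes, as a model of the text, that the delay before a prompt is backoff-factor multiplied by the number of failures beyond backoff-threshold, that the lockout starts when a user's consecutive failures reach tries-before-disconnect, and that clear_lockout() corresponds to the clear system login lockout user command. The range checks in RetryOptions use the limits stated above.

```python
"""Model of the SSH login retry-options described above (added example, not Junos code).

Assumptions (not stated exactly on the page):
  * delay before an attempt = backoff-factor * (failures so far - backoff-threshold + 1)
    once the threshold has been reached, otherwise 0;
  * the lockout-period starts when consecutive failures reach tries-before-disconnect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 3   # documented range 2..10, default 3
    backoff_threshold: int = 2         # documented range 1..3 failed attempts, default 2
    backoff_factor: int = 5            # documented range 5..10 seconds, default 5
    lockout_period: int = 1            # documented range 1..43200 minutes, must be > 0

    def __post_init__(self):
        # Reject values outside the documented ranges, as the CLI would.
        checks = (
            ("tries-before-disconnect", self.tries_before_disconnect, 2, 10),
            ("backoff-threshold", self.backoff_threshold, 1, 3),
            ("backoff-factor", self.backoff_factor, 5, 10),
            ("lockout-period", self.lockout_period, 1, 43200),
        )
        for name, value, lo, hi in checks:
            if not lo <= value <= hi:
                raise ValueError(f"{name} must be {lo}..{hi}, got {value}")


def delay_before_attempt(opts: RetryOptions, attempt: int) -> int:
    """Seconds the user waits before password prompt number `attempt` (1-based)
    within one SSH connection. No delay until backoff-threshold failures have
    occurred; afterwards the delay grows by backoff-factor per extra failure."""
    failures_so_far = attempt - 1
    if failures_so_far < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failures_so_far - opts.backoff_threshold + 1)


class LockoutTracker:
    """Tracks consecutive failures and lockout state per user (constructed model)."""

    def __init__(self, opts: RetryOptions):
        self.opts = opts
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time (seconds) at which the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float):
        """Returns ("rejected", seconds_left), ("locked", lockout_seconds)
        or ("retry", delay_before_next_prompt)."""
        if self.is_locked(user, now):
            return ("rejected", self._locked_until[user] - now)
        failures = self._failures.get(user, 0) + 1
        if failures >= self.opts.tries_before_disconnect:
            # Connection closes and the lockout-period (minutes) begins.
            self._failures[user] = 0
            lockout_seconds = self.opts.lockout_period * 60
            self._locked_until[user] = now + lockout_seconds
            return ("locked", lockout_seconds)
        self._failures[user] = failures
        return ("retry", delay_before_attempt(self.opts, failures + 1))

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def clear_lockout(self, user: str) -> None:
        """Equivalent of 'clear system login lockout user <username>'."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    opts = RetryOptions(lockout_period=30)
    tracker = LockoutTracker(opts)
    for t in (0, 1, 10, 20):
        print(t, tracker.record_failure("admin", t))
    tracker.clear_lockout("admin")
    print("locked after clear:", tracker.is_locked("admin", 21))
```

With the defaults, the first two prompts come immediately, the third is delayed 5 seconds, and the third failure closes the connection and starts the lockout; a fourth would have waited 10 seconds had tries-before-disconnect allowed it.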
Lockouts due to failed authentication attempts are not applied to the local console interface. This ensures that an administrator with physical access to the device and valid credentials can always log in via the local console, even if remote access is temporarily disabled due to lockout.
The following command ensures that no 'root' user logins are allowed via SSH:
[edit system] user@host# set services ssh root-login deny
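A defender verifying a device against the statements above will usually do it from a configuration export in "set" format. The following checker is an added example, not a Junos tool; it assumes the export uses the set-statement form shown in this section (set system login retry-options ... and set system services ssh root-login ...), and the two sample configurations are constructed for the example. It reports any retry-options keyword that is missing or outside its documented range, and an SSH root-login setting other than deny.

```python
"""Audit a Junos-style 'set' configuration export for the login hardening
described above (added example, not Junos code)."""
import re

# Documented ranges for each retry-options keyword.
RANGES = {
    "tries-before-disconnect": (2, 10),
    "backoff-threshold": (1, 3),
    "backoff-factor": (5, 10),
    "lockout-period": (1, 43200),
}

RETRY_RE = re.compile(r"^set system login retry-options (\S+) (\d+)$")
ROOT_RE = re.compile(r"^set system services ssh root-login (\S+)$")

# Constructed sample exports (not taken from a real device).
COMPLIANT_CONFIG = """
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 30
set system services ssh root-login deny
"""

WEAK_CONFIG = """
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 20
set system services ssh root-login allow
"""


def audit_login_config(config_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    retry = {}
    root_login = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RETRY_RE.match(line)
        if m:
            retry[m.group(1)] = int(m.group(2))
            continue
        m = ROOT_RE.match(line)
        if m:
            root_login = m.group(1)

    findings = []
    for name, (lo, hi) in RANGES.items():
        if name not in retry:
            # An unset lockout-period means no lockout is applied at all.
            findings.append(f"{name} is not configured")
        elif not lo <= retry[name] <= hi:
            findings.append(f"{name} value {retry[name]} is outside {lo}..{hi}")
    if root_login != "deny":
        detail = f" (found '{root_login}')" if root_login else ""
        findings.append("ssh root-login is not set to deny" + detail)
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_login_config(cfg) or "OK")
```

Feed it the output of show configuration | display set (after extracting the lines of interest) or a stored export; the function only needs the text.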