Limit the Number of User Login Attempts for SSH Sessions
An administrator may log in remotely to a device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the TOE is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts at 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no further authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are accepted again.
The lockout-period statement sets how long, in minutes, an account stays locked after the user fails to log in the number of times allowed by the tries-before-disconnect statement. Once locked out, that user must wait the configured number of minutes before attempting to log in to the device again. During the lockout period, other users (whose accounts are not locked) can still access the TOE. The lockout-period must be greater than zero; the configurable range is 1 through 43,200 minutes.
[edit system login] security-administrator@host:fips# set retry-options lockout-period number
You can configure the device to limit the number of attempts to enter a password while logging in through SSH. Use the following command to limit the number of login attempts.
[edit system login] security-administrator@host:fips# set retry-options tries-before-disconnect number
Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if the user fails to log in within that number of attempts. The range is 1 through 10, and the default value is 10.
You can also configure the threshold, that is, the number of failed attempts after which a user experiences a delay before being able to enter a password again.
[edit system login] security-administrator@host:fips# set retry-options backoff-threshold number
Here, backoff-threshold is the number of failed login attempts before the user experiences a delay in being able to enter a password again; the length of that delay is set separately with the backoff-factor option. The range is 1 through 3 attempts, and the default value is 2 attempts.
In addition, you can configure the delay itself, in seconds, that a user experiences after a failed attempt once the threshold has been reached.
[edit system login] security-administrator@host:fips# set retry-options backoff-factor number
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in again after a failed attempt. The delay increases by the specified value for each subsequent attempt after the threshold. The range is 5 through 10 seconds, and the default value is 5 seconds.
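The four retry-options knobs only make sense together: tries-before-disconnect bounds the guesses on one connection, backoff-threshold and backoff-factor slow those guesses down, and lockout-period decides how soon an attacker can open the next connection against the same account. The following Python model, added here as an illustration and not Junos code, reproduces the ranges and defaults stated above and lets you compute what a password-guessing client can achieve per hour. The assumption that the delay begins with the threshold-th consecutive failure and then grows by backoff-factor on each later failure is ours; the page says only that the delay "increases by the value specified for each subsequent attempt after the threshold".

```python
"""Model of Junos-style SSH login throttling (added illustration, not Junos code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 10  # 1..10 attempts, default 10
    backoff_threshold: int = 2         # 1..3 failures, default 2
    backoff_factor: int = 5            # 5..10 seconds, default 5
    lockout_period: int = 0            # 1..43200 minutes; 0 models "not configured"

    def __post_init__(self) -> None:
        # Mirror the CLI ranges so a mis-set knob fails loudly here, as commit would.
        checks = (
            (1 <= self.tries_before_disconnect <= 10, "tries-before-disconnect 1..10"),
            (1 <= self.backoff_threshold <= 3, "backoff-threshold 1..3"),
            (5 <= self.backoff_factor <= 10, "backoff-factor 5..10 seconds"),
            (0 <= self.lockout_period <= 43200, "lockout-period 1..43200 minutes"),
        )
        for ok, what in checks:
            if not ok:
                raise ValueError(f"out of range: {what}")


def backoff_delay(failures: int, opts: RetryOptions) -> int:
    """Seconds the client must wait after its `failures`-th consecutive failure.

    Assumption (ours): no delay below the threshold; from the threshold-th failure
    on, the delay grows by backoff-factor each time (5, 10, 15, ... with defaults).
    """
    if failures < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failures - opts.backoff_threshold + 1)


def simulate_connection(opts: RetryOptions, password: str,
                        guesses: list[str]) -> list[tuple[str, int]]:
    """Feed password guesses to one SSH connection and record what happens.

    Each entry is one of:
      ("success", 0)          correct password, session opens
      ("fail", delay_s)       wrong password, client must wait delay_s seconds
      ("disconnect", lock_m)  tries-before-disconnect reached: connection closed
                              and the account locked for lock_m minutes (0 = none)
    Guesses after a success or a disconnect are never processed.
    """
    log: list[tuple[str, int]] = []
    failures = 0
    for guess in guesses:
        if guess == password:
            log.append(("success", 0))
            break
        failures += 1
        if failures >= opts.tries_before_disconnect:
            log.append(("disconnect", opts.lockout_period))
            break
        log.append(("fail", backoff_delay(failures, opts)))
    return log


def guesses_per_hour(opts: RetryOptions) -> float:
    """Upper bound on serial online guesses per hour against one account.

    One connection yields tries_before_disconnect guesses, costs the summed
    backoff delays, and (if configured) a lockout before the next connection
    can authenticate as that user again.
    """
    delays = sum(backoff_delay(f, opts)
                 for f in range(1, opts.tries_before_disconnect))
    cycle_seconds = delays + opts.lockout_period * 60
    if cycle_seconds == 0:
        # tries-before-disconnect below the threshold and no lockout: unthrottled
        return float("inf")
    return 3600 * opts.tries_before_disconnect / cycle_seconds


if __name__ == "__main__":
    # Constructed sample run, not captured from a device.
    defaults = RetryOptions()
    strict = RetryOptions(tries_before_disconnect=3, lockout_period=30)
    print(simulate_connection(strict, "s3cret", ["winter", "admin", "root", "s3cret"]))
    print(f"defaults, no lockout: {guesses_per_hour(defaults):.0f} guesses/hour")
    print(f"3 tries + 30 min lockout: {guesses_per_hour(strict):.1f} guesses/hour")
```

With the defaults and no lockout-period, the nine delays on one connection add up to 180 seconds, so a client that simply reconnects can still make about 200 guesses per hour against one account. Setting tries-before-disconnect to 3 and lockout-period to 30 drops that to about 6 per hour, which is the practical reason the lockout must be configured and not left at its unset state.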
You can further control user access through SSH by configuring ssh root-login deny, so that the root account cannot be used to log in over SSH.
[edit system] security-administrator@host:fips# set services ssh root-login deny
Use the clear system login lockout user username command to restore access to a locked account before the lockout period expires.
The SSH2 protocol provides secure terminal sessions using strong encryption. It requires the key-exchange phase to be rerun periodically so that the session's encryption and integrity keys are replaced. Rekeying is triggered after a specified number of minutes or after a specified number of bytes has passed over the connection, and you configure both thresholds. The TSF ensures that the same session keys are used within an SSH connection for no longer than one hour and for no more than one gigabyte of transmitted data; when either threshold is reached, a rekey is performed. The time-limit is given in minutes and the data-limit in bytes, so the following commands set exactly those thresholds.
[edit system] security-administrator@host:fips# set services ssh rekey time-limit 60
[edit system] security-administrator@host:fips# set services ssh rekey data-limit 1073741824
If an SSH connection is broken unintentionally, the administrator must initiate a new SSH connection to log in to the TOE again.
When a connection sends more than the permitted number of pre-authentication packets (128 by default), the connection request is rejected. This prevents potential denial-of-service (DoS) attacks based on excessive memory consumption by unauthenticated clients. You can adjust this limit using the CLI:
[edit system] security-administrator@host:fips# set services ssh max-pre-authentication-packets value
The max-pre-authentication-packets number option defines the maximum number of SSH packets the SSH server accepts from a client before the user authenticates. The range is 20 through 2147483647 packets, and the default value is 128 packets. Avoid values greater than 128 packets so that the protection against DoS attacks remains effective.
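For verification after commit, the statements from this section and the earlier login-retry section appear together in the configuration hierarchy as follows. This is an added illustration rather than output from the original page; the values 3, 2, 5 and 30 for the retry options are example choices (the page fixes only the rekey thresholds and the 128-packet limit), and the lockout-period is set because leaving it unconfigured means no lockout is applied.

```junos
system {
    login {
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 2;
            backoff-factor 5;
            lockout-period 30;
        }
    }
    services {
        ssh {
            root-login deny;
            rekey {
                time-limit 60;
                data-limit 1073741824;
            }
            max-pre-authentication-packets 128;
        }
    }
}
```

Confirm the committed values with show configuration system login retry-options and show configuration system services ssh from operational mode; a missing lockout-period line, or a max-pre-authentication-packets value above 128, is the finding to correct.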
When zeroization is performed, the system removes the old SSH host keys and generates new ones.