
Configuring Password Retry Limits for Telnet and SSH Access

To prevent brute force and dictionary attacks, the device performs the following actions for Telnet or SSH sessions by default:

  • Disconnects a session after a maximum of 10 consecutive password retries.
  • After the second password retry, introduces a delay in multiples of 5 seconds between subsequent password retries.

    For example, the device introduces a delay of 5 seconds between the third and fourth password retry, a delay of 10 seconds between the fourth and fifth password retry, and so on.

  • Enforces a minimum session time of 20 seconds during which a session cannot be disconnected. Configuring the minimum session time prevents malicious users from disconnecting sessions before the password retry delay goes into effect, and attempting brute force and dictionary attacks with multiple logins.

You can configure the password retry limits for Telnet and SSH access. In this example, you configure the device to take the following actions for Telnet and SSH sessions:

  • Allow a maximum of four consecutive password retries before disconnecting a session.
  • Introduce a delay in multiples of 5 seconds between password retries that occur after the second password retry.
  • Enforce a minimum session time of 40 seconds during which a session cannot be disconnected.

To configure password retry limits for Telnet and SSH access:

  1. Set the maximum number of consecutive password retries before a Telnet or SSH session is disconnected. The default number is 10, but you can set a number from 1 through 10.
    [edit system login retry-options]
    user@host# set tries-before-disconnect 4
  2. Set the threshold number of password retries after which a delay is introduced between two consecutive password retries. The default number is 2, but you can specify a value from 1 through 3.
    [edit system login retry-options]
    user@host# set backoff-threshold 2
  3. Set the delay (in seconds) between consecutive password retries after the threshold number of password retries. The default delay is in multiples of 5 seconds, but you can specify a value from 5 through 10 seconds.
    [edit system login retry-options]
    user@host# set backoff-factor 5
  4. Set the minimum length of time (in seconds) during which a Telnet or SSH session cannot be disconnected. The default is 20 seconds, but you can specify an interval from 20 through 60 seconds.
    [edit system login retry-options]
    user@host# set minimum-time 40
  5. If you are done configuring the device, enter commit from configuration mode.
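The following Python model is an added example, not Juniper code and not something that talks to a device. It turns the four retry-options knobs above into the per-session delay schedule, the minimum wall-clock time one session occupies, and the worst-case number of failed guesses per hour the policy tolerates, so you can compare the defaults against the values configured in this example before committing them. Two assumptions are made: the delay after failed retry n is backoff-factor × (n − backoff-threshold) seconds once n exceeds the threshold (read off the page's worked example of 5 s and then 10 s), and minimum-time acts as a floor on how long the client is held in the session; the `guesses_per_hour` figure further assumes the client reconnects the instant the device disconnects it.

```python
"""Model of the Junos Telnet/SSH password-retry policy described above.

Added example (not Juniper's code). The delay formula and the treatment of
minimum-time as a floor on session length are assumptions derived from the
page's description, not a statement of the exact device implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    """The four knobs under [edit system login retry-options], with Junos defaults."""
    tries_before_disconnect: int = 10  # default 10, allowed 1..10
    backoff_threshold: int = 2         # default 2, allowed 1..3
    backoff_factor: int = 5            # default 5 s, allowed 5..10
    minimum_time: int = 20             # default 20 s, allowed 20..60

    def __post_init__(self) -> None:
        # Reject values outside the ranges the configuration steps document.
        if not 1 <= self.tries_before_disconnect <= 10:
            raise ValueError("tries-before-disconnect must be 1 through 10")
        if not 1 <= self.backoff_threshold <= 3:
            raise ValueError("backoff-threshold must be 1 through 3")
        if not 5 <= self.backoff_factor <= 10:
            raise ValueError("backoff-factor must be 5 through 10")
        if not 20 <= self.minimum_time <= 60:
            raise ValueError("minimum-time must be 20 through 60")


def delay_after_retry(opts: RetryOptions, retry: int) -> int:
    """Seconds the device waits after failed retry number `retry` (1-based)
    before accepting the next password; 0 while still within the threshold.
    Assumed formula: factor * (retry - threshold), matching 5 s after the
    3rd retry and 10 s after the 4th with the default threshold and factor."""
    if retry <= opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (retry - opts.backoff_threshold)


def session_schedule(opts: RetryOptions) -> list[int]:
    """Delays imposed inside one session, one entry per failed retry, up to the
    retry that triggers the disconnect (no delay follows that last failure)."""
    return [delay_after_retry(opts, r) for r in range(1, opts.tries_before_disconnect)]


def session_duration(opts: RetryOptions) -> int:
    """Minimum wall-clock seconds one all-failures session lasts. The
    minimum-time floor is what stops a client from dropping the session as
    soon as the first backoff delay would start and simply reconnecting."""
    return max(sum(session_schedule(opts)), opts.minimum_time)


def guesses_per_hour(opts: RetryOptions) -> int:
    """Upper bound on failed guesses one connection can deliver per hour,
    assuming immediate reconnection after every disconnect. Use it to judge
    whether a candidate setting is actually stricter than the defaults."""
    sessions_per_hour = 3600 // session_duration(opts)
    return sessions_per_hour * opts.tries_before_disconnect


def describe(label: str, opts: RetryOptions) -> str:
    """One-line summary used when the module is run directly."""
    return (f"{label}: delays={session_schedule(opts)} "
            f"session>={session_duration(opts)}s "
            f"worst-case guesses/hour={guesses_per_hour(opts)}")


if __name__ == "__main__":
    defaults = RetryOptions()
    configured = RetryOptions(tries_before_disconnect=4, backoff_threshold=2,
                              backoff_factor=5, minimum_time=40)
    print(describe("defaults  ", defaults))
    print(describe("configured", configured))
```

Under these assumptions the defaults hold an all-failures session for 140 s because the cumulative delays (5 + 10 + ... + 35 s) exceed the 20 s floor, whereas the configured values disconnect after four tries with only one 5 s delay, so the 40 s minimum-time becomes the binding limit. Lowering tries-before-disconnect therefore only tightens the policy if minimum-time is raised enough to cover the sessions that are now shorter; check both numbers together rather than in isolation.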

Modified: 2016-07-01