Limiting the Number of User Login Attempts for SSH Sessions

You configure the amount of time the device gets locked after failed attempts. The amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to correctly login after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured amount of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which you can configure the lockout-period is one through 43,200 minutes.

[edit system login] 
user@host# set retry-options lockout-period <number>

You can configure the device to limit the number of attempts to enter a password while logging through SSH. Using the following command, the connection.

[edit system login] 
user@host# set retry-options tries-before-disconnect <number>

Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 2 through 10, and the default value is 3.

You can also configure a delay, in seconds, before a user can try to enter a password after a failed attempt.

[edit system login] 
user@host# set retry-options backoff-threshold  <number>

Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. The range is from 1 through 3, and the default value is 2 seconds.

In addition, the device can be configured to specify the threshold for the number of failed attempts before the user experiences a delay in entering the password again.

[edit system login] 
user@host# set retry-options backoff-factor  <number>

Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default value is 5 seconds.

You can control user access through SSH. By configuring ssh root-login deny , you can ensure the root account remains active and continues to have local administrative privileges to the TOE even if other remote users are logged off.

[edit system] 
user@host# set services ssh root-login deny

The SSH2 protocol provides secure terminal sessions utilizing the secure encryption. The SSH2 protocol enforces running the key-exchange phase and changing the encryption and integrity keys for the session. Key exchange is done periodically, after specified seconds or after specified bytes of data have passed over the connection. You can configure thresholds for SSH rekeying, FCS_SSHS_EXT.1.8 and FCS_SSHC_EXT.1.8. The TSF ensures that within the SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of the transmitted data. When either of the thresholds are reached, a rekey must be performed.

[edit system]
user@host# set services ssh rekey time-limit number

Time limit before renegotiating session keys is 1 through 1440 minutes.

[edit system]
user@host# set services ssh rekey data-limit number

Data limit before renegotiating session keys is 51200 through 4294967295 byte.