J-series™ Services Router Administration Guide

Table 20: CLI ssh Command Options (continued)

| Option | Description |
|---|---|
| interface source-interface | Open an SSH connection to a host on the specified interface. If you do not include this option, all interfaces are used. |
| routing-instance routing-instance-name | Use the specified routing instance for the SSH connection. |
| source address | Use the specified source address for the SSH connection. |
| v1 | Force SSH to use version 1 for the connection. |
| v2 | Force SSH to use version 2 for the connection. |

Configuring Password Retry Limits for Telnet and SSH Access

To prevent brute force and dictionary attacks, the Services Router takes the following actions for Telnet or SSH sessions by default:

Disconnects a session after a maximum of 10 consecutive password retries.

After the second password retry, introduces a delay in multiples of 5 seconds between subsequent password retries.

For example, the Services Router introduces a delay of 5 seconds between the third and fourth password retry, a delay of 10 seconds between the fourth and fifth password retry, and so on.

Enforces a minimum session time of 20 seconds during which a session cannot be disconnected. Configuring the minimum session time prevents malicious users from disconnecting sessions before the password retry delay goes into effect and then attempting brute force and dictionary attacks with multiple logins.

You can configure the password retry limits for Telnet and SSH access. In this example, you configure the Services Router to take the following actions for Telnet and SSH sessions:

Allow a maximum of 4 consecutive password retries before disconnecting a session.

Introduce a delay in multiples of 5 seconds between password retries that occur after the second password retry.

Enforce a minimum session time of 40 seconds during which a session cannot be disconnected.

To configure password retry limits for Telnet and SSH access:

1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.

2. Perform the configuration tasks described in Table 21 on page 27.

3. If you are finished configuring the network, commit the configuration.
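The following model is an added example, not part of the original guide: it computes the delay schedule described above for the default limits and for this example's limits, and sizes the minimum session time needed to keep a lower retry limit from raising the rate of password attempts. The field names and the assumption that a session exhausting its retries lasts the longer of the minimum session time and the accumulated delays are this example's own; parallel sessions are not modeled.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import ceil


@dataclass(frozen=True)
class RetryPolicy:
    tries_before_disconnect: int  # maximum consecutive password retries
    backoff_threshold: int        # retries allowed before delays begin
    backoff_factor: int           # seconds added per retry past the threshold
    minimum_time: int             # seconds during which a session is held

    def delays(self):
        """Seconds of delay between retry k and retry k+1, k = 1..tries-1."""
        return [max(0, k - self.backoff_threshold) * self.backoff_factor
                for k in range(1, self.tries_before_disconnect)]

    def session_seconds(self):
        # Assumption: a session that uses every retry lasts at least
        # minimum_time, or the accumulated delay if that is longer.
        return max(self.minimum_time, sum(self.delays()))

    def attempts_per_hour(self):
        # Upper bound for one client opening sessions back to back.
        return Fraction(self.tries_before_disconnect * 3600,
                        self.session_seconds())


def minimum_time_for(policy, max_attempts_per_hour):
    """Smallest minimum_time (s) that keeps policy at or below the given rate."""
    return ceil(Fraction(policy.tries_before_disconnect * 3600)
                / max_attempts_per_hour)


# Values taken from the text above: router defaults and this example.
DEFAULT = RetryPolicy(10, 2, 5, 20)
EXAMPLE = RetryPolicy(4, 2, 5, 40)

if __name__ == "__main__":
    for name, p in (("default", DEFAULT), ("example", EXAMPLE)):
        print(name, p.delays(), p.session_seconds(),
              float(p.attempts_per_hour()))
    print("minimum_time for example to match default rate:",
          minimum_time_for(EXAMPLE, DEFAULT.attempts_per_hour()))
```

With only 4 retries, just 5 seconds of delay accumulate per session, so under this model the minimum session time is the setting that bounds the attempt rate.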
