Profile Applicability:
• Level 1
Description:
The ClientAliveInterval and ClientAliveCountMax settings in the SSH daemon (sshd) configuration help detect and terminate inactive SSH sessions. Properly configuring these parameters improves session management and security by closing idle connections.
Rationale:
Closing idle SSH sessions reduces the risk of unauthorized access via abandoned connections and helps free system resources.
Impact:
Pros:
• Improves security by limiting idle session duration.
• Helps prevent potential hijacking of inactive sessions.
Cons:
• May disconnect users during temporary network issues if values are too aggressive.
Default Value:
Defaults vary; often, these parameters are unset or configured with long intervals.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current settings in /etc/ssh/sshd_config:
grep -Ei '^[[:space:]]*ClientAlive(Interval|CountMax)' /etc/ssh/sshd_config
Verify the values for both parameters.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Add or update the following directives with recommended values, for example:
ClientAliveInterval 300
ClientAliveCountMax 3
Save the file and restart sshd:
systemctl restart sshd
Verify the configuration:
grep -Ei '^[[:space:]]*ClientAlive(Interval|CountMax)' /etc/ssh/sshd_config
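The grep checks above only show lines in the main file. The following shell function is an added example, not part of the original benchmark text: it evaluates the two directives the way sshd reads them (case-insensitive keywords, first occurrence wins, global section only). The function name is hypothetical, and treating the page's example values 300 and 3 as upper bounds is an assumption.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` output or sshd_config text on stdin and
# evaluates the global ClientAlive* settings.
# Assumption: the page's example values are treated as upper bounds.
MAX_INTERVAL=300
MAX_COUNT=3

# Prints one PASS/FAIL line; returns 0 on PASS, 1 on FAIL.
check_client_alive() {
    awk -v maxi="$MAX_INTERVAL" -v maxc="$MAX_COUNT" '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            sub(/=/, " ")                    # accept the Keyword=value form
            key = tolower($1)                # keywords are case-insensitive
            if (key == "match") exit         # stop at the first Match block
            # sshd uses the first value it obtains for each keyword
            if (key == "clientaliveinterval" && i == "") i = $2
            if (key == "clientalivecountmax" && c == "") c = $2
        }
        END {
            if (i == "" || c == "") {
                print "FAIL ClientAliveInterval or ClientAliveCountMax not set"
                exit 1
            }
            if (i !~ /^[0-9]+$/ || c !~ /^[0-9]+$/) {
                print "FAIL non-numeric value: " i " / " c
                exit 1
            }
            if (i + 0 == 0 || c + 0 == 0) {
                print "FAIL a zero value does not give the intended timeout"
                exit 1
            }
            if (i + 0 > maxi || c + 0 > maxc) {
                print "FAIL values exceed " maxi " / " maxc ": " i " / " c
                exit 1
            }
            printf "PASS unresponsive client dropped after about %d seconds\n", i * c
        }'
}

# Constructed sample input, not taken from a real host.
check_client_alive <<'EOF' || true
# ClientAliveInterval 15
  clientaliveinterval=120
ClientAliveCountMax 2
ClientAliveInterval 9999
Match User backup
    ClientAliveCountMax 0
EOF

# On a live system (as root): sshd -t && sshd -T | check_client_alive
```

Running sshd -t before the restart catches syntax errors that would otherwise stop the daemon from starting, and sshd -T prints the effective configuration, including directives pulled in from included files that a grep of the main file does not see.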
Backout Plan:
Using Linux command line:
Revert to previous values if needed.
Restart sshd and confirm connectivity.
References: