Profile Applicability:
• Level 1
Description:
The LoginGraceTime option in the SSH daemon (sshd) configuration specifies the time allowed for a user to successfully authenticate before the server disconnects. Proper configuration limits the window for potential brute-force login attempts.
Rationale:
Setting a reasonable LoginGraceTime reduces exposure to automated attacks and unauthorized access attempts by limiting authentication time.
Impact:
Pros:
• Helps prevent brute-force and denial-of-service attacks.
• Supports secure authentication practices.
Cons:
• Setting too short a time may inconvenience users with slow connections.
Default Value:
Defaults vary, often set to 120 seconds if not explicitly configured.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current LoginGraceTime setting in /etc/ssh/sshd_config:
grep -Ei '^[[:space:]]*LoginGraceTime' /etc/ssh/sshd_config
Verify the configured timeout value.
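The following audit script is an added example, not part of the original benchmark text. It shows why a plain grep can mislead: sshd uses the first occurrence of a keyword, matches keywords case-insensitively, and accepts time values such as 1m30s. The function names and the 60-second ceiling (taken from the example value on this page) are assumptions, and the script reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Convert an sshd time value (60, 90s, 2m, 1m30s, 1h) to seconds; 1 on bad input.
to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}                 # leading run of digits
        [ -n "$num" ] || return 1
        rest=${rest#"$num"}
        unit=${rest%"${rest#?}"}             # one-character unit, may be empty
        rest=${rest#?}
        while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
        case $unit in
            ''|s|S) mult=1 ;;
            m|M)    mult=60 ;;
            h|H)    mult=3600 ;;
            d|D)    mult=86400 ;;
            w|W)    mult=604800 ;;
            *)      return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Print the value sshd would use from FILE: keywords are case-insensitive,
# may be indented, and the first occurrence wins. 120 is the OpenSSH default.
effective_grace() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
         END { if (!found) print "120" }' "$1"
}

# Return 0 when the effective value is 1..MAX seconds (MAX defaults to 60, an
# assumption taken from the page's example). 0 disables the limit, so it fails.
check_grace() {
    secs=$(to_seconds "$(effective_grace "$1")") || return 2
    [ "$secs" -ge 1 ] && [ "$secs" -le "${2:-60}" ]
}

# Constructed sample: commented default, indented lower-case directive that
# takes effect, and a later duplicate that sshd ignores.
sample=$(mktemp)
printf '%s\n' '#LoginGraceTime 2m' '  logingracetime 1m30s' 'LoginGraceTime 30' > "$sample"
if check_grace "$sample"; then echo "PASS"; else
    echo "FAIL: effective LoginGraceTime is $(effective_grace "$sample")"
fi
```

On a live host, `sshd -T` prints the effective configuration, including included files, and is the authoritative source for the value in use.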
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Add or update the LoginGraceTime directive, for example:
LoginGraceTime 60
Save the file and restart sshd:
systemctl restart sshd
Confirm the setting:
grep -Ei '^[[:space:]]*LoginGraceTime' /etc/ssh/sshd_config
Backout Plan:
Using Linux command line:
Revert to previous LoginGraceTime settings if necessary.
Restart sshd and verify usability.
References: