Profile Applicability:
 • Level 1

Description:
The LoginGraceTime option in the SSH daemon (sshd) configuration specifies the time allowed for a user to successfully authenticate before the server disconnects. Proper configuration limits the window for potential brute-force login attempts.

Rationale:
Setting a reasonable LoginGraceTime reduces exposure to automated attacks and unauthorized access attempts by limiting authentication time.

Impact:
Pros:

  • Helps prevent brute-force and denial-of-service attacks.

  • Supports secure authentication practices.

Cons:

  • Setting too short a time may inconvenience users with slow connections.

Default Value:
Defaults vary, often set to 120 seconds if not explicitly configured.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

Check current LoginGraceTime setting in /etc/ssh/sshd_config:

grep ^LoginGraceTime /etc/ssh/sshd_config

  1. Verify the configured timeout value.

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Add or update the LoginGraceTime directive, for example:

LoginGraceTime 60

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^LoginGraceTime /etc/ssh/sshd_config
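An added audit helper, not part of this benchmark, that applies the Test Plan check and the confirmation step above to an sshd_config-style file: it takes the first uncommented LoginGraceTime directive (sshd uses the first occurrence), converts sshd time suffixes (s, m, h) to seconds, and passes only when the value is above 0 and no more than a maximum (60 seconds here, matching the implementation example). The function names and the sample configuration files are constructed for this example; it reads a file rather than the running daemon.

```shell
#!/bin/sh
# Constructed example: audit LoginGraceTime in an sshd_config-style file.
# sshd uses the FIRST uncommented occurrence of a directive, so we do too.

# Convert an sshd time value (60, 60s, 2m, 1h, 1m30s ...) to seconds.
# Prints -1 for anything that is not a valid time value.
grace_to_seconds() {
    echo "$1" | awk '{
        v = tolower($0); total = 0; num = ""
        for (i = 1; i <= length(v); i++) {
            c = substr(v, i, 1)
            if (c ~ /[0-9]/) { num = num c; continue }
            if (num == "") { print "-1"; exit }
            if (c == "s") total += num
            else if (c == "m") total += num * 60
            else if (c == "h") total += num * 3600
            else { print "-1"; exit }
            num = ""
        }
        if (num != "") total += num
        print total
    }'
}

# Print the first LoginGraceTime value in FILE (keywords are case-insensitive,
# comment lines start with '#'); prints nothing when the directive is absent.
login_grace_value() {
    awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1"
}

# Return 0 (pass) when the effective value is above 0 and at most MAX seconds.
# An absent directive falls back to the sshd default of 120 seconds.
check_login_grace_time() {
    file=$1; max=${2:-60}
    raw=$(login_grace_value "$file")
    [ -n "$raw" ] || raw=120
    secs=$(grace_to_seconds "$raw")
    [ "$secs" -gt 0 ] && [ "$secs" -le "$max" ]
}

# Constructed sample configs so the script runs without touching the real host.
tmp=$(mktemp -d)
printf '# LoginGraceTime 5\nLoginGraceTime 60\nLoginGraceTime 10m\n' > "$tmp/ok.conf"
printf 'Port 22\n' > "$tmp/unset.conf"        # falls back to default 120 -> fail
printf 'LoginGraceTime 0\n' > "$tmp/unlimited.conf"  # 0 means no limit -> fail
for f in ok unset unlimited; do
    if check_login_grace_time "$tmp/$f.conf" 60; then echo "$f.conf: PASS"
    else echo "$f.conf: FAIL"; fi
done
```

Unlike `grep ^LoginGraceTime`, this also catches an indented or differently cased directive; to see the value the running daemon actually applies, including any Include files, `sshd -T` prints the effective configuration.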
Backout Plan:

Using Linux command line:

  1. Revert to previous LoginGraceTime settings if necessary.

  2. Restart sshd and verify usability.

References: