iCompaas Support

Profile Applicability:
 • Level 1

Description:
The LoginGraceTime option in the SSH daemon (sshd) configuration specifies the time allowed for a user to successfully authenticate before the server disconnects. Proper configuration limits the window for potential brute-force login attempts.

Rationale:
 Setting a reasonable LoginGraceTime reduces exposure to automated attacks and unauthorized access attempts by limiting authentication time.

Impact:
 Pros:

• Helps prevent brute-force and denial-of-service attacks.
  
  

• Supports secure authentication practices.
  
  

Cons:

• Setting too short a time may inconvenience users with slow connections.
  
  

Default Value:
 Defaults vary, often set to 120 seconds if not explicitly configured.

Pre-requisites:

• Root or sudo privileges to modify SSH daemon configuration.
  
  

Remediation:

Test Plan:

Using Linux command line:

Check current LoginGraceTime setting in /etc/ssh/sshd_config:

grep ^LoginGraceTime /etc/ssh/sshd_config

1. Verify the configured timeout value.
   
   

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Add or update the LoginGraceTime directive, for example:

LoginGraceTime 60

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^LoginGraceTime /etc/ssh/sshd_config

Backout Plan:

Using Linux command line:

1. Revert to previous LoginGraceTime settings if necessary.
   
   

2. Restart sshd and verify usability.
   
   

References:

• NIST SP 800-53 Revision 5 - AC-7