From 963bf65099dc07b297486555650f47da02975d27 Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Mon, 23 Jul 2018 13:12:53 +0300 Subject: [PATCH] roles/common: Limit number of SSH authentication attempts The default in later OpenSSH is 6, which seems too high. If you can't get your password correct after 3 tries then I think you need help. Eventually I'd like an easy way to enable blocking of repeated login attempts at the firewall level. I think it's possible in firewalld. --- roles/common/templates/sshd_config_Debian-9.j2 | 2 +- roles/common/templates/sshd_config_Ubuntu-16.04.j2 | 1 + roles/common/templates/sshd_config_Ubuntu-18.04.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/common/templates/sshd_config_Debian-9.j2 b/roles/common/templates/sshd_config_Debian-9.j2 index c0485ed..698fb4e 100644 --- a/roles/common/templates/sshd_config_Debian-9.j2 +++ b/roles/common/templates/sshd_config_Debian-9.j2 @@ -32,7 +32,7 @@ LogLevel VERBOSE #LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes -#MaxAuthTries 6 +MaxAuthTries 3 #MaxSessions 10 # Password based logins are disabled - only public key based logins are allowed. AuthenticationMethods publickey diff --git a/roles/common/templates/sshd_config_Ubuntu-16.04.j2 b/roles/common/templates/sshd_config_Ubuntu-16.04.j2 index 9640d88..372d012 100644 --- a/roles/common/templates/sshd_config_Ubuntu-16.04.j2 +++ b/roles/common/templates/sshd_config_Ubuntu-16.04.j2 @@ -70,6 +70,7 @@ PrintLastLog yes TCPKeepAlive yes #UseLogin no +MaxAuthTries 3 #MaxStartups 10:30:60 #Banner /etc/issue.net diff --git a/roles/common/templates/sshd_config_Ubuntu-18.04.j2 b/roles/common/templates/sshd_config_Ubuntu-18.04.j2 index b5fa4c6..53eafd9 100644 --- a/roles/common/templates/sshd_config_Ubuntu-18.04.j2 +++ b/roles/common/templates/sshd_config_Ubuntu-18.04.j2 
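Review bot: In sshd_config_Debian-9.j2 the new `MaxAuthTries 3` sits just above `AuthenticationMethods publickey`, so the limit counts offered public keys rather than the password guesses the commit message describes. A client whose agent offers more keys than the limit allows can be disconnected with "Too many authentication failures" before the right key is tried. I would add a comment above the setting, e.g. `# Each offered key counts as a try; clients with many agent keys should set IdentitiesOnly yes`. The same applies to the identical change in sshd_config_Ubuntu-18.04.j2 if that template is also key-only, which its hunk does not show. The limit is per connection, so it does not slow a client that simply reconnects; the firewall-level blocking mentioned in the commit message remains the control for that.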
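Review bot: In sshd_config_Ubuntu-16.04.j2 `MaxAuthTries 3` is added between `#UseLogin no` and `#MaxStartups 10:30:60`, away from the authentication settings, whereas the other two templates change it in place next to `PermitRootLogin` and `StrictModes`. sshd keeps the first value it reads for a keyword, so if this template already sets `MaxAuthTries` earlier in the file (not visible in this hunk) the new line has no effect. Checking the rendered file with `sshd -T` would confirm the effective value. I would move the line into the authentication block and add a short comment, e.g. `# Limit authentication attempts per connection (OpenSSH default is 6)`.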
@@ -31,7 +31,7 @@ LogLevel VERBOSE #LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes -#MaxAuthTries 6 +MaxAuthTries 3 #MaxSessions 10 #PubkeyAuthentication yes