Skip to content

Commit

Permalink
Merge pull request dev-sec#31 from hardening-io/max_auth_tries
Browse files Browse the repository at this point in the history
Make MaxAuthTries configurable
  • Loading branch information
chris-rock committed Aug 7, 2015
2 parents 09e22ba + ad9ee41 commit 1f36e9a
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 3 additions & 0 deletions roles/ansible-ssh-hardening/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ ssh_listen_to: ['0.0.0.0'] # sshd
# Host keys to look for when starting sshd.
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] # sshd

# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2

ssh_client_alive_interval: 600 # sshd
ssh_client_alive_count: 3 # sshd
# one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
Expand Down
2 changes: 1 addition & 1 deletion roles/ansible-ssh-hardening/templates/opensshd.conf.j2
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distr

PermitUserEnvironment no
LoginGraceTime 30s
MaxAuthTries 2
MaxAuthTries {{ssh_max_auth_retries}}
MaxSessions 10
MaxStartups 10:30:100

Expand Down

0 comments on commit 1f36e9a

Please sign in to comment.