Free DISA STIG and SRG Library | Vaulted

V-73973

The Cisco IOS XE router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

Finding ID: CISR-ND-000015
Rule ID: SV-88647r2_rule
Severity: Cat II
CCE: (None)
Group Title: SRG-APP-000065-NDM-000214
CCI: CCI-000044
Target Key: (None)
Documentable: No
Discussion

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

Fix Text

Configure SSH using:

    ip ssh authentication-retries 3
    login block-for 600 attempts 3 within 900

Check Content

Verify that the Cisco IOS XE router limits the number of consecutive invalid logon attempts to "3" within "15" minutes. The configuration should look similar to the example below:

    ip ssh authentication-retries 3
    login block-for 600 attempts 3 within 900

If the number of consecutive logon attempts is not set to "3" within "15" minutes, this is a finding.
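The fix text and check content above can be automated against saved `show running-config` output. The following is an added example written for this page, not part of the STIG or of any DISA tooling: it parses the two configuration lines the fix text calls for and applies the check text literally (the `within 900` argument of `login block-for` is in seconds, so it is the "15 minutes" the check refers to; `attempts 3` is the "3" consecutive attempts; `ip ssh authentication-retries 3` separately caps password retries within one SSH session). The sample configurations embedded below are constructed, not captured from a device. One practitioner caveat the code reports rather than hides: IOS does not print default values in `show running-config`, so an absent `ip ssh authentication-retries` line means the default is in effect and the value should be confirmed with `show ip ssh` or `show running-config all` before closing the finding.

```python
"""Check Cisco IOS XE running-config text against STIG V-73973 (CISR-ND-000015).

Added example for this page; it implements the check text literally:
3 consecutive attempts within 15 minutes (login block-for ... attempts 3 within 900)
plus the explicit 'ip ssh authentication-retries 3' line from the fix text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the STIG check and fix text.
REQUIRED_ATTEMPTS = 3
REQUIRED_WINDOW_SECONDS = 15 * 60      # "within 900"
REQUIRED_SSH_RETRIES = 3

# Exact forms of the two lines as they appear in running-config output.
SSH_RETRIES_RE = re.compile(r"^ip ssh authentication-retries (\d+)$")
LOGIN_BLOCK_RE = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)$")


@dataclass
class LogonLimits:
    ssh_retries: Optional[int] = None   # ip ssh authentication-retries N
    block_for: Optional[int] = None     # login block-for N (seconds locked out)
    attempts: Optional[int] = None      # ... attempts N (failed logons that trigger it)
    within: Optional[int] = None        # ... within N (seconds in which they must occur)


def parse_logon_limits(config_text: str) -> LogonLimits:
    """Extract the lockout-related lines from 'show running-config' text."""
    limits = LogonLimits()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSH_RETRIES_RE.match(line)
        if m:
            limits.ssh_retries = int(m.group(1))
            continue
        m = LOGIN_BLOCK_RE.match(line)
        if m:
            limits.block_for, limits.attempts, limits.within = (int(g) for g in m.groups())
    return limits


def check_v73973(config_text: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings); an empty findings list means no finding."""
    limits = parse_logon_limits(config_text)
    findings: List[str] = []

    if limits.ssh_retries is None:
        # Defaults are not shown in running-config; the auditor must confirm.
        findings.append("'ip ssh authentication-retries' not present in running-config "
                        "(confirm effective value with 'show ip ssh')")
    elif limits.ssh_retries != REQUIRED_SSH_RETRIES:
        findings.append(f"ip ssh authentication-retries is {limits.ssh_retries}, "
                        f"expected {REQUIRED_SSH_RETRIES}")

    if limits.attempts is None:
        findings.append("'login block-for ... attempts ... within ...' not configured")
    else:
        if limits.attempts != REQUIRED_ATTEMPTS:
            findings.append(f"login block-for attempts is {limits.attempts}, "
                            f"expected {REQUIRED_ATTEMPTS}")
        if limits.within != REQUIRED_WINDOW_SECONDS:
            findings.append(f"login block-for within is {limits.within} s, "
                            f"expected {REQUIRED_WINDOW_SECONDS} s (15 minutes)")

    return (not findings, findings)


# Constructed sample configurations (not captured from a real device).
COMPLIANT_CONFIG = """\
hostname rtr-example
!
ip ssh authentication-retries 3
login block-for 600 attempts 3 within 900
!
line vty 0 4
 transport input ssh
"""

NONCOMPLIANT_CONFIG = """\
hostname rtr-example
!
ip ssh authentication-retries 5
login block-for 120 attempts 5 within 60
!
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        ok, findings = check_v73973(cfg)
        print(f"{name}: {'PASS' if ok else 'FINDING'}")
        for item in findings:
            print("  -", item)
```

Run it against a captured `show running-config` file by reading the file and passing its contents to `check_v73973`; each string in the returned list is one reason the rule would be marked a finding.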