The Cisco IOS XE router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Configure SSH using:

ip ssh authentication-retries 3
login block-for 600 attempts 3 within 900
Verify that the Cisco IOS XE router limits the number of consecutive invalid logon attempts to "3" within "15" minutes. The configuration should look similar to the example below:

ip ssh authentication-retries 3
login block-for 600 attempts 3 within 900

If the number of consecutive logon attempts is not set to "3" within "15" minutes, this is a finding.
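The check above can be run automatically against a saved copy of the running configuration. The Python below is an added example, not part of the original check text or of any Cisco tool. Assumptions: the function name check_logon_limit and both sample configurations are constructed for illustration, both lines must appear in the supplied text, and 900 seconds stands for the 15-minute window.

```python
import re

# Constructed sample running-config excerpts (not taken from a real device).
COMPLIANT = """\
hostname R1
ip ssh authentication-retries 3
login block-for 600 attempts 3 within 900
line vty 0 4
 transport input ssh
"""
NONCOMPLIANT = """\
hostname R2
ip ssh authentication-retries 5
login block-for 60 attempts 10 within 120
"""

# Global-config lines start in column 0, so anchor at the start of a line.
SSH_RE = re.compile(r"^ip ssh authentication-retries (\d+)\s*$", re.M)
LOGIN_RE = re.compile(
    r"^login block-for (\d+) attempts (\d+) within (\d+)\s*$", re.M)


def check_logon_limit(config, max_attempts=3, window_seconds=900):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    ssh = SSH_RE.search(config)
    if ssh is None:
        findings.append("ip ssh authentication-retries is not present")
    elif int(ssh.group(1)) != max_attempts:
        findings.append(
            f"ip ssh authentication-retries is {ssh.group(1)}, "
            f"expected {max_attempts}")
    login = LOGIN_RE.search(config)
    if login is None:
        findings.append("login block-for is not present")
        return findings
    # The block-for duration is parsed but not judged: the check text
    # only states the attempt count and the time window.
    _block_for, attempts, within = map(int, login.groups())
    if attempts != max_attempts:
        findings.append(
            f"login attempts is {attempts}, expected {max_attempts}")
    if within != window_seconds:
        findings.append(
            f"login window is {within}s, expected {window_seconds}s")
    return findings


if __name__ == "__main__":
    for name, cfg in (("R1", COMPLIANT), ("R2", NONCOMPLIANT)):
        result = check_logon_limit(cfg)
        print(name, "PASS" if not result else f"FINDING: {result}")
```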