Merge pull request #31 from hardening-io/max_auth_tries

Make MaxAuthTries configurable
dev-sec · Aug 7, 2015 · 9502103 · 9502103
2 parents 4dcf553 + 2bc353b
commit 9502103
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/roles/ansible-ssh-hardening/defaults/main.yml b/roles/ansible-ssh-hardening/defaults/main.yml
@@ -29,6 +29,9 @@ ssh_listen_to: ['0.0.0.0']    # sshd
 # Host keys to look for when starting sshd.
 ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']        # sshd
 
+# Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
+ssh_max_auth_retries: 2
+
 ssh_client_alive_interval: 600          # sshd
 ssh_client_alive_count: 3               # sshd
 # one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!

diff --git a/roles/ansible-ssh-hardening/templates/opensshd.conf.j2 b/roles/ansible-ssh-hardening/templates/opensshd.conf.j2
@@ -121,7 +121,7 @@ UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distr
 
 PermitUserEnvironment no
 LoginGraceTime 30s
-MaxAuthTries 2
+MaxAuthTries {{ssh_max_auth_retries}}
 MaxSessions 10
 MaxStartups 10:30:100