Configures SSH MaxAuthTries to limit authentication attempts and protect against brute force attacks
This Automox Worklet™ configures the MaxAuthTries parameter in /etc/ssh/sshd_config to limit the number of authentication attempts allowed per SSH connection. By default, OpenSSH allows 6 attempts, but this Worklet sets a more restrictive limit of 4 attempts.
When an SSH client exceeds the MaxAuthTries limit, the server disconnects the session. This forces attackers to establish new connections for additional attempts, slowing down brute force attacks and making them more detectable in logs.
SSH brute force attacks are among the most common threats facing Linux servers exposed to the internet. Attackers use automated tools to try thousands of username and password combinations. Limiting authentication attempts slows these attacks and triggers more connection events for security monitoring.
CIS Benchmarks recommend setting MaxAuthTries to 4 or less. This configuration balances security with usability, allowing legitimate users a reasonable number of attempts while frustrating automated attacks. Combined with fail2ban or similar tools, this setting provides defense in depth.
The Worklet includes an optional sshd restart (disabled by default) that you can enable by uncommenting the service restart line in the remediation script. Without a restart, the new setting takes effect on the next sshd service restart or system reboot.
Evaluation phase: Always triggers remediation (exit 1) to apply the configuration. This is a run-once hardening action.
Remediation phase: Checks if sshd is running, then searches for an existing MaxAuthTries line in /etc/ssh/sshd_config. If found, updates the value to 4 using sed. If not found, appends MaxAuthTries 4 to the file. Optionally restarts sshd if the restart line is uncommented.
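The remediation flow described above, as an added example that is not the Worklet's own script; the function name set_max_auth_tries and the .bak backup are assumptions. It goes slightly beyond the sed-or-append flow: it inserts the directive before the first Match block, because a line appended after a Match block only applies inside that block. It also leaves commented lines and per-Match overrides untouched.

```sh
#!/bin/sh
# Added example, not the Worklet's script. set_max_auth_tries is a hypothetical name.
# Usage: set_max_auth_tries /etc/ssh/sshd_config 4 && sshd -t
# Prints "changed" or "unchanged"; keeps a .bak copy when it rewrites the file.
set_max_auth_tries() {
    _file=$1
    _tries=$2
    case $_tries in
        ''|0|*[!0-9]*) echo "tries must be a positive integer" >&2; return 2 ;;
    esac
    [ -f "$_file" ] || { echo "no such file: $_file" >&2; return 2; }
    _tmp=$(mktemp) || return 1
    awk -v n="$_tries" '
        { low = tolower($0) }
        # The first Match line ends the global section: insert before it if needed.
        low ~ /^[ \t]*match[ \t]/ {
            if (!done) { print "MaxAuthTries " n; done = 1 }
            in_match = 1
        }
        # Active (uncommented) global directive: rewrite the first, drop repeats.
        !in_match && low ~ /^[ \t]*maxauthtries[ \t=]/ {
            if (!done) { print "MaxAuthTries " n; done = 1 }
            next
        }
        { print }   # comments and per-Match overrides pass through untouched
        END { if (!done) print "MaxAuthTries " n }
    ' "$_file" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    if cmp -s "$_tmp" "$_file"; then
        rm -f "$_tmp"
        echo unchanged
        return 0
    fi
    # cat into the original keeps its owner and mode; mv would replace them.
    cp -p "$_file" "$_file.bak" && cat "$_tmp" > "$_file"
    _rc=$?
    rm -f "$_tmp"
    [ "$_rc" -eq 0 ] && echo changed
    return "$_rc"
}
```

Files pulled in through an Include directive are also read by sshd, so confirm the effective value with sshd -T | grep maxauthtries after any change.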
Linux endpoints with OpenSSH server installed and running
Root privileges for the Automox agent
To change the limit, modify the tries variable in the remediation script
To enable immediate application, uncomment the service sshd restart line
After remediation and an sshd restart, SSH clients are disconnected after 4 failed authentication attempts per connection. Verify with sshd -T | grep maxauthtries, which should return maxauthtries 4. You can also verify this change through the Automox Activity Log or by checking the endpoint configuration directly.
Legitimate users who mistype their password a few times may be disconnected and need to reconnect. This is expected behavior. Users with SSH key authentication are less affected since key-based auth typically succeeds on the first attempt.
Run this Worklet on a pilot Linux endpoint and review the evaluation output for enable ssh maxauthtries.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic, such as its exit code.
Validate the effects of remediation script operations such as grep and exit, then rerun the evaluation for compliance.
For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for enable ssh maxauthtries. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as grep and exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
