
Linux - Security - Enforce Number of SSH Login Attempts

Configure SSH MaxAuthTries to limit authentication attempts before connection termination

Worklet Details

What the SSH MaxAuthTries Enforcer does

This Automox Worklet™ configures the MaxAuthTries setting in the SSH daemon to limit the number of authentication attempts per connection. When the limit is reached, the SSH server terminates the connection, forcing the client to establish a new connection to try again.

The Worklet reads the current effective MaxAuthTries value using sshd -T and compares it to your desired setting (default is 4). If the current value exceeds the desired limit, the Worklet updates /etc/ssh/sshd_config and restarts the SSH service.

Before restarting SSH, the Worklet validates the configuration syntax with sshd -t to prevent service disruption from configuration errors. The Worklet only modifies the MaxAuthTries setting, leaving other SSH configuration unchanged.

Why limit SSH authentication attempts

Brute force attacks against SSH services attempt many passwords or keys per connection to maximize efficiency. Limiting authentication attempts per connection forces attackers to reconnect after each failure, significantly slowing automated attacks and making them more detectable in logs.

CIS Benchmarks recommend setting MaxAuthTries to 4 or fewer attempts. This setting provides a balance between security and usability, allowing legitimate users with multiple SSH keys to authenticate while limiting attack attempts.

Combined with other SSH hardening measures like key-based authentication and fail2ban, limiting MaxAuthTries creates multiple layers of protection against unauthorized access attempts.

How MaxAuthTries enforcement works

  1. Evaluation phase: The Worklet verifies the sshd service is running, then queries the effective MaxAuthTries value using sshd -T. If the current value exceeds the desired setting (default 4), the endpoint is flagged for remediation. If the values match, no changes are needed.

  2. Remediation phase: The Worklet removes existing MaxAuthTries lines from sshd_config using sed, then appends the desired setting. It validates the configuration with sshd -t and restarts the SSH service using systemctl restart sshd. A final check confirms the new setting is active.
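The two phases above as an added example; this is not the Worklet's own script, and the function names and the `--apply` flag are hypothetical. It departs from the described append in one respect: the new line goes ahead of the first `Match` block, because a line appended after a `Match` block applies only inside that block.

```shell
#!/bin/sh
# Added example, not the Automox Worklet source; function names are hypothetical.
desired_maxauthtries="${desired_maxauthtries:-4}"
sshd_config="${sshd_config:-/etc/ssh/sshd_config}"

# Pull the effective value out of `sshd -T` output supplied on stdin.
effective_maxauthtries() {
  awk 'tolower($1) == "maxauthtries" { print $2; exit }'
}

# Succeeds only when $1 is a number no greater than the limit $2.
is_compliant() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le "$2" ]
}

# Print config file $1 with active MaxAuthTries lines removed and
# "MaxAuthTries $2" placed ahead of the first Match block (end of file if
# there is none), so the new line cannot be captured by a Match block.
rewrite_config() {
  awk -v val="$2" '
    tolower($1) ~ /^maxauthtries(=|$)/ { next }
    !done && tolower($1) == "match" { print "MaxAuthTries " val; done = 1 }
    { print }
    END { if (!done) print "MaxAuthTries " val }
  ' "$1"
}

remediate() (
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT
  rewrite_config "$sshd_config" "$desired_maxauthtries" > "$tmp"
  sshd -t -f "$tmp" || exit 1          # validate the candidate before installing it
  cp -p "$sshd_config" "$sshd_config.bak"
  cat "$tmp" > "$sshd_config"          # keeps the original owner and mode
  systemctl restart sshd
  # Final check: the running configuration must now be within the limit.
  is_compliant "$(sshd -T | effective_maxauthtries)" "$desired_maxauthtries"
)

if [ "${1:-}" = "--apply" ]; then
  systemctl is-active --quiet sshd || exit 1   # only act where sshd is running
  is_compliant "$(sshd -T | effective_maxauthtries)" "$desired_maxauthtries" || remediate
fi
```

Because the final check reads `sshd -T` and not the file, it also catches a value set earlier in an included file that would take precedence over the rewritten line.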

MaxAuthTries configuration requirements

  • SSH server installed with configuration at /etc/ssh/sshd_config

  • SSH service (sshd) currently running on the endpoint

  • Root or sudo privileges for configuration changes and service restart

  • Optional: Adjust desired_maxauthtries variable to set a different limit (default is 4)

Expected SSH behavior after configuration

After successful remediation, SSH connections are terminated after the configured number of failed authentication attempts. To verify the change, run sshd -T | grep maxauthtries, which displays the new limit. The setting applies to all new SSH connections.

Legitimate users with multiple SSH keys may need to configure their SSH client to try fewer keys or specify the correct key explicitly. Users who exceed the allowed number of authentication attempts on a connection receive a "Too many authentication failures" error and must reconnect.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
