Title

The system must disable accounts after three consecutive unsuccessful SSH login attempts. (Cat II impact)

Discussion

Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks.

Check Content

If the system is operating in Trusted Mode, this check is not applicable. For SMSE: The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”. # cat /opt/ssh/etc/sshd_config | sed -e 's/^[ \t]*//' grep -v “#” | grep “^UsePAM” If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding.

Fix Text

If the system is operating in Trusted Mode, no fix is required. For SMSE only: Edit the /opt/ssh/etc/sshd_config file and add/uncomment/update the “UsePAM” attribute. See the below example: UsePAM yes Save any change(s) before exiting the editor.

Additional Identifiers

Rule ID: SV-52335r1_rule

Vulnerability ID: V-40355

Group Title: GEN000000-HPUX0210

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.