Reduce the SSHD login grace time
The LoginGraceTime SSHD setting determines how many seconds a client has to authenticate successfully to the SSH server. If the user can't log in within that time, the server closes the connection. The default value is 120 seconds.
Note: This includes the time spent typing a password.
The longer the login grace time is, the more unauthenticated connections can stay open at once. The default period of 2 minutes is too long; a legitimate client usually authenticates faster. You should reduce this value so that malicious clients can't keep connections open to attempt a Denial of Service attack.
A reduced time could be an incentive to use key-based authentication instead of passwords. Using SSH keys to authenticate is better for both usability and security.
You need to add or change a setting in the SSHD configuration file. First, check whether it is already set:
grep LoginGraceTime /etc/ssh/sshd_config
If the output isn't empty, the argument is present in the file. Edit the file /etc/ssh/sshd_config and replace the current LoginGraceTime value with 60 or less. If the line is commented (contains a leading #), uncomment it by removing the leading #.
If the output is empty, this argument could still be defined in a file under /etc/ssh/sshd_config.d/. Check there too:
grep LoginGraceTime /etc/ssh/sshd_config.d/*.conf
If the output isn’t empty, edit the file where the argument is defined, changing its value to 60 or less.
If you couldn't find the argument definition anywhere, edit the file /etc/ssh/sshd_config and add a LoginGraceTime line with a value of 60 or less.
To apply the changes, restart the SSHD service:
sudo systemctl restart sshd
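
The check described above, as an added example that is not part of the original page: a shell script that resolves the effective LoginGraceTime from the config files, skipping commented lines (which the grep commands also match) and converting time values such as 2m to seconds. The function names, the file order passed as arguments, and the sample files written by demo are assumptions made for this example.

```sh
#!/bin/sh
# Convert an sshd time value (60, 2m, 1m30s) to seconds; fail if invalid.
to_seconds() {
    printf '%s\n' "$1" | awk '
    BEGIN { m["s"]=1; m["m"]=60; m["h"]=3600; m["d"]=86400; m["w"]=604800 }
    {
        s = tolower($0); total = 0
        if (s == "") exit 1
        while (match(s, /^[0-9]+[smhdw]?/)) {
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            u = substr(tok, length(tok))
            total += (tok + 0) * ((u in m) ? m[u] : 1)
        }
        if (s != "") exit 1   # leftover characters: not a valid time value
        print total
    }'
}

# Print the effective value in seconds. Arguments: config files in the order
# sshd reads them (assumption: the caller knows where Include sits). sshd
# keeps the first value it sees; commented lines do not count.
effective_grace() {
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        val=$(awk 'tolower($1) == "logingracetime" { print $2; exit }' "$f")
        if [ -n "$val" ]; then break; fi
    done
    to_seconds "${val:-120}"   # unset everywhere: the 120 s default applies
}

# Return 0 if the value is 1-60 s, 1 if longer or 0 (0 disables the limit).
check_grace() {
    secs=$(effective_grace "$@") || { echo "UNPARSEABLE value"; return 2; }
    if [ "$secs" -eq 0 ] || [ "$secs" -gt 60 ]; then
        echo "FAIL: LoginGraceTime=${secs}s (0 disables the limit)"; return 1
    fi
    echo "OK: LoginGraceTime=${secs}s"
}

# Constructed sample: a drop-in sets 2m, the main file only has a comment.
demo() {
    d=$(mktemp -d)
    printf 'LoginGraceTime 2m\n' > "$d/10-site.conf"
    printf '#LoginGraceTime 30\n' > "$d/sshd_config"
    rc=0; check_grace "$d/10-site.conf" "$d/sshd_config" || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "$#" -gt 0 ]; then check_grace "$@"; else demo || true; fi
```

On a running host, sudo sshd -T | grep -i logingracetime prints the value sshd itself resolved, which is the authoritative check after the restart.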