Reduce the SSHD login grace time


The LoginGraceTime setting in the SSHD configuration determines how many seconds a client has to authenticate successfully to the SSH server. If the user can’t log in within that time, the server closes the connection. The default value is 120 seconds.

This includes the time spent typing a password.

Why you should reduce the default SSHD login grace time

The longer the login grace time, the more unauthenticated connections can stay open at the same time. The default period of 2 minutes is too long; a legitimate client usually authenticates faster. You should reduce this value so that malicious clients can't keep connections open to attempt a Denial of Service attack.

A reduced time could be an incentive to use key-based authentication instead of passwords. Using SSH keys to authenticate is better both for usability and security reasons.

How to avoid denial of service by closing unauthenticated SSH connections earlier

You need to add or change a setting in the SSHD configuration file.

Look for LoginGraceTime in /etc/ssh/sshd_config:

grep LoginGraceTime /etc/ssh/sshd_config

If the output isn’t empty, the argument is present in the file. Edit the file /etc/ssh/sshd_config and replace the current LoginGraceTime value with 60 or less. If the line is commented out (it starts with #), uncomment it by removing the leading #.

If the output is empty, this argument could still be defined in a .conf file in /etc/ssh/sshd_config.d/. Check there too:

grep LoginGraceTime /etc/ssh/sshd_config.d/*.conf

The /etc/ssh/sshd_config.d/ directory doesn’t exist on Ubuntu 18.04. You only need to check it if you’re using Ubuntu 20.04 or more recent.

If the output isn’t empty, edit the file where the argument is defined, changing its value to 60 or less.

If you couldn’t find the argument definition anywhere, edit the file /etc/ssh/sshd_config and include the following line:

LoginGraceTime 60

To apply the changes, restart the SSHD service:

sudo systemctl restart sshd
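
The script below is an added example, not part of the original page. It works out which LoginGraceTime value would actually take effect across several configuration files and checks it against the 60-second target. It goes beyond the steps above by handling case-insensitive keywords, time suffixes such as 2m, and the value 0 (no time limit), none of which a plain text search accounts for. The function names, the sample file names and the assumption that the .conf files in sshd_config.d are read before the rest of sshd_config are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Pass files in the order sshd reads
# them (assumed for Ubuntu 20.04+: sshd_config.d/*.conf first, then sshd_config).
# Convert an sshd time value (90, 2m, 1m30s) to seconds; "invalid" on junk.
to_seconds() {
    printf '%s\n' "$1" | awk '{
        s = tolower($0); total = 0
        if (s == "") { print "invalid"; exit }
        while (match(s, /^[0-9]+[smhdw]?/)) {
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            u = substr(tok, length(tok))
            mult = (u == "m") ? 60 : (u == "h") ? 3600 : (u == "d") ? 86400 : (u == "w") ? 604800 : 1
            total += (tok + 0) * mult
        }
        print ((s == "") ? total : "invalid")
    }'
}

# Print the first active LoginGraceTime; sshd keeps the first value it reads.
first_grace_time() {
    awk '
        FNR == 1 { in_match = 0 }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        tolower(line) ~ /^match[ \t]/ { in_match = 1; next }  # skip Match blocks
        in_match { next }
        tolower(line) ~ /^logingracetime[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            print line; exit
        }' "$@"
}

# Classify the effective value; exit status 0 only when it is 1..60 seconds.
audit_grace_time() {
    value=$(first_grace_time "$@")
    [ -n "$value" ] || { echo "default:120"; return 1; }
    secs=$(to_seconds "$value")
    case "$secs" in
        invalid) echo "invalid:$value"; return 2 ;;
        0) echo "unlimited:0"; return 1 ;;   # 0 disables the time limit
    esac
    [ "$secs" -le 60 ] && { echo "ok:$secs"; return 0; }
    echo "too-long:$secs"; return 1
}

# Constructed sample: a lowercase drop-in line overrides "60" in the main file.
d=$(mktemp -d); printf 'logingracetime 2m\n' > "$d/50-demo.conf"
printf '#LoginGraceTime 2m\nLoginGraceTime 60\n' > "$d/sshd_config"
audit_grace_time "$d/50-demo.conf" "$d/sshd_config" || true; rm -rf "$d"
```

On a live server, sudo sshd -T | grep -i logingracetime prints the value sshd itself resolved, which is the authoritative check after the restart.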