
The system must disable accounts after three consecutive unsuccessful SSH login attempts.


Overview

Finding ID: V-40355
Version: GEN000000-HPUX0210
Rule ID: SV-52335r1_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks.
STIG: HP-UX SMSE Security Technical Implementation Guide
Date: 2014-02-28

Details

Check Text (C-46984r1_chk)
If the system is operating in Trusted Mode, this check is not applicable.

For SMSE:
The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”.
# cat /opt/ssh/etc/sshd_config | sed -e 's/^[ \t]*//' | grep -v "#" | grep "^UsePAM"

If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding.
Fix Text (F-45323r1_fix)
If the system is operating in Trusted Mode, no fix is required.

For SMSE only:
Edit the /opt/ssh/etc/sshd_config file and add, uncomment, or update the “UsePAM” attribute. See the example below:
UsePAM yes

Save any change(s) before exiting the editor.
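
The check command above matches only the literal string UsePAM, but sshd_config keywords are case-insensitive and sshd uses the first value it obtains for a keyword. The following added example (not part of the STIG text) evaluates the global setting with those rules. The function names and the sample configuration are constructed for illustration; the default of "no" is taken from the Check Text.

```shell
#!/bin/sh
# Added example: evaluate the global UsePAM setting in an sshd_config file.

# Print the effective global UsePAM value from the file in $1 (or from stdin).
usepam_effective() {
    awk '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace
        /^#/ || /^$/ { next }             # skip comment and blank lines
        tolower($1) == "match" { exit }   # global section ends at first Match
        tolower($1) == "usepam" {         # keywords are case-insensitive
            print $2; found = 1; exit     # first value obtained is the one used
        }
        END { if (!found) print "no" }    # default per the Check Text
    ' "$@"
}

# Return 0 when UsePAM is "yes" (not a finding), 1 when it is a finding,
# 2 when the file cannot be read. The value is compared exactly (assumption:
# strict matching, since the STIG requires the literal value "yes").
check_usepam() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    value=$(usepam_effective "$1")
    if [ "$value" = "yes" ]; then
        echo "NOT A FINDING: UsePAM $value"
        return 0
    fi
    echo "FINDING: UsePAM $value"
    return 1
}

# Constructed sample (not from a real host): the active directive is indented
# and lower-case, and is preceded by a commented-out "UsePAM no".
sample_config() {
    cat <<'EOF'
# sshd_config (constructed sample)
Protocol 2
#UsePAM no
   usepam yes
Match User backup
    X11Forwarding no
EOF
}

# Demonstration on the constructed sample; on a host, run:
#   check_usepam /opt/ssh/etc/sshd_config
sample_config | usepam_effective
```

On the constructed sample, the case-sensitive `grep "^UsePAM"` in the check command prints nothing, while this function reports the setting as "yes".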