1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
documentation_complete: true
title: 'Ensure SSH MaxStartups is configured'
description: |-
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated
connections to the SSH daemon. Additional connections will be dropped until authentication
succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should
add or edit the following line in the <tt>/etc/ssh/sshd_config</tt> file:
<pre>MaxStartups {{{ xccdf_value("var_sshd_set_maxstartups") }}}</pre>
rationale: |-
To protect a system from denial of service due to a large number of pending authentication
connection attempts, use the rate limiting function of MaxStartups to protect availability of
sshd logins and prevent overwhelming the daemon.
severity: medium
identifiers:
cce@rhel8: CCE-90718-8
cce@rhel9: CCE-87872-8
cce@rhel10: CCE-89624-1
cce@sle12: CCE-91678-3
cce@sle15: CCE-91308-7
cce@slmicro5: CCE-93878-7
references:
cis@sle12: 5.2.21
cis@sle15: 5.2.21
ocil_clause: 'maxstartups is not configured'
ocil: |-
To check if MaxStartups is configured, run the following command:
<pre>$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*</pre>
If configured, this command should output the configuration.
template:
name: sshd_lineinfile
vars:
parameter: MaxStartups
xccdf_variable: var_sshd_set_maxstartups
datatype: string
backends:
oval: "off"
|
