This module limits the maximum authentication attempts (default to 3)


Nick Anderson

Module stats

Total Downloads: 438
Updated: Dec 23, 2021

Installation version

Released on Dec 3, 2021



cfbs add ssh-max-auth-tries

SSH is one of the most widely used services allowing administrators to connect and manage the system as well as being used for data transfers like backups and port forwarding.

By default 6 attempts are allowed per session. The number of attempts can be reduced to prevent brute force attacks where different passwords are guessed and tried. When half of the attempts are used up failures will be logged on the server making it more likely that an administrator will notice brute force login attempts.

Reducing this to 3 is recommended and an excellent idea in environments where the value may have been configured higher.


Add MaxAuthTries 36 to /etc/ssh/sshd_config and run the policy:

$ grep Tries /etc/ssh/sshd_config
MaxAuthTries 36
$ sudo cf-agent -KIb ssh_max_auth_tries
    info: Using command line specified bundlesequence
    info: Replaced pattern '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' in '/etc/ssh/sshd_config.staged'
    info: replace_patterns promise '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' repaired
    info: Edited file '/etc/ssh/sshd_config.staged'
    info: Copied file '/etc/ssh/sshd_config.staged' to '/etc/ssh/sshd_config.cfnew' (mode '640')
    info: Removed old backup '/etc/ssh/sshd_config.cfsaved'
    info: Backed up '/etc/ssh/sshd_config' as '/etc/ssh/sshd_config.cfsaved'
    info: Moved '/etc/ssh/sshd_config.cfnew' to '/etc/ssh/sshd_config'
    info: Updated '/etc/ssh/sshd_config' from source '/etc/ssh/sshd_config.staged' on 'localhost'
    info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q restart sshd'
    info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q restart sshd'
$ grep Tries /etc/ssh/sshd_config
MaxAuthTries 3

The reason that there is quite a bit of output is because it's a multi-step process:

  • Backup the config
  • Edit the config
  • Replace old config with new config
  • Restart SSH daemon

If you run cf-agent -KI again, there will be no output, no changes will be made, since the configuration is already correct.

How it works

This module ensures that MaxAuthTries is set to 3 unless default:ssh_max_auth_tries.sshd_config[MaxAuthTries] is defined via Augments in which case the value defined via augments is used for the setting in /etc/ssh/sshd_config leveraging lib_sshd_config:global_key_values from the library-sshd-config module.


The following variables are available for customization. If they are not defined via Augments, they will select default values.

Note: In order to target these variables from Augments CFEngine 3.18.0 or higher where the variables key is available is needed.

Specifies the maximum number of authentication attempts permitted per connection. (default 3)


comments powered by Disqus