Hi Folks,
To add to above data; please find these data more usefull with SRX boxes,
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28968
[SRX] How to block Telnet and SSH Brute Force log-in attacks
SUMMARY:
How to prevent log-in (username & password) attacks on an SRX, especially attacks such as Brute Force attacks, which involve systematically checking all possible keys until the correct key is found for accessing the device.
SYMPTOMS:
Malicious users sometimes try to log into a secure device by guessing an authorized user's account password. The goal is to protect a device from malicious users by locking out a user account after a number of failed authentication attempts.
SOLUTION:
Junos provides multiple options for blocking Telnet and SSH Brute Force log-in attacks on SRX devices.
Creating a Log-In Attempt Limit
To help prevent Brute Force attacks, set an attempt limit for users to make a mistake in entering their username or password. If the user exceeds the log-in limit, the system will either lock him out or prevent any future log-in attempts for a set amount of time.
Set the following options according to your requirements and commit the changes:
root@SRX# set system login retry-options backoff-threshold ?
Possible completions:
<backoff-threshold> Number of password failures before delay is introduced (1..3)
root@SRX# set backoff-threshold 3
root@SRX# set system login retry-options backoff-factor ?
Possible completions:
<backoff-factor> Delay factor after 'backoff-threshold' password failures
root@SRX# set backoff-factor 10
root@SRX# root@SRX# set system login retry-options tries-before-disconnect ?
Possible completions:
<tries-before-disconnect> Number of times user is allowed to try password (1..10)
root@SRX# set tries-before-disconnect 5
root@SRX# set system login retry-options lockout-period ?
Possible completions:
<lockout-period> Amount of time user account is locked after 'tries-before-disconnect' failures
root@SRX# set system login retry-options lockout-period 4
backoff-threshold: Sets the threshold for the number of failed log-in attempts on the device before the user experiences a delay when attempting to re-enter a password. When a user incorrectly logs into the device and hits the threshold of failed log-in attempts, the user experiences a delay (set in the backoff-factor statement) before he can attempt to log into the device again. The valid range for this option is 1 to 3 attempts.
backoff-factor: Sets the length of the delay, in seconds, after each failed log-in attempt. When a user incorrectly logs into the device, the user must wait the configured amount of time before he can attempt to log into the device again. The length of the delay increases by the backoff-factor value for each subsequent log-in attempted after the value specified in the backoff-threshold statement is reached. The valid range for this option is 5 to 10 seconds.
tries-before-disconnect: Sets the maximum number of times the user is allowed to enter a password in an attempt to log into the device through SSH or Telnet. When the user reaches the maximum number of failed log-in attempts, he is locked out of the device. The user must wait the configured amount of minutes in the lockout-period statement before he can attempt to log back into the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The valid value for this option is 1 to 10 attempts.
lockout-period: Sets the amount of time, in minutes, that the user must wait before he can attempt to log into the device after being locked out due to the number of failed log-in attempts specified in the tries-before-disconnect statement. The lockout-period must be greater than zero. The valid range for this option range is 1 to 43,200 minutes.
https://www.juniper.net/techpubs/en_US/junos/topics/example/authentication-login-attempts-ssh-telnet-sessions-limiting.html
Example: Limiting the Number of Login Attempts for SSH and Telnet Sessions to Prevent Unauthorized Access
Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options command, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.
The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet. Set the backoff-threshold to 2, the back-off-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds.
The additional variables maximum-time and lockout-period are not set in this example.
[edit]
system {
login {
retry-options {
backoff-threshold 2;
backoff-factor 5;
minimum-time 40;
tries-before-disconnect 4;
}
password {
}
}
}