How to configure OpenVAS where it is NOT locking out "root" accounts?

Good morning,

Our instance of the OpenVAS scanner keeps locking our “root” account when running on one of our subnets. Is there a way to ensure this does not happen as part of the vulnerability scans? The internal alert we kept receiving: “Login attempt alert for from using SSH, IP will be blocked for 600 seconds.”

Here is our current setup (below).

-Port List: All IANA asigned TCP
-Alive Test: Scan Config Default
-Credentials: None specified (SSH has a dropdown menu for port 22, but nothing is selected).

Scan Tasks:
-Apply Overrides: Yes
-Min QoD: 70%
-Scanner: OpenVAS Default
-Scan Config: Full and Fast

Any assistance or guidance would be helpful as we’d like to utilize this tool. We were under the impression that the Full and Fast does not brute force as it appears to the be only (best) lightweight option.

Thank you!


the obvious option is to exclude the affected machine IP from the scan, second is to do your own “Scan Config” in the “Configuration menu”.

But the best practice for Linux machines is disabling ssh login for root in “/etc/ssh/sshd_config”

# Authentication:
PermitRootLogin yes

Then your normal user account on the machine has ssh login, then use “sudo su -” or “su - root” and switch by password to root.

You can find on Google many articles on how to achieve this.

The following comments have some background info why you shouldn’t do any changes on scanner side:

TLDR; Don’t weaken the scanner and instead configure the target device to not lock accounts in general but only based on the source IP.

If you still want to accept the risk of missing detection of weak / hardcoded default credentials (which is strongly discouraged) the second comment includes some additional info.


Hi CFI. Thank you for the kind reply. Our lockout settings are pretty standard with best practices. The machine in question appears to have been brute forced by OpenVAS with ~60 failed login attempts. We have never seen this before with any other scanner. Do you have any other suggestions (although it sounds like we could disable brute force NVTs)?