SSH Max Limits and Optimization

SSH (Secure Shell) is a powerful tool for remote administration and secure data transfer. However, it is crucial to understand and configure its limits effectively to ensure optimal performance and security. This article explains the main SSH limits and how to set them.

Connection Limits

Connection limits in SSH, primarily controlled by the MaxStartups and MaxSessions settings, are crucial security measures. MaxStartups restricts the number of concurrent unauthenticated connections, mitigating brute-force attacks. MaxSessions limits the number of active sessions per connection, preventing resource exhaustion and potential DoS attacks. These limits, along with other security measures like key-based authentication and firewall rules, contribute to a robust and secure SSH environment.

SSH Max Sessions

  • Default: 10
  • Location:
    /etc/ssh/sshd_config
  • Controls maximum number of simultaneous SSH sessions per connection
MaxSessions 10

SSH Max Startups

  • Format:
    start:rate:full
  • Default: 10:30:100
  • Controls unauthenticated connection attempts
MaxStartups 10:30:100
# Up to 10 unauthenticated connections are always accepted
# Above 10, each new unauthenticated connection is dropped with 30% probability,
# and the probability rises linearly with the number of pending connections
# At 100 pending connections every new unauthenticated connection is refused

Client Alive Interval

  • Default: 0 (disabled)
  • Maximum: System dependent
  • Checks client connectivity every X seconds
ClientAliveInterval 300

Client Alive Count Max

  • Default: 3
  • Maximum connection check attempts before disconnecting
ClientAliveCountMax 3
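To make the two limits above concrete, here is an added example (not code from the article or from OpenSSH) that parses a MaxStartups value, computes the drop probability for a given number of pending unauthenticated connections, and derives the idle disconnect time from the ClientAlive settings. The probability formula follows the linear ramp sshd_config(5) documents for start:rate:full.

```python
"""Added example (not from the original article): model what two sshd_config
limits from this article actually do.  The drop probability follows the
linear ramp that sshd_config(5) documents for MaxStartups start:rate:full."""


def parse_max_startups(value: str) -> dict:
    """Parse a MaxStartups value such as "10:30:100" (or a bare "10")."""
    parts = value.split(":")
    if len(parts) == 1:  # a single number means start == full: no random drops
        start = full = int(parts[0])
        rate = 100
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    if not (1 <= start <= full and 1 <= rate <= 100):
        raise ValueError(f"inconsistent MaxStartups value: {value!r}")
    return {"start": start, "rate": rate, "full": full}


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance sshd refuses a new connection when `unauth` connections
    are already waiting to authenticate: 0 below start, `rate` at start,
    rising linearly to 100 at full (integer arithmetic)."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def idle_disconnect_seconds(interval: int, count_max: int) -> int:
    """Roughly how long a silent client survives: sshd probes every `interval`
    seconds and disconnects after `count_max` unanswered probes; 0 disables."""
    return interval * count_max if interval > 0 else 0


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:100")  # the value used in this article
    for pending in (5, 10, 55, 99, 100):
        print(f"{pending:3d} pending -> {drop_probability(pending, **cfg):3d}% dropped")
    # ClientAliveInterval 300 / ClientAliveCountMax 3 from the sections above
    print("idle client dropped after", idle_disconnect_seconds(300, 3), "seconds")
```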

Authentication Limits

Authentication limits in SSH primarily focus on restricting the number of failed login attempts. This helps prevent brute-force attacks where attackers systematically try various combinations of usernames and passwords to gain unauthorized access. By setting limits on the number of authentication attempts allowed per connection, you can significantly increase the difficulty for attackers to successfully compromise your system.

MaxAuthTries

  • Default: 6
  • Maximum authentication attempts before disconnecting
MaxAuthTries 6

LoginGraceTime

  • Default: 120 seconds
  • Time allowed for successful authentication
LoginGraceTime 120

System Resource Limits

System-wide Limits

Edit /etc/security/limits.conf:

* soft nofile 65535
* hard nofile 65535

Process Limits

# Check current limits
ulimit -n

# Set new limit for the current shell (limits.conf makes it persistent)
ulimit -n 65535

Bandwidth Limits

Bandwidth limits in SSH, while not directly configurable within the SSH protocol itself, are an important consideration for overall system performance. Excessive SSH traffic can consume significant network resources, potentially impacting other applications and services.

Individual User Limits

OpenSSH's sshd_config has no RateLimit directive, or any other per-user bandwidth setting; sshd refuses to start on an unknown option, so a Match User block cannot throttle a user's throughput. Per-user bandwidth has to be limited outside the daemon, for example with the client-side scp -l option shown under SCP Limits. The iptables rule below limits the rate of new connections, not throughput.

Global Rate Limiting

Using iptables:

# Accept at most 10 new SSH connections per minute (the limit module allows a burst of 5 by default)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 10/minute -j ACCEPT
# Without this second rule, connections over the limit fall through to the chain's default policy
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

Performance Optimization

Compression Settings

# In sshd_config
# Current OpenSSH treats "delayed" as a synonym for "yes": compression is only enabled after authentication
Compression delayed

Cipher Selection

# AEAD ciphers only; chacha20-poly1305 is fastest on CPUs without AES-NI, AES-GCM on CPUs with it
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Keep Alive Settings

Client-side (~/.ssh/config):

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

File Transfer Limits

SFTP Limits

In sshd_config:

Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f LOCAL6
Match Group sftpusers
    # the chroot directory must be owned by root and not writable by group or others
    ChrootDirectory /sftp/%u
    # internal-sftp ignores the Subsystem line above; it accepts the same -l/-f logging options
    ForceCommand internal-sftp
    AllowTcpForwarding no

SCP Limits

# Limit SCP bandwidth to 1000 Kbit/s (-l takes Kbit/s); file and host are placeholders
scp -l 1000 localfile user@host:/remote/path/

Security Maximums

SSH security maximums encompass various settings designed to thwart malicious attacks.

Key Size Limits

  • RSA: 16384 bits (practical max)
  • ECDSA: 521 bits
  • Ed25519: 256 bits (fixed)

Authentication Timeout

# In sshd_config
# Comma-separated methods must all succeed: public key first, then keyboard-interactive
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
LoginGraceTime 60

Monitoring and Logging

Logging Levels

# In sshd_config
LogLevel VERBOSE
SyslogFacility AUTH

Connection Monitoring

# Active connections
who | grep pts
# SSH processes (the bracket pattern keeps grep from matching itself)
ps aux | grep '[s]sh'
# Connection attempts
tail -f /var/log/auth.log

Troubleshooting

Check Current Limits

# System limits
sysctl -a | grep max

# SSH daemon limits (effective values; run as root)
sshd -T | grep max

# Process limits
cat /proc/sys/fs/file-max

Common Issues and Solutions

  1. Too Many Open Files
# Check current open files
lsof | grep sshd | wc -l
# Increase system limit
echo "fs.file-max = 100000" >> /etc/sysctl.conf
sysctl -p
  2. Connection Drops
# Add to sshd_config
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3

Best Practices

  1. Regular Monitoring
#!/bin/bash
# Monitoring script; run as root so netstat -p can show the owning process
echo "Active SSH connections: $(netstat -tnpa | grep 'ESTABLISHED.*sshd' | wc -l)"
echo "Failed attempts: $(grep "Failed password" /var/log/auth.log | wc -l)"
  2. Automated Cleanup
# Do not run "pkill -o sshd" from cron: -o kills the oldest sshd process, which is
# the listening daemon itself, so new logins would be refused.
# Let sshd drop idle sessions instead (in sshd_config, see Client Alive Interval above):
ClientAliveInterval 300
ClientAliveCountMax 3
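The "Failed attempts" line in the monitoring script above only gives a total. As an added example (not from the article), this script breaks the same "Failed password" messages down by source address and reports which nonexistent accounts were tried, so the count becomes something a defender can alert on. The log lines and the alert threshold are constructed for the example.

```python
"""Added example (not part of the original article): turn the "Failed password"
grep from the monitoring script into a per-source summary.  The log lines are
constructed in sshd's syslog format using RFC 5737 documentation addresses."""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample of /var/log/auth.log
SAMPLE_LOG = """\
Jan 12 10:01:03 host sshd[2231]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 12 10:01:05 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Jan 12 10:01:07 host sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 50131 ssh2
Jan 12 10:02:10 host sshd[2240]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:xx
Jan 12 10:03:00 host sshd[2255]: Failed password for bob from 198.51.100.20 port 40100 ssh2
Jan 12 10:03:30 host sshd[2256]: Accepted password for bob from 198.51.100.20 port 40101 ssh2
"""


def summarize_failures(log_text: str) -> dict:
    """Count failed password attempts per source IP and collect the
    nonexistent usernames each source tried."""
    by_ip = Counter()
    invalid = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        by_ip[m["ip"]] += 1
        if m["invalid"]:  # "invalid user" marks a guess at an account that does not exist
            invalid[m["ip"]].add(m["user"])
    return {"total": sum(by_ip.values()), "by_ip": by_ip,
            "invalid_users_by_ip": dict(invalid)}


def suspicious_sources(summary: dict, threshold: int) -> list:
    """Source IPs with at least `threshold` failures, worst first.  The
    threshold is a constructed value; tune it to MaxAuthTries and your traffic."""
    return [ip for ip, n in summary["by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize_failures(SAMPLE_LOG)
    print("Failed attempts:", s["total"])
    for ip in suspicious_sources(s, threshold=3):
        print(f"{ip}: {s['by_ip'][ip]} failures, nonexistent users tried:",
              sorted(s["invalid_users_by_ip"].get(ip, [])))
```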

Remember to always backup configuration files before making changes and test in a non-production environment first.
