SSH Max Limits and Optimization

SSH (Secure Shell) is a powerful tool for remote administration and secure data transfer, but its connection, authentication and resource limits have to be understood and set deliberately to get both good performance and a defensible service. This article walks through the main sshd limits, what each one bounds, and how to configure it.

Connection Limits

Connection limits in SSH, primarily controlled by settings like MaxStartups and MaxSessions, are crucial security measures. MaxStartups restricts the number of unauthenticated connection attempts, mitigating brute-force attacks. MaxSessions limits the number of active sessions per connection, preventing resource exhaustion and potential DoS attacks. These limits, along with other security measures like key-based authentication and firewall rules, contribute to a robust and secure SSH environment.

SSH Max Sessions

  • Default: 10
  • Location: /etc/ssh/sshd_config
  • Controls maximum number of simultaneous SSH sessions per connection
MaxSessions 10

SSH Max Startups

  • Format: start:rate:full
  • Default: 10:30:100
  • Controls unauthenticated connection attempts
MaxStartups 10:30:100
# Up to 10 unauthenticated connections are always accepted
# Once 10 are pending, new ones are dropped with 30% probability, rising linearly from there
# Full blocking (100% drop) once 100 unauthenticated connections are pending
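The drop decision sshd makes under MaxStartups is simple integer arithmetic; the function below reproduces it so you can see what a given start:rate:full value does at a given number of pending unauthenticated connections. This is an added example, not code from the article or from OpenSSH; maxstartups_drop_pct is a name chosen here.

```shell
#!/bin/sh
# Added example: drop probability (in percent) for a new unauthenticated
# connection under "MaxStartups start:rate:full", given how many
# unauthenticated connections are already pending.
# Usage: maxstartups_drop_pct "10:30:100" <pending>
maxstartups_drop_pct() {
    spec=$1
    pending=$2
    case "$spec" in
        *:*:*)
            start=${spec%%:*}
            rest=${spec#*:}
            rate=${rest%%:*}
            full=${rest#*:}
            ;;
        *)
            # A bare number ("MaxStartups 10") is a hard cutoff: start = full,
            # so the rate never comes into play.
            start=$spec; rate=100; full=$spec
            ;;
    esac
    if [ "$pending" -lt "$start" ]; then
        echo 0; return
    fi
    if [ "$pending" -ge "$full" ] || [ "$rate" -eq 100 ]; then
        echo 100; return
    fi
    # Linear ramp: rate% when 'start' are pending, 100% when 'full' are pending
    # (integer division, as sshd does it).
    p=$(( (100 - rate) * (pending - start) / (full - start) + rate ))
    echo "$p"
}

# Example: with the default 10:30:100, 55 pending connections give a 65% drop chance
maxstartups_drop_pct "10:30:100" 55
```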

Client Alive Interval

  • Default: 0 (disabled)
  • Maximum: System dependent
  • Checks client connectivity every X seconds
ClientAliveInterval 300

Client Alive Count Max

  • Default: 3
  • Maximum connection check attempts before disconnecting
ClientAliveCountMax 3

Authentication Limits

Authentication limits in SSH primarily focus on restricting the number of failed login attempts. This helps prevent brute-force attacks where attackers systematically try various combinations of usernames and passwords to gain unauthorized access. By setting limits on the number of authentication attempts allowed per connection, you can significantly increase the difficulty for attackers to successfully compromise your system.

MaxAuthTries

  • Default: 6
  • Maximum authentication attempts before disconnecting
MaxAuthTries 6

LoginGraceTime

  • Default: 120 seconds
  • Time allowed for successful authentication
LoginGraceTime 120

System Resource Limits

System-wide Limits

Edit /etc/security/limits.conf:

* soft nofile 65535
* hard nofile 65535

Process Limits

# Check current limits
ulimit -n
# Set new limit
ulimit -n 65535

Bandwidth Limits

Bandwidth limits in SSH, while not directly configurable within the SSH protocol itself, are an important consideration for overall system performance. Excessive SSH traffic can consume significant network resources, potentially impacting other applications and services.

Individual User Limits

# In sshd_config: a Match User block can scope other directives to one account,
# but OpenSSH has no bandwidth keyword ("RateLimit 5M" is not a valid option and
# sshd refuses to start on it). Per-user bandwidth has to be limited outside
# sshd, e.g. with the client-side scp -l flag shown under SCP Limits below or
# with firewall/traffic-control rules.
Match User username
    # per-user restrictions (e.g. AllowTcpForwarding no) go here

Global Rate Limiting

Using iptables:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 10/minute -j ACCEPT
# The ACCEPT rule alone does nothing once the limit is exceeded; the excess must be dropped explicitly
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

Performance Optimization

Compression Settings

# In sshd_config
Compression delayed

Cipher Selection

# Server-side order is not a preference: the client's list decides, and the first client cipher the
# server also offers wins. On CPUs with AES-NI the AES-GCM ciphers are usually fastest, otherwise chacha20-poly1305.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Keep Alive Settings

Client-side (~/.ssh/config):

Host *
ServerAliveInterval 60
ServerAliveCountMax 3

File Transfer Limits

SFTP Limits

In sshd_config:

Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f LOCAL6
Match Group sftpusers
    # The chroot target must be owned by root and not group- or world-writable, or sshd rejects the login
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

SCP Limits

# Limit SCP bandwidth to 1000 Kbit/s (-l takes Kbit/s); file and destination are placeholders
scp -l 1000 file.txt user@host:/path/

Security Maximums

SSH security maximums encompass various settings designed to thwart malicious attacks.

Key Size Limits

  • RSA: 16384 bits (practical max)
  • ECDSA: 521 bits
  • Ed25519: 256 bits (fixed)

Authentication Timeout

# In sshd_config
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
LoginGraceTime 60

Monitoring and Logging

Logging Levels

# In sshd_config
LogLevel VERBOSE
SyslogFacility AUTH

Connection Monitoring

# Active connections
who | grep pts
# SSH processes
ps aux | grep ssh
# Connection attempts
tail -f /var/log/auth.log

Troubleshooting

Check Current Limits

# System limits
sysctl -a | grep max
# SSH daemon limits (sshd -T prints the effective configuration in lowercase)
sshd -T | grep max
# Process limits
cat /proc/sys/fs/file-max

Common Issues and Solutions

  1. Too Many Open Files

# Check current open files
lsof | grep sshd | wc -l
# Increase system limit
echo "fs.file-max = 100000" >> /etc/sysctl.conf
sysctl -p

  2. Connection Drops

# Add to sshd_config
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3

Best Practices

  1. Regular Monitoring

#!/bin/bash
# Monitoring script
echo "Active SSH connections: $(netstat -tnpa | grep 'ESTABLISHED.*sshd' | wc -l)"
echo "Failed attempts: $(grep "Failed password" /var/log/auth.log | wc -l)"

  2. Automated Cleanup

# Add to crontab. Do not use "pkill -o sshd": the oldest sshd process is the listening
# daemon itself, so that kills the service. Match only user session processes
# ("sshd: user@pts/N", "sshd-session: ..." on OpenSSH 9.8+); the ClientAliveInterval /
# ClientAliveCountMax settings above are the cleaner way to reap idle sessions.
0 * * * * pkill -o -f '^sshd(-session)?: [^ ]+@'
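The monitoring script above and the Connection Monitoring section both count failed logins as a single total. Grouping them by source address is what actually tells you whether MaxAuthTries and MaxStartups are being exercised by one host. Added example, not from the article; the log lines are constructed and failed_logins_by_ip is a name chosen here.

```shell
#!/bin/sh
# Added example: summarise failed SSH password logins per source address from
# auth.log style lines. The sample below is constructed for this example.
AUTH_LOG_SAMPLE='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.9 port 51235 ssh2
Mar  3 10:01:06 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Mar  3 10:02:10 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:11 host sshd[1403]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Mar  3 10:03:30 host sshd[1404]: Disconnected from authenticating user root 203.0.113.9 port 51240 [preauth]'

# Reads log lines on stdin; prints "count ip" for every source with at least
# $1 failed password attempts (default 1), most active first.
failed_logins_by_ip() {
    threshold=${1:-1}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails) if (fails[ip] >= min) print fails[ip], ip
        }' | sort -rn
}

# Sample run; on a live host use e.g.: tail -n 10000 /var/log/auth.log | failed_logins_by_ip 5
printf '%s\n' "$AUTH_LOG_SAMPLE" | failed_logins_by_ip 2
```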

Remember to always backup configuration files before making changes and test in a non-production environment first.
