SSH Max Limits and Optimization

(0 reviews)

https://codenamejessica.com/blogs/entry/131-ssh-max-limits-and-optimization/

By: Joshua Njiru
Wed, 15 Jan 2025 17:38:03 +0000

SSH Maximum Limits and Optimization

SSH (Secure Shell) is a powerful tool for remote administration and secure data transfer. However, it’s crucial to understand and configure its limits effectively to ensure optimal performance and security. This article will help you understand and configure SSH max limits for optimal performance and security.

Connection Limits

Connection limits in SSH, primarily controlled by settings like

MaxStartups

and

MaxSessions

, are crucial security measures.

MaxStartups

restricts the number of unauthenticated connection attempts, mitigating brute-force attacks.

MaxSessions

limits the number of active sessions per connection, preventing resource exhaustion and potential DoS attacks. These limits, along with other security measures like key-based authentication and firewall rules, contribute to a robust and secure SSH environment.

SSH Max Sessions

Default: 10
Location:
/etc/ssh/sshd_config
Controls maximum number of simultaneous SSH sessions per connection

MaxSessions 10

SSH Max Startups

Format:
start:rate:full
Default: 10:30:100
Controls unauthenticated connection attempts

MaxStartups 10:30:100
# Allows 10 unauthenticated connections
# 30% probability of dropping connections when limit reached
# Full blocking at 100 connections

Client Alive Interval

Default: 0 (disabled)
Maximum: System dependent
Checks client connectivity every X seconds

ClientAliveInterval 300

Client Alive Count Max

Default: 3
Maximum connection check attempts before disconnecting

ClientAliveCountMax 3

Authentication Limits

Authentication limits in SSH primarily focus on restricting the number of failed login attempts. This helps prevent brute-force attacks where attackers systematically try various combinations of usernames and passwords to gain unauthorized access. By setting limits on the number of authentication attempts allowed per connection, you can significantly increase the difficulty for attackers to successfully compromise your system.

MaxAuthTries

Default: 6
Maximum authentication attempts before disconnecting

MaxAuthTries 6

LoginGraceTime

Default: 120 seconds
Time allowed for successful authentication

LoginGraceTime 120

System Resource Limits

System-wide Limits

Edit

/etc/security/limits.conf

* soft nofile 65535
* hard nofile 65535

Process Limits

# Check current limits
ulimit -n

# Set new limit
ulimit -n 65535

Bandwidth Limits

Bandwidth limits in SSH, while not directly configurable within the SSH protocol itself, are an important consideration for overall system performance. Excessive SSH traffic can consume significant network resources, potentially impacting other applications and services.

Individual User Limits

# In sshd_config
Match User username
RateLimit 5M

Global Rate Limiting

Using iptables:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 10/minute -j ACCEPT

Performance Optimization

Compression Settings

# In sshd_config
Compression delayed

Cipher Selection

# Faster ciphers first
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Keep Alive Settings

Client-side (

~/.ssh/config

Host *
ServerAliveInterval 60
ServerAliveCountMax 3

File Transfer Limits

SFTP Limits

sshd_config

Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f LOCAL6
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no

SCP Limits

# Limit SCP bandwidth
scp -l 1000 # Limits bandwidth to 1000 Kbit/s

Security Maximums

SSH security maximums encompass various settings designed to thwart malicious attacks.

Key Size Limits

RSA: 16384 bits (practical max)
ECDSA: 521 bits
Ed25519: 256 bits (fixed)

Authentication Timeout

# In sshd_config
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
LoginGraceTime 60

Monitoring and Logging

Logging Levels

# In sshd_config
LogLevel VERBOSE
SyslogFacility AUTH

Connection Monitoring

# Active connections
who | grep pts

# SSH processes
ps aux | grep ssh

# Connection attempts
tail -f /var/log/auth.log

Troubleshooting

Check Current Limits

# System limits
sysctl -a | grep max

# SSH daemon limits
sshd -T | grep max

# Process limits
cat /proc/sys/fs/file-max

Common Issues and Solutions

Too Many Open Files

# Check current open files
lsof | grep sshd | wc -l

# Increase system limit
echo "fs.file-max = 100000" >> /etc/sysctl.conf
sysctl -p

Connection Drops

# Add to sshd_config
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3

Best Practices

Regular Monitoring

# Create monitoring script
#!/bin/bash
echo "Active SSH connections: $(netstat -tnpa | grep 'ESTABLISHED.*sshd' | wc -l)"
echo "Failed attempts: $(grep "Failed password" /var/log/auth.log | wc -l)"

Automated Cleanup

# Add to crontab
0 * * * * pkill -o sshd

Remember to always backup configuration files before making changes and test in a non-production environment first.

Similar Articles from Unixmen

How to Fix SSH Connection Refused Error

SSH Port Forwarding: A Detailed Guide with Examples

[Solved] – How to Fix SSH Permission Denied (Publickey) Error Message

The post SSH Max Limits and Optimization appeared first on Unixmen.

Sign In

Welcome to CodeNameJessica

✨ Welcome to CodeNameJessica! ✨