How to limit SSH authentication attempts

Online password guessing against SSH is easier to sustain when a single connection can cycle through many passwords, public keys, or keyboard-interactive responses. OpenSSH's MaxAuthTries directive closes the connection after a fixed number of failed authentication attempts, which shrinks the guessing window per connection without changing account passwords or locking out valid users by itself. It limits attempts per connection, not connections per client, so an attacker can simply reconnect and start the count again; treat it as one layer alongside connection rate limits and fail2ban-style banning rather than a substitute for them.

MaxAuthTries is a server-side directive in sshd_config. The upstream default is 6 attempts per connection, and once the failure count reaches half of the configured value sshd logs each further failure. Every authentication method the client tries counts: each public key it offers (including every key loaded in an ssh-agent) uses one attempt, as does each password or keyboard-interactive response. Lowering the setting to 3 is a common hardening choice for password-based or single-key access; multi-factor sign-ins and clients that offer several keys may need a slightly higher value, or their users must restrict which keys the client offers so they are not disconnected before reaching the right one.

Set the value in the global server configuration unless a per-user or per-address Match block is required. Keep an existing administrative session open while testing, validate the daemon syntax before reload, and prove the effective value with sshd -T before trying a failed-login smoke test from a trusted client.

Steps to limit SSH authentication attempts:

  1. Open a terminal on the SSH server with sudo privileges.
    $ whoami
    user
  2. Back up the active daemon configuration file.
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre-maxauthtries

    Keep a second administrative session, console, or out-of-band access open until a new SSH connection succeeds. A syntax error or too-strict authentication limit can block new remote logins.

  3. Open the OpenSSH daemon configuration file.
    $ sudoedit /etc/ssh/sshd_config

OpenSSH reads /etc/ssh/sshd_config and any files pulled in by its Include directives, in the order they appear. Distributions that ship /etc/ssh/sshd_config.d/ usually place the Include near the top of the main file, so a MaxAuthTries line in any drop-in is read before anything you add further down and wins. On such systems put the directive in the included file that your local policy uses, and check the other drop-ins for a conflicting value.

  4. Set MaxAuthTries in the global server section before any unrelated Match block.
    # Limit failed authentication attempts per connection
    MaxAuthTries 3

Replace an existing global MaxAuthTries line instead of adding a duplicate. OpenSSH keeps the first value it reads for a keyword and silently ignores later ones, so an earlier active line, including one in a file pulled in by an Include above your edit, overrides whatever you add below it.

  5. Run the sshd syntax check.
    $ sudo sshd -t

    No output means the configuration parsed successfully. Fix any reported file and line before reloading SSH.

  6. Reload the SSH service to apply the setting.
    $ sudo systemctl reload ssh

    Use sudo systemctl reload sshd on distributions where the service unit is named sshd.

  7. Confirm the effective MaxAuthTries value.
    $ sudo sshd -T | grep -i '^maxauthtries'
    maxauthtries 3

sshd -T prints the final daemon configuration after includes and defaults are applied (run it as root so it can read the host keys). If MaxAuthTries is inside a Match block, pass the connection context for that login path with sshd -T -C user=...,host=...,addr=... so the dump reflects the matched value rather than the global one.

  8. Test failed authentication from a trusted client.
    $ ssh user@host.example.net
    user@host.example.net's password:
    Permission denied, please try again.
    user@host.example.net's password:
    Permission denied, please try again.
    user@host.example.net's password:
    Received disconnect from 203.0.113.50 port 22:2: Too many authentication failures

Use a test account or a controlled client for this check, and make sure the client offers no public keys during the test (for example, with no keys loaded in the agent): each key the client offers counts as an attempt, so a client with several keys can be disconnected before the first password prompt. The server records the same event in its authentication log as a "Too many authentication failures" disconnect, which is a useful line to alert on. Repeated failed attempts from monitored networks can trigger fail2ban, firewall rules, or upstream intrusion-detection controls, so expect to be banned if you run the test from a production client address.
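The whole procedure above, steps 2 through 7, as one script. This is an added example, not code from the original page or from OpenSSH. The function names (set_max_auth_tries, max_auth_tries_from_dump, apply_max_auth_tries), the script name in the usage line, and the sample configuration it is exercised against are assumptions made for illustration; it further assumes the configuration lives at /etc/ssh/sshd_config, that the service unit is ssh unless told otherwise, and that the apply mode runs as root. The edit follows OpenSSH's first-value-wins rule: it rewrites the first active global MaxAuthTries line, comments out later global duplicates so they cannot shadow it, leaves values inside Match blocks alone, and warns when an Include precedes the directive because a drop-in value would be read first.

```sh
#!/bin/sh
# Added example (not from the original page): the MaxAuthTries procedure as
# one script. Assumptions: sshd_config is /etc/ssh/sshd_config, the service
# unit is "ssh" unless a third argument says otherwise, "apply" runs as root.

# set_max_auth_tries FILE VALUE
# Rewrite the first active global MaxAuthTries line (outside any Match block)
# to VALUE, else insert one above the first Match block, else append it.
# Later global duplicates are commented out because sshd keeps the first value
# it reads. Warns if an Include precedes the directive: a value in the included
# file would be read earlier and win over this one.
set_max_auth_tries() {
    cfg_file=$1
    new_value=$2
    case $new_value in
        ''|0|*[!0-9]*) echo "set_max_auth_tries: value must be a positive integer" >&2; return 2 ;;
    esac
    scratch=$(mktemp) || return 1
    if awk -v val="$new_value" '
        function emit() {
            print "MaxAuthTries " val
            done = 1
            if (inc) printf("warning: Include on line %d precedes MaxAuthTries; a drop-in value would win\n", inc) > "/dev/stderr"
        }
        { key = tolower($1) }                         # sshd keywords are case-insensitive
        key == "include" && !in_match && !inc { inc = NR }
        key == "match" { if (!done) emit(); in_match = 1 }   # a Match block ends the global section
        key == "maxauthtries" && !in_match {
            if (!done) { emit() } else { print "# " $0 "   # disabled duplicate: first value wins" }
            next
        }
        { print }
        END { if (!done) emit() }
    ' "$cfg_file" > "$scratch"; then
        cat "$scratch" > "$cfg_file"    # cat keeps the target file's owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$scratch"
    return $rc
}

# max_auth_tries_from_dump: read `sshd -T` output on stdin, print the effective value.
max_auth_tries_from_dump() {
    awk 'tolower($1) == "maxauthtries" { print $2; exit }'
}

# apply_max_auth_tries VALUE [UNIT]
# Back up, edit, syntax-check, reload, verify. Stops at the first failure and
# restores the backup rather than reloading a configuration that does not parse.
apply_max_auth_tries() {
    want=$1
    unit=${2:-ssh}
    cfg=/etc/ssh/sshd_config
    [ "$(id -u)" -eq 0 ] || { echo "apply_max_auth_tries: run as root" >&2; return 1; }
    cp "$cfg" "$cfg.pre-maxauthtries" || return 1
    set_max_auth_tries "$cfg" "$want" || return 1
    if ! sshd -t; then
        echo "sshd -t failed; restoring backup" >&2
        cp "$cfg.pre-maxauthtries" "$cfg"
        return 1
    fi
    systemctl reload "$unit" || return 1
    got=$(sshd -T | max_auth_tries_from_dump)
    if [ "$got" != "$want" ]; then
        echo "effective maxauthtries is '$got', expected $want (check Include order and Match blocks)" >&2
        return 1
    fi
    echo "maxauthtries $got"
}

# Usage (assumed script name): sudo sh limit-ssh-auth.sh apply 3 [ssh|sshd]
# Without "apply" the file only defines the functions, so it can be sourced.
if [ "${1:-}" = "apply" ]; then
    apply_max_auth_tries "${2:-3}" "${3:-ssh}"
fi
```

Keep a second session open while running the apply mode, as in step 2: it reloads the daemon, and the verification at the end compares the live sshd -T value against what was requested so a drop-in or Match block that wins over the edit is reported instead of silently passing.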