Limiting maximum SSH connections and sessions on a bastion or public-facing server protects CPU and memory from overload during peaks of interactive logins, file transfers, and port forwards. Capping concurrency keeps the host responsive for legitimate administration instead of allowing arbitrary numbers of clients to compete for resources.
An OpenSSH daemon reads the /etc/ssh/sshd_config file to control how many connections and sessions are accepted. The MaxStartups directive governs concurrent unauthenticated TCP connections and can apply probabilistic drops using a start:rate:full syntax, while MaxSessions caps the number of interactive shells, subsystems such as sftp, and multiplexed channels opened over a single authenticated connection. Tuning these parameters shapes how sshd behaves under high load or during scanning and brute-force attempts.
Overly strict limits can block legitimate maintenance work, disrupt long-running file transfers, or prevent new administrative sessions during busy periods. Any modification to /etc/ssh/sshd_config requires root or sudo privileges and a restart of the ssh service on systemd-based Linux systems. Testing configuration syntax with sshd -t before restarting and keeping console or out-of-band access available reduces the risk of accidental lockouts.
$ whoami
user
$ sudo vi /etc/ssh/sshd_config
Any preferred text editor such as nano or vim can be used to modify /etc/ssh/sshd_config.
MaxStartups 10:30:60
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).
Colon-separated values provide more granular control; the following example drops 30% of new connection attempts once there are 10 unauthenticated connections and drops all new attempts once there are 60 concurrent unauthenticated connections.
MaxStartups 10:30:60
Add the line if it does not already exist and remove # at the beginning of the line if present.
Setting MaxStartups thresholds too low on a busy jump host can cause valid connection attempts to be dropped during short bursts of activity.
MaxSessions 5
MaxSessions
Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. Multiple sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.
Add the line if it does not already exist and remove # at the beginning of the line if present.
Setting MaxSessions to 0 blocks new interactive shells and sftp sessions, which can break automation and remote administration workflows.
$ sudo sshd -t
No output from sshd -t indicates that the configuration syntax is valid.
$ sudo systemctl restart ssh
Restarting ssh with an invalid configuration can prevent new SSH logins; ensure sshd -t reports no errors and maintain console or out-of-band access.
$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-01-10 12:26:05 +08; 142ms ago
TriggeredBy: ● ssh.socket
Docs: man:sshd(8)
man:sshd_config(5)
Process: 13222 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 13225 (sshd)
Tasks: 1 (limit: 4546)
Memory: 2.7M (peak: 3.7M)
CPU: 35ms
CGroup: /system.slice/ssh.service
└─13225 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-60 startups"
##### snipped #####
$ sudo sshd -T | grep -E "^(maxstartups|maxsessions)"
maxsessions 5
maxstartups 10:30:60
The sshd -T command expands settings from /etc/ssh/sshd_config and prints the effective values used by the daemon, including the configured MaxStartups and MaxSessions directives.
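To judge whether a MaxStartups value is too tight for a busy jump host, it helps to see the refusal percentage at each load level. The following is an added example, not part of the original guide or of OpenSSH: it applies the linear ramp from the man page excerpt above to a start:rate:full value. The function name drop_pct and the integer rounding are assumptions of this example.

```sh
#!/bin/sh
# Added example: refusal percentage implied by a MaxStartups value, using the
# linear ramp described in sshd_config(5). Not taken from the OpenSSH source.

# drop_pct SPEC COUNT (hypothetical helper) prints the percentage of new
# connection attempts refused while COUNT unauthenticated connections are open.
# SPEC is "start:rate:full" or a single number (hard cap, no early drop).
drop_pct() {
    spec=$1 count=$2
    case $spec in
        *:*:*:*) echo "invalid MaxStartups: $spec" >&2; return 2 ;;
        *:*:*)   start=${spec%%:*}; rest=${spec#*:}
                 rate=${rest%%:*}; full=${rest#*:} ;;
        *:*)     echo "invalid MaxStartups: $spec" >&2; return 2 ;;
        *)       start=$spec; rate=100; full=$spec ;;
    esac
    # This example's own checks: numeric fields, start <= full, rate in 1..100.
    for v in "$start" "$rate" "$full" "$count"; do
        case $v in ''|*[!0-9]*) echo "invalid number: '$v'" >&2; return 2 ;; esac
    done
    if [ "$start" -gt "$full" ] || [ "$rate" -lt 1 ] || [ "$rate" -gt 100 ]; then
        echo "invalid MaxStartups: $spec" >&2; return 2
    fi
    if [ "$count" -lt "$start" ]; then echo 0; return 0; fi
    if [ "$count" -ge "$full" ]; then echo 100; return 0; fi
    # Linear ramp from rate% at start to 100% at full.
    # Assumption: integer arithmetic, fractions rounded down.
    echo $(( rate + (100 - rate) * (count - start) / (full - start) ))
}

# Table for the value configured in this guide.
for n in 0 9 10 20 35 50 59 60; do
    printf '%2d unauthenticated -> %3d%% of new attempts refused\n' \
        "$n" "$(drop_pct 10:30:60 "$n")"
done
```

Comparing the table with the "N of 10-60 startups" counter in the listener process title shows how close the host is running to the point where legitimate logins start being refused.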