Repeated failed SSH logins become harder to contain when each connection can try too many passwords, keys, or keyboard-interactive prompts. OpenSSH uses MaxAuthTries to close a connection after a fixed number of failed authentication attempts, which narrows each guessing window without changing account passwords or locking valid users by itself.
MaxAuthTries is an sshd_config server directive. The upstream default is 6 attempts per connection, and sshd starts logging additional failures once the count reaches half of the configured value. Lowering the setting to 3 is a common hardening choice for password-based or single-key access, while multi-factor sign-ins and clients that offer several keys may need a slightly higher value.
Set the value in the global server configuration unless a per-user or per-address Match block is required. Keep an existing administrative session open while testing, validate the daemon syntax before reloading, and verify the effective value with sshd -T before running a failed-login smoke test from a trusted client.
Steps to limit SSH authentication attempts:
- Open a terminal on the SSH server with sudo privileges.
$ whoami
user
- Back up the active daemon configuration file.
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre-maxauthtries
Keep a second administrative session, console, or out-of-band access open until a new SSH connection succeeds. A syntax error or too-strict authentication limit can block new remote logins.
- Open the OpenSSH daemon configuration file.
$ sudoedit /etc/ssh/sshd_config
OpenSSH reads /etc/ssh/sshd_config and any files included from it. On systems that use /etc/ssh/sshd_config.d/, place the directive in the included file that your local policy uses.
- Set MaxAuthTries in the global server section before any unrelated Match block.
# Limit failed authentication attempts per connection
MaxAuthTries 3
Replace an existing global MaxAuthTries line instead of adding a duplicate. OpenSSH uses the first matching value it reads, so an earlier active line can override a later one.
- Run the sshd syntax check.
$ sudo sshd -t
No output means the configuration parsed successfully. Fix any reported file and line before reloading SSH.
- Reload the SSH service to apply the setting.
$ sudo systemctl reload ssh
Use sudo systemctl reload sshd on distributions where the service unit is named sshd.
- Confirm the effective MaxAuthTries value.
$ sudo sshd -T | grep -i '^maxauthtries'
maxauthtries 3
sshd -T prints the final daemon configuration after includes and defaults are applied. If MaxAuthTries is inside a Match block, add the appropriate sshd -T -C user=...,host=...,addr=... context for that login path.
- Test failed authentication from a trusted client.
$ ssh user@host.example.net
user@host.example.net's password:
Permission denied, please try again.
user@host.example.net's password:
Permission denied, please try again.
user@host.example.net's password:
Received disconnect from 203.0.113.50 port 22:2: Too many authentication failures
Use a test account or a controlled client for this check. Repeated failed attempts from monitored networks can trigger fail2ban, firewall rules, or upstream intrusion-detection controls.
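As an added example (not part of the original article or of OpenSSH itself), the script below does two things the procedure above relies on: it parses an sshd_config fragment and reports the global MaxAuthTries the way sshd resolves it (comments and blank lines skipped, keyword matched case-insensitively, the first value wins, parsing of the global section stops at the first Match block, and the upstream default of 6 applies when nothing sets it), and it tallies the "Too many authentication failures" disconnects that a lowered limit produces in the auth log, per source address. The config fragment and log lines are constructed for the example; the function names are hypothetical. It assumes a POSIX shell with awk and sort available.

```bash
#!/usr/bin/env bash
# Added example: resolve the effective MaxAuthTries from a config fragment
# and count MaxAuthTries disconnects per source address in auth log lines.

# Constructed sshd_config fragment: a global section with a duplicate
# directive (which sshd ignores, first value wins) followed by a Match block.
SAMPLE_CONFIG='# global section
Port 22
maxauthtries 3
MaxAuthTries 10
Match Address 10.0.0.0/8
    MaxAuthTries 6
'

# Constructed auth log lines in the format sshd uses when a connection
# exceeds MaxAuthTries; two lockouts from one address, one from another.
SAMPLE_LOG='Jan 10 10:01:02 host sshd[1234]: Disconnecting authenticating user root 198.51.100.7 port 51000: Too many authentication failures [preauth]
Jan 10 10:01:09 host sshd[1240]: Disconnecting authenticating user admin 198.51.100.7 port 51010: Too many authentication failures [preauth]
Jan 10 10:02:00 host sshd[1250]: Accepted publickey for user from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:constructed
Jan 10 10:03:00 host sshd[1260]: Disconnecting invalid user test 192.0.2.9 port 33000: Too many authentication failures [preauth]'

# Read sshd_config text on stdin and print the effective global MaxAuthTries.
# Mirrors sshd's rules: skip comments and blank lines, accept "Key value" or
# "Key=value", match the keyword case-insensitively, keep the first value
# seen, stop at the first Match block, and fall back to the default of 6.
effective_maxauthtries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { gsub(/=/, " ") }                       # normalise Key=value form
        tolower($1) == "match" { exit }          # leave the global section
        tolower($1) == "maxauthtries" && !found { value = $2; found = 1 }
        END { print (found ? value : 6) }
    '
}

# Read auth log lines on stdin and print "count address" for every source
# address that hit the MaxAuthTries limit, most frequent first. The address
# is the field immediately before "port" in sshd's disconnect message.
maxauthtries_disconnects() {
    awk '
        /Too many authentication failures/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "port") { hits[$(i - 1)]++; break }
            }
        }
        END { for (addr in hits) print hits[addr], addr }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone demonstration on the constructed samples.
printf 'effective MaxAuthTries: %s\n' "$(printf '%s' "$SAMPLE_CONFIG" | effective_maxauthtries)"
printf 'MaxAuthTries disconnects per address:\n'
printf '%s\n' "$SAMPLE_LOG" | maxauthtries_disconnects
```

Run it against the real files with `sudo sh -c 'cat /etc/ssh/sshd_config' | effective_maxauthtries` after sourcing the functions, or `sudo journalctl -u ssh | maxauthtries_disconnects`; a steady stream of disconnects from one address is the signal to feed into fail2ban or firewall policy rather than a reason to raise the limit again.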
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.