Limiting maximum SSH connections and sessions on a bastion or public-facing server protects CPU and memory from overload during peaks of interactive logins, file transfers, and port forwards. Capping concurrency keeps the host responsive for legitimate administration instead of allowing arbitrary numbers of clients to compete for resources.
An OpenSSH daemon reads the /etc/ssh/sshd_config file to control how many connections and sessions are accepted. The MaxStartups directive governs concurrent unauthenticated TCP connections and can apply probabilistic drops using a start:rate:full syntax, while MaxSessions caps the number of interactive shells, subsystems such as sftp, and multiplexed channels opened over a single authenticated connection. Tuning these parameters shapes how sshd behaves under high load or during scanning and brute-force attempts.
Overly strict limits can block legitimate maintenance work, disrupt long-running file transfers, or prevent new administrative sessions during busy periods. Any modification to /etc/ssh/sshd_config requires root or sudo privileges and a restart of the ssh service on systemd-based Linux systems. Testing configuration syntax with sshd -t before restarting and keeping console or out-of-band access available reduces the risk of accidental lockouts.
Steps to set maximum SSH connections:
- Open a terminal with sudo privileges on the target server.
$ whoami
user
- Open the /etc/ssh/sshd_config file in a text editor.
$ sudo vi /etc/ssh/sshd_config
[sudo] password for user:
Any preferred text editor such as nano or vim can be used to modify /etc/ssh/sshd_config.
- Set the maximum number of concurrent unauthenticated connections by configuring the MaxStartups directive.
MaxStartups 10
MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100. Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).
Colon-separated values provide more granular control; the following example drops 50% of new connection attempts once there are 5 unauthenticated connections and drops all new attempts once there are 10 concurrent unauthenticated connections.
MaxStartups 5:50:10
Add the line if it does not already exist and remove # at the beginning of the line if present.
Setting MaxStartups thresholds too low on a busy jump host can cause valid connection attempts to be dropped during short bursts of activity.
- Define the maximum number of allowed sessions per connection by setting the MaxSessions directive.
MaxSessions 5
MaxSessions Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. Multiple sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.
Add the line if it does not already exist and remove # at the beginning of the line if present.
Setting MaxSessions to 0 blocks new interactive shells and sftp sessions, which can break automation and remote administration workflows.
- Save the changes in the /etc/ssh/sshd_config file and exit the editor.
- Test the sshd configuration for syntax errors.
$ sudo sshd -t
No output from sshd -t indicates that the configuration syntax is valid.
- Restart the ssh service to apply the updated limits.
$ sudo systemctl restart ssh
Restarting ssh with an invalid configuration can prevent new SSH logins; ensure sshd -t reports no errors and maintain console or out-of-band access.
- Confirm that the ssh service is active after the restart.
$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-02-20 10:15:01 UTC; 5s ago
##### snipped #####
- Verify that the effective MaxStartups and MaxSessions values match the intended limits.
$ sudo sshd -T | grep -E "maxstartups|maxsessions"
maxstartups 5:50:10
maxsessions 5
The sshd -T command expands settings from /etc/ssh/sshd_config and prints the effective values used by the daemon, including the configured MaxStartups and MaxSessions directives.
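To judge whether a start:rate:full value is too tight for a busy jump host, it helps to see the refusal probability at each connection count. The following is an added example, not part of the original page or of OpenSSH: the function name maxstartups_drop_pct is hypothetical, and the integer rounding and input sanity checks are assumptions layered on the linear ramp the man page excerpt describes.

```shell
#!/bin/sh
# Added example: percentage of new connection attempts refused for a given
# MaxStartups value and a given number of open unauthenticated connections.
# Usage: maxstartups_drop_pct SPEC CURRENT
#   SPEC    "N" or "start:rate:full", as written in sshd_config
#   CURRENT unauthenticated connections already open
maxstartups_drop_pct() {
    spec=$1
    cur=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*};  full=${rest#*:} ;;
        *)     start=$spec; rate=100; full=$spec ;;  # single value: hard cap
    esac
    # Every field must be a plain non-negative integer
    for v in "$start" "$rate" "$full" "$cur"; do
        case $v in
            ''|*[!0-9]*) echo "invalid MaxStartups: $spec" >&2; return 2 ;;
        esac
    done
    # Sanity checks (assumed here): start <= full and 1 <= rate <= 100
    if [ "$start" -gt "$full" ] || [ "$rate" -lt 1 ] || [ "$rate" -gt 100 ]; then
        echo "invalid MaxStartups: $spec" >&2
        return 2
    fi
    # Below start nothing is refused; at or above full everything is
    if [ "$cur" -lt "$start" ]; then echo 0; return 0; fi
    if [ "$cur" -ge "$full" ]; then echo 100; return 0; fi
    # Linear ramp from rate% at start to 100% at full (integer arithmetic)
    echo $(( rate + (100 - rate) * (cur - start) / (full - start) ))
}

# Demo with the value configured on this page (5:50:10)
for n in 4 5 6 7 8 9 10; do
    printf '%2d open -> %3s%% of new attempts refused\n' \
        "$n" "$(maxstartups_drop_pct 5:50:10 "$n")"
done
```

Feeding it the value reported by sshd -T and the peak number of simultaneous logins expected on the host shows how many legitimate attempts would be refused during a burst.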
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
