Limiting concurrent SSH connection attempts reduces the impact of brute-force attacks, aggressive scanners, and misbehaving automation. Controlling how many unauthenticated sessions may start in parallel helps protect CPU, memory, and network resources while keeping legitimate administration paths available.

OpenSSH implements throttling for new inbound sessions through the MaxStartups directive in /etc/ssh/sshd_config. When too many unauthenticated sessions exist at the same time, sshd begins to drop or refuse additional connection attempts according to the configured thresholds, before authentication logic or shell startup is reached.

Values that are too strict can surprise administrators connecting from shared IP addresses, bastion hosts, or automation farms, especially when combined with other limits such as MaxSessions, LoginGraceTime, and MaxAuthTries. The steps below assume OpenSSH running on a systemd-based Linux distribution where the service unit is named ssh; environments where the unit is named sshd require only minor adjustments to the service commands.

Steps to throttle SSH connection attempts with MaxStartups:

  1. Open a terminal with a sudo-capable account on the Linux server.
    $ whoami
    admin
  2. Create a timestamped backup of /etc/ssh/sshd_config before editing.
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)

    Incorrect MaxStartups values or syntax can block new SSH logins until sshd is fixed and restarted, so a usable backup simplifies recovery.

  3. Open /etc/ssh/sshd_config in a text editor.
    $ sudo nano /etc/ssh/sshd_config
  4. Add or adjust the MaxStartups directive to set the desired throttling limits.
    MaxStartups 10:30:60

    In the form MaxStartups start:rate:full, start is the number of unauthenticated connections allowed before throttling begins, rate is the percentage (0–100) of additional attempts that are randomly dropped, and full is the hard cap at which all new unauthenticated connections are dropped.

  5. Optionally use a single integer MaxStartups value to impose a hard cap without probabilistic dropping.
    MaxStartups 20

    A single-value MaxStartups limits unauthenticated connections to the specified number and drops all further attempts immediately.

  6. Ensure the editor saves the updated /etc/ssh/sshd_config file.
  7. Test the sshd configuration syntax for errors.
    $ sudo sshd -t

    Absence of output indicates that the configuration parses successfully and sshd can start with the new settings.

  8. Reload the ssh service to apply the updated limits without interrupting existing sessions.
    $ sudo systemctl reload ssh

    On RHEL and similar systems the service unit is often named sshd, so the command becomes sudo systemctl reload sshd.

  9. Confirm that MaxStartups is active by inspecting the effective sshd configuration.
    $ sudo sshd -T | grep -i maxstartups
    maxstartups 10:30:60
  10. Optionally monitor the SSH service status and recent log messages for dropped or refused connection attempts.
    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2025-12-11 09:42:01 UTC; 2min 5s ago
    ##### snipped #####

    Connection attempts exceeding the MaxStartups limits appear as refused or dropped sessions in the system logs, viewable with journalctl -u ssh or in /var/log/auth.log.
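
How the start:rate:full thresholds from step 4 translate into a drop chance at a given load, as an added example that is not part of the original article. It assumes sshd's documented behaviour that the drop chance rises linearly from rate% at start to 100% at full; the function name maxstartups_drop_pct and its input checks are this example's own.

```sh
#!/bin/sh
# Added example (not from the article): drop chance for a MaxStartups value.

# maxstartups_drop_pct SPEC N
#   SPEC  "start:rate:full" or a single integer (hard cap)
#   N     unauthenticated connections already open
# Prints the percent chance (0-100) that the next attempt is dropped.
# Returns 2 on input this example does not accept.
maxstartups_drop_pct() {
    ms_spec=$1 ms_n=$2
    case $ms_spec in
        *:*:*)  # three-field form: split on the first two colons
            ms_start=${ms_spec%%:*}; ms_rest=${ms_spec#*:}
            ms_rate=${ms_rest%%:*};  ms_full=${ms_rest#*:} ;;
        *)      # single value: hard cap with no probabilistic phase
            ms_start=$ms_spec; ms_rate=100; ms_full=$ms_spec ;;
    esac
    # Example's own sanity checks: plain decimal integers without leading
    # zeros (shell arithmetic would read those as octal).
    for ms_v in "$ms_start" "$ms_rate" "$ms_full" "$ms_n"; do
        case $ms_v in
            ''|*[!0-9]*|0?*) echo "invalid value: '$ms_v'" >&2; return 2 ;;
        esac
    done
    if [ "$ms_start" -gt "$ms_full" ] || [ "$ms_rate" -gt 100 ]; then
        echo "invalid MaxStartups value: $ms_spec" >&2; return 2
    fi
    if [ "$ms_n" -lt "$ms_start" ]; then echo 0; return 0; fi
    if [ "$ms_n" -ge "$ms_full" ] || [ "$ms_rate" -eq 100 ]; then
        echo 100; return 0
    fi
    # Linear ramp from rate% at start up to 100% at full (integer division).
    echo $(( ms_rate + (100 - ms_rate) * (ms_n - ms_start) / (ms_full - ms_start) ))
}

# Table for the article's value from step 4.
for n in 9 10 20 35 50 59 60; do
    printf '%2d unauthenticated -> %3s%% dropped\n' \
        "$n" "$(maxstartups_drop_pct 10:30:60 "$n")"
done
```

To evaluate a live server, pass the value reported by sudo sshd -T | grep -i maxstartups in step 9 as the first argument.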
