How to manage failed login attempts in SSH

Limiting failed login attempts on SSH reduces exposure to brute-force attacks and keeps remote access predictable. Shorter authentication windows and stricter attempt limits make it harder for automated tools to cycle through passwords while still allowing normal administration tasks.

On most Linux systems, the OpenSSH server reads its configuration from /etc/ssh/sshd_config and enforces parameters such as LoginGraceTime and MaxAuthTries. LoginGraceTime controls how long a new connection may attempt to authenticate before being dropped, while MaxAuthTries defines how many failures are accepted on a single connection before termination.

Tighter values improve security but reduce the margin for typing mistakes or slow authentication methods. Root or sudo access on the server is required to adjust these directives, and configuration syntax should be validated before restarting the ssh service to avoid lockouts. For IP-based blocking and account lockout behaviour, pairing these settings with tools such as fail2ban or PAM-based controls provides additional protection.

1. Open a terminal on the server with access to sudo.

   $ whoami
   user

2. Create a backup of the current /etc/ssh/sshd_config file before changing any settings.

   $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

   Invalid syntax or values in /etc/ssh/sshd_config can prevent new SSH logins; a backup enables rollback from a console or out-of-band session.

3. Open the main SSH daemon configuration file in a text editor with elevated privileges.

   $ sudo vi /etc/ssh/sshd_config
   [sudo] password for user:

   Any text editor such as nano or vim is suitable as long as it is run with sudo.

4. Locate the LoginGraceTime directive and set the time allowed for authentication after a connection is established.

   LoginGraceTime 60

   Remove # at the start of the line to uncomment the directive or add it if it does not exist.

   Units such as s, m, or h are accepted, for example LoginGraceTime 30s or LoginGraceTime 1m; setting the value to 0 disables the grace timer and keeps connections open indefinitely during authentication.

5. Locate the MaxAuthTries directive and set the maximum number of authentication failures permitted per connection.

   MaxAuthTries 3

   Add the directive if it does not exist and remove any leading # to activate it.

   Values between 2 and 4 are common for hardened servers; higher values tolerate more mistakes but provide more room for brute-force attempts.

6. Exit the editor after writing the configuration changes to disk.

   In vi or vim, press :wq and Enter to save the file and quit.

7. Validate the sshd configuration syntax before restarting the service.

   $ sudo sshd -t

   No output indicates that the configuration is syntactically valid; any reported error includes a line number to correct.

8. Restart the ssh service to apply the updated login limits.

   $ sudo systemctl restart ssh

   Related: How to start, restart, and stop the SSH server service
   On some distributions the service name is sshd, in which case use sudo systemctl restart sshd instead.

9. Check that the ssh service is active after the restart.

   $ sudo systemctl status ssh
   ● ssh.service - OpenBSD Secure Shell server
        Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
        Active: active (running) since Thu 2025-12-11 10:15:01 UTC; 5s ago
   ##### snipped #####

   The Active line should show active (running) and recent log lines should not report configuration errors.

10. Test the new limits by attempting authentication with incorrect credentials from a different session or host.

    $ ssh invaliduser@server
    invaliduser@server's password:
    Permission denied, please try again.
    invaliduser@server's password:
    Permission denied, please try again.
    invaliduser@server's password:
    Permission denied (publickey,password).

    The connection ends after the configured number of failures, and matching entries appear in /var/log/auth.log or the system journal via journalctl -u ssh.