← Rules Catalog
mediumaccess-controlverified ✓✓rollback-safe

Limit SSH unauthenticated connection startups

ssh-max-startups · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must limit the number of concurrent unauthenticated connections. MaxStartups uses a start:rate:full format that begins randomly dropping connections once a threshold is reached, preventing connection-flooding denial-of-service attacks.

Rationale

Without startup limits, an attacker can open thousands of unauthenticated SSH connections simultaneously, exhausting the daemon's connection slots and preventing legitimate users from connecting. The 10:30:60 setting begins dropping new connections with 30% probability after 10 pending connections, reaching 100% refusal at 60.

Check → Remediate

Checksshd_effective_config
key:
maxstartups
expected:
10:30:60
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
MaxStartups
value:
10:30:60
separator:
reload:
sshd

Framework references

CIS

rhel10 5.1.17rhel8 5.1.20rhel9 5.1.17

NIST 800-53

CM-6SC-5

Live verification

rhel10:checkrhel8:checkrhel9:full
#ssh#denial-of-service#connections