mediumaccess-controlverified ✓✓rollback-safe
Limit SSH unauthenticated connection startups
ssh-max-startups · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must limit the number of concurrent unauthenticated connections. MaxStartups uses a start:rate:full format that begins randomly dropping connections once a threshold is reached, preventing connection-flooding denial-of-service attacks.
Rationale
Without startup limits, an attacker can open thousands of unauthenticated SSH connections simultaneously, exhausting the daemon's connection slots and preventing legitimate users from connecting. The 10:30:60 setting begins dropping new connections with 30% probability after 10 pending connections, reaching 100% refusal at 60.
Check → Remediate
Checksshd_effective_config
- key:
- maxstartups
- expected:
- 10:30:60
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- MaxStartups
- value:
- 10:30:60
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.17rhel8 5.1.20rhel9 5.1.17
NIST 800-53
CM-6SC-5
Live verification
rhel10:checkrhel8:checkrhel9:full
#ssh#denial-of-service#connections