Limit SSH Connection Attempts on Ubuntu

Securing your Ubuntu server from brute-force attacks is crucial, and one effective method is limiting the number of unauthenticated SSH connection attempts. This guide provides a straightforward, step-by-step walkthrough on how to configure the SSH daemon using the MaxStartups and MaxAuthTries directives to restrict concurrent unauthenticated connections and login attempts.

Step 1: Open the SSH Configuration File

To make changes to the SSH daemon configuration, you need to edit the sshd_config file with administrative privileges. Open your terminal and run the following command:

sudo nano /etc/ssh/sshd_config

Step 2: Configure MaxStartups to Limit Unauthenticated Connections

The MaxStartups directive defines the maximum number of concurrent unauthenticated connections allowed to the SSH daemon. This is highly effective at preventing connection-flooding attacks.

Locate the #MaxStartups line (remove the # to uncomment it) or add it if it does not exist. Set it using the start:rate:full syntax:

MaxStartups 10:30:100

Here is what these values mean:

* 10 (start): The number of unauthenticated connections allowed before the daemon begins dropping subsequent connection attempts.
* 30 (rate): The percentage chance that a new connection will be dropped if the active unauthenticated connections are between the “start” (10) and “full” (100) values.
* 100 (full): The absolute maximum number of unauthenticated connections allowed. Any connection attempts beyond this number will be immediately dropped.

For stricter security on a private server, you can lower these values, for example:

MaxStartups 2:30:10

Step 3: Configure MaxAuthTries to Limit Login Attempts

While MaxStartups limits concurrent pending connections, MaxAuthTries limits the number of authentication attempts allowed per connection.

Locate the MaxAuthTries directive in the same file, uncomment it, and set your desired limit. A value of 3 or 4 is recommended:

MaxAuthTries 3

Once a client reaches this limit, the server will disconnect them.

Step 4: Save and Close the File

If you are using the nano text editor:

1. Press Ctrl + O to save.
2. Press Enter to confirm the filename.
3. Press Ctrl + X to exit the editor.

Step 5: Test and Restart the SSH Service

Before restarting the SSH service, verify that your configuration file contains no syntax errors by running:

sudo sshd -t

If the command returns no output, the configuration is valid. Now, apply the changes by restarting the SSH service:

sudo systemctl restart ssh
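
To confirm which limits the daemon actually loaded after Step 5, and to see how the start:rate:full values from Step 2 translate into refusals, the script below is an added example and not part of the original guide. It assumes the linear ramp documented in sshd_config(5), where the refusal chance equals rate at start and rises to 100% at full; the function names are hypothetical and the sample `sshd -T` output is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): inspect the limits sshd actually loaded
# and model how MaxStartups start:rate:full refuses new connections.

# Constructed sample of `sshd -T` output (sshd prints keywords in lowercase).
SAMPLE_EFFECTIVE_CONFIG='port 22
maxauthtries 3
maxstartups 10:30:100
permitrootlogin no'

# get_directive KEY: print the value of KEY from `sshd -T` style text on stdin.
get_directive() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# drop_percent START:RATE:FULL N: percent chance that a new connection is
# refused while N unauthenticated connections are pending. Below START nothing
# is refused; from START the chance ramps linearly from RATE up to 100 at FULL.
drop_percent() (
    spec=$1 n=$2
    start=${spec%%:*}; rest=${spec#*:}
    rate=${rest%%:*};  full=${rest#*:}
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ] || [ "$rate" -ge 100 ]; then
        echo 100
    else
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
)

# report_limits: read `sshd -T` style text on stdin and summarise both limits.
report_limits() {
    cfg=$(cat)
    ms=$(printf '%s\n' "$cfg" | get_directive maxstartups)
    tries=$(printf '%s\n' "$cfg" | get_directive maxauthtries)
    echo "maxauthtries=$tries maxstartups=$ms"
    for n in 5 10 55 100; do
        echo "pending=$n refuse=$(drop_percent "$ms" "$n")%"
    done
}

# Runs offline on the constructed sample. On a live server, as root:
#   sshd -T | report_limits
printf '%s\n' "$SAMPLE_EFFECTIVE_CONFIG" | report_limits
```

Reading the values from `sshd -T` rather than from the file you edited shows the settings the daemon resolved after all configuration files were processed.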