Anthony J. Martinez

SSH at Scale - Revisited

The final note in my series on secure operation of SSH at scale will be brief:

Make sure to pay attention to MaxStartups.

Setting this too high will likely cause major performance issues as the CPU on any server pegs, and stays pegged. Setting it too low will negatively impact the systems trying to connect to your server. The setting itself controls how many connections can be in a "startup" state, that is, prior to having completed authentication. Be sure to consider all expected use that sshd may answer, including client probes to verify the server is up. If these are driving a need to increase MaxStartups, try running a separate service specifically to handle these probes. Deconflict ports as needed.
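
To size the value against expected load, the sketch below models how sshd treats MaxStartups as described in sshd_config(5): either a single hard limit, or `start:rate:full`, where refusals begin at `rate` percent once `start` connections are unauthenticated and ramp linearly to 100 percent at `full`. It is an added example, not code from this post or from OpenSSH; the function names and load figures are assumptions made for illustration.

```python
# Added example: models the MaxStartups behaviour documented in sshd_config(5).
# Function names are hypothetical; this is not OpenSSH source code.

def parse_max_startups(value):
    """Return (start, rate, full) from 'N' or 'start:rate:full'."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 1:
        # Single number: hard limit, every connection past N is refused.
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = parts
    if start > full or not 1 <= rate <= 100:
        raise ValueError("need start <= full and 1 <= rate <= 100")
    return start, rate, full


def refusal_percent(unauthenticated, value):
    """Chance (in percent) that sshd refuses the next connection attempt."""
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full` (integer math).
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


if __name__ == "__main__":
    # Constructed load levels: concurrent connections still in startup state,
    # counting real logins and "is it up" probes together.
    for setting in ("10", "10:30:100"):
        for load in (5, 10, 55, 100):
            print(f"MaxStartups {setting:<10} pre-auth={load:<4} "
                  f"refuse={refusal_percent(load, setting)}%")
```

Feed it the peak number of simultaneous pre-authentication connections you expect, probes included, to see whether legitimate clients would start being refused under a candidate setting.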