SSH at Scale - Revisited
The final note in my series on secure operation of SSH at scale will be brief: make sure to pay attention to MaxStartups.

MaxStartups controls how many connections sshd will hold in the "startup" state, meaning accepted on the socket but not yet past authentication. Each of those connections costs a forked sshd child and a key exchange, so setting the limit too high will likely cause major performance issues as the CPU on your servers pegs and stays pegged. Setting it too low means sshd starts dropping new connections before legitimate clients get through, which negatively impacts the systems trying to connect to your server. The default is 10:30:100: once 10 unauthenticated connections are already in flight, sshd randomly drops 30% of new ones, with the drop rate rising linearly to 100% at 100 in flight. A single number (for example, MaxStartups 50) is a hard cutoff with no random-drop region. Check the effective value on a running host with sshd -T | grep maxstartups rather than trusting what is in sshd_config.

Be sure to consider all expected use that sshd may answer, including client probes that verify the server is up. A probe that completes the TCP handshake and then waits holds a startup slot from accept until it disconnects or LoginGraceTime expires, so probes compete with real logins for the same budget. If probes are driving a need to increase MaxStartups, try running a separate service specifically to handle them instead, on a port that does not collide with sshd.
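The drop behaviour described above is easier to reason about with numbers in front of you. The following is an added example, not code from the original post or from OpenSSH; it parses a MaxStartups value the way sshd_config accepts it and reproduces the integer arithmetic of drop_connection() in OpenSSH's sshd.c so you can see, for a given count of in-flight unauthenticated connections, what fraction of new arrivals will be dropped. The headroom helper and the sample probe count are constructed for illustration.

```python
"""Model of sshd's MaxStartups random early drop.

Added example for this post, not OpenSSH code. The drop decision below
mirrors the integer arithmetic of drop_connection() in sshd.c; the
sample workloads in main() are constructed for illustration only.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections in flight before dropping begins
    rate: int   # percent of new connections dropped once 'start' is reached
    full: int   # every new connection is dropped at this many in flight

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse 'start:rate:full' or a bare 'N' as sshd_config does.

        A bare N is equivalent to 'N:100:N': a hard cutoff with no
        probabilistic drop region in between.
        """
        parts = value.strip().split(":")
        if len(parts) == 1:
            n = int(parts[0])
            start, rate, full = n, 100, n
        elif len(parts) == 3:
            start, rate, full = (int(p) for p in parts)
        else:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        # Same sanity rules sshd enforces at config parse time.
        if start <= 0 or full <= 0 or start > full or not 1 <= rate <= 100:
            raise ValueError(f"invalid MaxStartups spec: {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, unauth: int) -> int:
        """Percent chance a new connection is dropped when `unauth`
        connections are already in the startup (pre-auth) state.

        Integer arithmetic, including the truncating division, is kept
        so the result matches what sshd computes.
        """
        if unauth < self.start:
            return 0
        if unauth >= self.full or self.rate == 100:
            return 100
        p = 100 - self.rate
        p *= unauth - self.start
        p //= self.full - self.start
        p += self.rate
        return p

    def drops(self, unauth: int, rng=random) -> bool:
        """One accept decision: True if sshd would drop this connection."""
        return rng.randrange(100) < self.drop_probability(unauth)


def headroom(cfg: MaxStartups, probe_slots: int) -> int:
    """Startup slots left for real clients before random drop begins,
    given `probe_slots` permanently occupied by health probes.
    (Hypothetical helper for capacity planning; not part of sshd.)"""
    return max(0, cfg.start - probe_slots)


def main() -> None:
    cfg = MaxStartups.parse("10:30:100")  # sshd's default
    print(f"config: {cfg}")
    for unauth in (0, 9, 10, 25, 55, 99, 100):
        print(f"  {unauth:3d} in flight -> drop {cfg.drop_probability(unauth):3d}%")
    # Constructed scenario: 4 monitoring probes each holding a slot
    # until LoginGraceTime expires leaves only 6 slots for real logins.
    print(f"headroom with 4 probe slots held: {headroom(cfg, 4)}")


if __name__ == "__main__":
    main()
```

Run it as-is to print the drop curve for the default 10:30:100; feed it your own value to see where your probes push real clients into the drop region.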