How To Protect SSH From Multiple and Parallel Coordinated Attacks
OpenSSH MaxStartups SSH Directive
By limiting the value of Maxstartups SSH directive, the maximum simultaneous number of unauthenticated connections that the SSH server will handle is also decreased. That is, ssh server will be explicitly restricted to a maximum number of simultaneous unauthenticated SSH connections only. Thus, when triggered, SSH daemon service would then ignore and deny other parallel and coordinated SSH brute force attacks with multiple connections and will be continuously dropping SSH connections until a single authentication succeeds or the LoginGraceTime expires from the recent connection.
By default, MaxStartups is set to 10. The smaller the maxstartups value, the smaller the chance of receiving simultaneous and parallel attacks from a single host with multiple connections. Now, to implement this SSH security, backup and modify /etc/ssh/sshd_config SSH configuration file to reflect the sample below SSH directive
The numbers represent start:rate:full legends.
From the above maxstartup value, SSH server will refuse connection attempts with a probability rate of 50% if there are currently 2 unauthenticated sessions. The probability rate increases linearly if SSH connection attempts reaches the full value of 5.
Basically, MaxStartups 2:50:5 allows 2 users to attempt SSH authentication at the same time and ignores any other SSH connections if current SSH connection attempts reaches the value of 5. SSH further ignorance to unauthenticated SSH connection can be override simply by being authenticated or expiring the current logingracetime value.
Remember that when defining SSH maxstartups value, it is also necessary to consider the total number of shell users a SSH server currently.
All is done.