Skip to content

5.2.19 Ensure SSH MaxStartups is configured

Audit#

Run the following command: 

# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups

Verify that output MaxStartups is 10:30:60 or more restrictive: 

maxstartups 10:30:60

Run the following command and verify the output: 

# grep -Ei '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config

Nothing should be returned.

Remediation#

Edit the /etc/ssh/sshd_config file to set the parameter as follows: 

MaxStartups 10:30:60

Default Value:

MaxStartups 10:30:100