
The problem is: some SFTP connections are failing in the customer environment, but when I test against the same server with my sample code, no connection fails. Maybe in the customer environment many parallel SFTP connections are started at the same time.

I want to know the meaning of MaxStartups 10:30:60.

Of the above I know only the 10, which means the maximum number of unauthenticated SSH connections allowed; that is, if 12 SSH connection requests come at the same time, 2 requests fail and 10 succeed.

What is the meaning of 30 and 60?

Yes, I realize that it's almost 4 years since this question was closed, but given that stackoverflow is almost always near/at the top of a given Google search and serverfault is not, it always bothers me to see people with legitimate questions being told to GTFO. All of these sites are owned by a single entity now, so why moderators can't move them to a proper place is a mystery, but it's still rude behavior IMO. – ntwrkguru Mar 23 '17 at 11:46

1 Answer

I Want to know what is the meaning of MaxStartups 10:30:60?

10: Number of unauthenticated connections before we start dropping

30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)

60: Maximum number of connections at which we start dropping everything

Source: http://linux.die.net/man/5/sshd_config "Alternatively, random early drop can be enabled by specifying the three colon separated values ''start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ''rate/100'' (30%) if there are currently ''start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ''full'' (60)." – phooji Jan 27 '11 at 04:00

Suppose we want to support 500 connections at a time and no connection must fail; what value do we need to set in MaxStartups? – Syedsma Jan 27 '11 at 04:11

Just 500 with no colons. – phooji Jan 27 '11 at 05:18

So by "Number of unauthenticated connections", is that referring to connection attempts which failed authentication, or connection attempts which have not yet had the chance to authenticate, or both? For example, if there are currently 60 users who have not exceeded `MaxAuthTries`, and I come along and try to authenticate with the correct credentials, would I be blocked before attempting to authenticate, or would it try to authenticate me and then block me if the authentication failed? I'm asking because I can potentially see this being used for DoS attacks – smac89 Mar 31 '23 at 20:30
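Added example, not code from the question, the answer, or the OpenSSH project: a Python model of the start:rate:full random early drop the answer describes. drop_probability() reproduces the integer linear ramp that drop_connection() in OpenSSH's sshd.c uses (rate% at start, rising to 100% at full, 0% below start), and parse_max_startups() also accepts the bare-number form raised in the comments, modelled here as N:100:N. The burst simulation, its assumption that every client in the burst is still unauthenticated when the next one arrives, and the function names are mine; the MaxStartups values are the ones on this page.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    """The three fields of an sshd_config MaxStartups value, "start:rate:full"."""
    begin: int  # start: unauthenticated connections at which random dropping begins
    rate: int   # rate: percent chance of refusing a new connection at exactly `begin`
    full: int   # full: unauthenticated connections at which every new attempt is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse a MaxStartups value, either a bare "N" or "start:rate:full".

    A bare "N" (the "just 500 with no colons" case from the comments) is modelled
    here as N:100:N: nothing is refused below N unauthenticated connections,
    everything at or above it.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError(f"MaxStartups must be at least 1, got {n}")
        return MaxStartups(begin=n, rate=100, full=n)
    if len(parts) != 3:
        raise ValueError(f"expected N or start:rate:full, got {value!r}")
    begin, rate, full = (int(p) for p in parts)
    if begin < 1 or full < begin or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups {value!r}: need 1 <= start <= full, 1 <= rate <= 100")
    return MaxStartups(begin, rate, full)


def drop_probability(cfg: MaxStartups, startups: int) -> int:
    """Percent chance that sshd refuses a new connection when `startups`
    unauthenticated connections are already open.

    Same integer arithmetic as drop_connection() in OpenSSH's sshd.c:
    0 below `begin`, `rate` at `begin`, rising linearly to 100 at `full`.
    """
    if startups < cfg.begin:
        return 0
    if startups >= cfg.full or cfg.rate == 100:
        return 100
    p = 100 - cfg.rate
    p *= startups - cfg.begin
    p //= cfg.full - cfg.begin
    p += cfg.rate
    return p


def drop_connection(cfg: MaxStartups, startups: int, rng: random.Random) -> bool:
    """One accept() decision: refuse with probability drop_probability()/100."""
    return rng.randrange(100) < drop_probability(cfg, startups)


def simulate_burst(cfg: MaxStartups, attempts: int, seed: int = 0) -> tuple[int, int]:
    """Simulate `attempts` clients connecting at once while all of them are still
    unauthenticated (assumption: the worst case for MaxStartups). A refused client
    does not occupy a slot; an accepted one does until it authenticates or its
    LoginGraceTime expires. Returns (accepted, refused).
    """
    rng = random.Random(seed)
    accepted = refused = 0
    for _ in range(attempts):
        if drop_connection(cfg, accepted, rng):
            refused += 1
        else:
            accepted += 1
    return accepted, refused


def drop_curve(cfg: MaxStartups) -> list[tuple[int, int]]:
    """(startups, percent refused) pairs from just below `begin` up to `full`,
    to see how steeply a given setting ramps up."""
    lo = max(0, cfg.begin - 1)
    return [(n, drop_probability(cfg, n)) for n in range(lo, cfg.full + 1)]


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")
    for n, pct in drop_curve(cfg):
        if n in (9, 10, 11, 35, 59, 60):
            print(f"{n:3d} unauthenticated -> {pct:3d}% refused")
    print("burst of 12 against 10:30:60:", simulate_burst(cfg, 12))
    print("burst of 501 against 500:    ", simulate_burst(parse_max_startups("500"), 501))
```

For the 12 simultaneous connections in the question, against 10:30:60 the 11th arrival sees 10 unauthenticated connections and is refused with a 30% chance, and the 12th with at most 31%, so a burst of 12 loses between 0 and 2 connections rather than exactly 2 every time, which matches "some" SFTP connections failing only under parallel load. Two things worth checking in the customer environment: `sshd -T` (run as root) prints the effective MaxStartups value, and each refusal is logged by sshd as a "drop connection ... past MaxStartups" line, so grepping the auth log for that string confirms whether this setting, rather than something else, is what is failing the connections.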