MaxStartups latches on, rejecting 100% until restart
Mark Hills
mark at xwax.org
Wed Apr 16 23:34:36 AEST 2025
I have a system where 4 or 5 times now it has locked out new ssh
connections.

It appears as if MaxStartups is not re-allowing connections when the
number of unauthenticated connections drops.
Instead, 100% rejection until sshd is restarted.

The client (even "ssh localhost") gets one of:

  kex_exchange_identification: Connection closed by remote host
  kex_exchange_identification: read: Connection reset by peer

See the log below; notice how the "xxx connections dropped" increases over
a matter of several hours.

However, this is not the MaxStartups behaviour I expect, as:

- it's permanent, until sshd is restarted
- no forks of sshd running, just the listener
- netstat shows no TCP connections

So I observe zero relevant activity, and yet sshd behaves as if 100% of
its slots are holding unauthenticated connections?

This is a virtualised host (not container) running Alpine Linux 3.21.3,
and openssh-9.9_p2-r0 package.
I have no other VMs affected, just this one; despite the same OS and
network (though I expect different patterns of ssh probes).

Relevant configuration in /etc/ssh/sshd_config:

  MaxStartups 32:30:64
  PerSourceMaxStartups 16
  LoginGraceTime 30

2025-04-16T03:18:32 indigo sshd[2690]: error: beginning MaxStartups throttling
2025-04-16T03:18:32 indigo sshd[2690]: drop connection #0 from [193.32.x.x]:39772 on [54.36.x.x]:22 past Maxstartups
2025-04-16T06:33:25 indigo sshd[2690]: error: in MaxStartups throttling for 03:14:53, 220 connections dropped
2025-04-16T06:33:25 indigo sshd[2690]: drop connection #0 from [194.0.x.x]:37228 on [54.36.x.x]:22 past Maxstartups
2025-04-16T06:41:34 indigo sshd[2690]: error: in MaxStartups throttling for 03:23:01, 221 connections dropped
2025-04-16T06:41:34 indigo sshd[2690]: drop connection #0 from [194.0.x.x]:41658 on [54.36.x.x]:22 past Maxstartups
2025-04-16T06:48:01 indigo sshd[2690]: error: in MaxStartups throttling for 03:29:28, 225 connections dropped
2025-04-16T06:48:01 indigo sshd[2690]: drop connection #0 from [54.36.x.x]:39502 on [54.36.x.x]:22 past Maxstartups
2025-04-16T06:59:43 indigo sshd[2690]: error: in MaxStartups throttling for 03:41:11, 227 connections dropped
2025-04-16T06:59:43 indigo sshd[2690]: drop connection #0 from [80.94.x.x]:48100 on [54.36.x.x]:22 past Maxstartups
2025-04-16T07:10:56 indigo sshd[2690]: error: in MaxStartups throttling for 03:52:24, 230 connections dropped
2025-04-16T07:10:56 indigo sshd[2690]: drop connection #0 from [194.0.x.x]:23040 on [54.36.x.x]:22 past Maxstartups
2025-04-16T07:18:01 indigo sshd[2690]: error: in MaxStartups throttling for 03:59:29, 232 connections dropped
2025-04-16T07:18:01 indigo sshd[2690]: drop connection #0 from [54.36.x.x]:38460 on [54.36.x.x]:22 past Maxstartups
2025-04-16T07:31:29 indigo sshd[2690]: error: in MaxStartups throttling for 04:12:56, 237 connections dropped
2025-04-16T07:31:29 indigo sshd[2690]: drop connection #0 from [92.255.x.x]:56538 on [54.36.x.x]:22 past Maxstartups
2025-04-16T07:41:17 indigo sshd[2690]: error: in MaxStartups throttling for 04:22:45, 239 connections dropped
2025-04-16T07:41:17 indigo sshd[2690]: drop connection #0 from [80.94.x.x]:58404 on [54.36.x.x]:22 past Maxstartups
2025-04-16T07:48:01 indigo sshd[2690]: error: in MaxStartups throttling for 04:29:29, 240 connections dropped
2025-04-16T07:48:01 indigo sshd[2690]: drop connection #0 from [54.36.x.x]:57030 on [54.36.x.x]:22 past Maxstartups
2025-04-16T08:01:08 indigo sshd[2690]: error: in MaxStartups throttling for 04:42:36, 242 connections dropped
2025-04-16T08:01:08 indigo sshd[2690]: drop connection #0 from [194.0.x.x]:55362 on [54.36.x.x]:22 past Maxstartups
2025-04-16T08:18:01 indigo sshd[2690]: error: in MaxStartups throttling for 04:59:29, 246 connections dropped
2025-04-16T08:18:01 indigo sshd[2690]: drop connection #0 from [54.36.x.x]:60886 on [54.36.x.x]:22 past Maxstartups
2025-04-16T08:33:41 indigo sshd[2690]: Received signal 15; terminating.
2025-04-16T08:33:41 indigo sshd[27243]: Server listening on 0.0.0.0 port 22.
2025-04-16T08:33:41 indigo sshd[27243]: Server listening on :: port 22.
This information taken from the console tty, before the 08:33 restart:
$ ps afx | grep ssh
26532 pts/0 S+ 0:00 \_ grep ssh
2690 ? S 0:06 sshd: /usr/sbin/sshd [listener] 0 of 32-64 startups
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 6115
unix 3 [ ] STREAM CONNECTED 6139
[...]
$ netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 2690/sshd [listener
tcp 0 0 localhost:http 0.0.0.0:* LISTEN 2303/nginx.conf
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 2663/smtpd: dispatc
tcp 0 0 0.0.0.0:munin 0.0.0.0:* LISTEN 2268/perl
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN 2303/nginx.conf
tcp 0 0 localhost:postgresql 0.0.0.0:* LISTEN 2388/postgres
tcp 0 0 :::ssh :::* LISTEN 2690/sshd [listener
tcp 0 0 localhost:postgresql :::* LISTEN 2388/postgres
tcp 0 0 localhost:http :::* LISTEN 2303/nginx.conf
tcp 0 0 localhost:smtp :::* LISTEN 2663/smtpd: dispatc
tcp 0 0 :::https :::* LISTEN 2303/nginx.conf
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 5703 2388/postgres /tmp/.s.PGSQL.5432
unix 2 [ ACC ] STREAM LISTENING 5702 2388/postgres /run/postgresql/.s.PGSQL.5432
unix 2 [ ACC ] STREAM LISTENING 6306 2661/smtpd: control /run/smtpd.sock
Thanks
--
Mark
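
A log check for the condition reported above, added here as an example (not part of the original post or of OpenSSH): it flags a listener whose "in MaxStartups throttling" duration is far longer than LoginGraceTime while its drop rate is too low to keep the start slots occupied. The floor is a heuristic derived from the start:rate:full semantics in sshd_config(5); the function names and the min_grace_periods threshold are assumptions.

```python
import re

# Values from the sshd_config quoted in the post.
START, RATE, FULL = 32, 30, 64   # MaxStartups start:rate:full
LOGIN_GRACE = 30                 # LoginGraceTime, seconds

THROTTLE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: in MaxStartups throttling for "
    r"(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d), (?P<n>\d+) connections dropped"
)

def min_sustained_drop_rate(start=START, rate=RATE, grace=LOGIN_GRACE):
    """Lowest drops/second consistent with `start` slots staying occupied.

    A slot is freed after at most `grace` seconds, so holding `start` slots
    needs at least start/grace accepted connections per second; at that
    occupancy at least rate% of arrivals are refused (sshd_config(5)).
    """
    accepted_per_s = start / grace
    return accepted_per_s * rate / (100 - rate)

def latched_listeners(lines, grace=LOGIN_GRACE, min_grace_periods=10):
    """Return {pid: (seconds_throttled, dropped, drops_per_s)} for suspects."""
    floor = min_sustained_drop_rate(grace=grace)
    suspects = {}
    for line in lines:
        m = THROTTLE_RE.search(line)
        if not m:
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        dropped = int(m["n"])
        observed = dropped / secs if secs else float("inf")
        # Long-lived throttling with too few drops to keep the slots full.
        if secs > min_grace_periods * grace and observed < floor:
            suspects[m["pid"]] = (secs, dropped, round(observed, 4))
    return suspects

# Three lines copied from the log in the post.
SAMPLE = """\
2025-04-16T03:18:32 indigo sshd[2690]: error: beginning MaxStartups throttling
2025-04-16T06:33:25 indigo sshd[2690]: error: in MaxStartups throttling for 03:14:53, 220 connections dropped
2025-04-16T08:18:01 indigo sshd[2690]: error: in MaxStartups throttling for 04:59:29, 246 connections dropped
""".splitlines()

if __name__ == "__main__":
    for pid, (secs, dropped, rate) in latched_listeners(SAMPLE).items():
        print(f"sshd[{pid}]: throttled {secs}s, {dropped} drops, {rate}/s, "
              f"below the {min_sustained_drop_rate():.3f}/s floor: stale state?")
```

A hit is a prompt to compare the listener's process title and socket table, as done in the post, not proof of a bug.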