DevOps & Audit April 9, 2026

2026 Cloud Mac SSH MaxStartups & Per-Source Throttling Runbook: Protect Shared Apple Silicon Without Locking Teams Out

MacLogin DevOps Team April 9, 2026 ~12 min read

Platform teams operating a single rented Apple Silicon cloud Mac for dozens of contractors often wake up to “connection reset” tickets that are not network outages—they are sshd admission control doing its job too aggressively, or not at all. This runbook’s conclusion: measure concurrent connection peaks, set MaxStartups and PerSourceMaxStartups with explicit numeric targets, validate with sudo sshd -t, and document rollback hashes beside your CMDB lease ID. You will get a comparison matrix, illustrative baselines (for example 10:30:100 style MaxStartups curves), a nine-step change process tuned to macOS launchd, CI/NAT caveats, and an FAQ aligned to MacLogin regions in Hong Kong, Japan, Korea, Singapore, and the United States.

Combine throttling with keepalive troubleshooting so idle sessions do not masquerade as storms, shared session governance for rostered handovers, and key rotation plus 2FA so brute-force noise drops before you chase sshd limits. For connectivity basics, use MacLogin help and compare fleet sizes on pricing.

Who needs an explicit MaxStartups runbook on leased cloud Macs

Any environment where one public IPv4 fronts a build host shared by humans and automation benefits from written admission targets. Without them, either attackers parallelize password guesses until CPUs thrash, or well-meaning platform engineers set draconian per-source caps that silently strand GitHub Actions behind a corporate NAT.

  • Contractor-heavy iOS shops where five laptops run ssh, scp, and rsync simultaneously during release week.
  • SecOps reviewers who ask how you prove fairness under connection floods—throttle settings plus logs answer that narrative.
  • FinOps leads watching CPU steal time spike when unauthenticated SSH handshakes pile up during credential-spraying campaigns.

Symptoms that point to MaxStartups before you blame Wi-Fi

  1. Random “Connection closed by remote host” during business hours with stable RTT—classic sign the server is shedding new TCP accepts while older sessions stay healthy.
  2. Spiky load averages with sshd at the top though authenticated session counts look modest—handshake storms burn CPU even when auth eventually fails.
  3. CI green/flap pattern where only jobs sharing an egress IP fail, while laptop users succeed—PerSource limits may be mis-sized for NAT fan-out.
  4. Audit questions about “unbounded parallel SSH” with no documented ceiling—compliance teams want numbers, not vibes.

Warning: Never tune these directives on production sshd during a live incident without a second operator watching log show --predicate 'process == "sshd"' (the predicate must be quoted as one argument); a typo can brick remote access until IPMI or the vendor console saves you.
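Symptoms 1 to 3 above are easiest to confirm from sshd's own drop messages rather than from RTT graphs. The script below is an added example (not MacLogin's tooling, not part of the original runbook) that tallies admission drops per source address from `log show` output, so a single NAT or CI egress flooding the handshake queue stands out from a few unlucky engineers. The log lines are constructed to resemble sshd's "drop connection #N from [addr]:port ... past MaxStartups" messages; confirm the wording against your own sshd version before a SIEM rule depends on it.

```shell
#!/bin/sh
# Added example, not MacLogin's own tooling: count sshd admission drops per
# source address so a handshake flood from one NAT is distinguishable from a
# few unlucky engineers. The log lines are constructed to resemble sshd's
# "drop connection #N from [addr]:port ... past MaxStartups" messages; confirm
# the wording against your own sshd version before a SIEM rule depends on it.
set -eu

# Constructed sample (not a real capture): one busy second on a shared host.
LOG_SAMPLE='2026-04-09 09:12:01.101 sshd[4410]: drop connection #12 from [203.0.113.7]:51022 on [198.51.100.10]:22 past MaxStartups
2026-04-09 09:12:01.140 sshd[4410]: drop connection #13 from [203.0.113.7]:51023 on [198.51.100.10]:22 past MaxStartups
2026-04-09 09:12:02.003 sshd[4410]: drop connection #14 from [203.0.113.7]:51030 on [198.51.100.10]:22 past PerSourceMaxStartups
2026-04-09 09:12:05.500 sshd[4410]: drop connection #15 from [192.0.2.44]:40011 on [198.51.100.10]:22 past MaxStartups
2026-04-09 09:12:06.210 sshd[4410]: Accepted publickey for ci-runner from 192.0.2.44 port 40012 ssh2
2026-04-09 09:12:07.000 sshd[4410]: drop connection #16 from [203.0.113.7]:51041 on [198.51.100.10]:22 past PerSourceMaxStartups'

# One line per source: "<addr> <total drops> <past MaxStartups> <past PerSourceMaxStartups>",
# busiest source first. Feed it the raw lines from:
#   log show --last 1h --predicate 'process == "sshd"' --style syslog
drop_summary() {
  awk '
    /drop connection #/ && index($0, "from [") {
      rest = substr($0, index($0, "from [") + 6)      # text after "from ["
      addr = substr(rest, 1, index(rest, "]") - 1)    # address inside the brackets
      total[addr]++
      if (index($0, "past PerSourceMaxStartups")) persrc[addr]++
      else if (index($0, "past MaxStartups")) global[addr]++
    }
    END {
      for (addr in total)
        printf "%s %d %d %d\n", addr, total[addr], global[addr] + 0, persrc[addr] + 0
    }' | sort -k2,2nr -k1,1
}

# Sources whose total drop count reaches the threshold in $1; these are the
# addresses to cross-check against the CI egress list before touching caps.
noisy_sources() {
  drop_summary | awk -v t="$1" '$2 >= t { print $1 }'
}

printf '%s\n' "$LOG_SAMPLE" | drop_summary
echo "sources with 3+ drops: $(printf '%s\n' "$LOG_SAMPLE" | noisy_sources 3)"
```

A source that accumulates "past PerSourceMaxStartups" drops while the global counter stays quiet is the CI-behind-NAT pattern from symptom 3; drops spread across many addresses with the global reason is the handshake storm from symptom 2.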

Directive comparison matrix: what each knob actually gates

  • MaxStartups. Limits: global unauthenticated SSH connections (the handshake queue). Typical mistake: setting only the global max without per-IP fairness. Paired control: PerSourceMaxStartups plus firewall rate limits.
  • PerSourceMaxStartups. Limits: parallel handshakes from one client IP. Typical mistake: using office NAT defaults when CI bursts from the same IP. Paired control: a separate bastion or higher caps on trusted CIDR Match blocks.
  • MaxSessions. Limits: multiplexed sessions per TCP connection. Typical mistake: confusing it with total user sessions across all clients. Paired control: document ControlMaster usage in your internal wiki.
  • MaxAuthTries. Limits: password attempts per connection. Typical mistake: expecting it to stop distributed sprays. Paired control: keys-only policy plus centralized logging to a SIEM.

Metric: Capture a 7-day p95 of concurrent sshd processes during business hours before changing defaults; aim for headroom of at least 1.5× that p95 when setting global MaxStartups.

These numbers are starting points for 10–25 named engineers plus light CI; always validate against your own histograms.

  • Human-only studio: MaxStartups 10:30:60, PerSourceMaxStartups 8, MaxSessions 10. Rationale: smooths handshake bursts from VPN reconnect storms.
  • Mixed humans + CI NAT: MaxStartups 20:50:200, PerSourceMaxStartups 32, MaxSessions 20. Rationale: allows matrix runners while still penalizing single-IP floods.
  • High-security lockdown: MaxStartups 5:15:40, PerSourceMaxStartups 4, MaxSessions 6. Rationale: expect more false positives; pair with bastion jump hosts.
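The "Metric" rule above (p95 of concurrent sshd processes, then 1.5× headroom) and the profile table both reduce to arithmetic on a start:rate:full triple. The following script is an added example, not MacLogin's tooling and not from the original runbook: it turns one business day of 15-minute samples into a MaxStartups line and checks that a triple is something sshd will accept. The mapping of p95 to the three fields (start pinned to the measured p95, rate fixed at 30 percent, full at ceil(1.5 × p95)) is an assumption of this example, not a rule from the runbook; the sample values are constructed.

```shell
#!/bin/sh
# Added example, not MacLogin's or OpenSSH's own tooling: turn one day of
# sshd concurrency samples into a MaxStartups line with 1.5x headroom over
# the p95, and sanity-check a start:rate:full triple before it goes into
# sshd_config. Assumptions not taken from the runbook: "start" is pinned to
# the measured p95, "rate" is fixed at 30 percent, "full" is ceil(1.5 * p95).
set -eu

# Constructed sample: 20 readings of concurrent sshd processes, one every
# 15 minutes across a business day (not real telemetry from any host).
SAMPLES='4 6 3 8 5 7 12 2 9 16 6 4 30 5 10 7 8 11 3 14'

# p95 of the whitespace-separated integers on stdin (nearest-rank method,
# computed with integer arithmetic so no float rounding sneaks in).
p95() {
  tr -s '[:space:]' '\n' | grep -E '^[0-9]+$' | sort -n | awk '
    { v[NR] = $1 }
    END {
      if (NR == 0) { print "p95: no samples" > "/dev/stderr"; exit 1 }
      k = int((NR * 95 + 99) / 100)     # ceil(0.95 * NR), 1-based rank
      print v[k]
    }'
}

# Build the directive from a p95: start probabilistic dropping at the measured
# peak, refuse all new unauthenticated connections at ceil(1.5 * p95).
maxstartups_line() {
  peak="$1"
  full=$(( (peak * 15 + 9) / 10 ))
  printf 'MaxStartups %d:%d:%d\n' "$peak" 30 "$full"
}

# Accept the single-integer form or start:rate:full with start <= full and
# rate in 0..100 (rate is a percentage); reject anything else. sshd refuses
# a triple whose start exceeds full, so catch it before the reload.
validate_maxstartups() {
  case "$1" in
    ''|*[!0-9:]*) return 1 ;;
    *:*:*)
      start=${1%%:*}; rest=${1#*:}; rate=${rest%%:*}; full=${rest#*:}
      case "$full" in *:*) return 1 ;; esac
      [ -n "$start" ] && [ -n "$rate" ] && [ -n "$full" ] || return 1
      if [ "$start" -le "$full" ] && [ "$rate" -le 100 ]; then return 0; else return 1; fi ;;
    *:*) return 1 ;;
    *) return 0 ;;
  esac
}

peak=$(printf '%s' "$SAMPLES" | p95)
line=$(maxstartups_line "$peak")
echo "measured p95=$peak -> $line"
validate_maxstartups "${line#MaxStartups }" && echo "triple is well-formed"
```

Replace SAMPLES with the output of your own 15-minute sampling and compare the result against the profile bullets: if the derived "full" lands far below the 60 or 200 in the table, the table value is the one to question, not the measurement.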

Nine-step rollout for MacLogin cloud Macs

  1. Snapshot: Copy /etc/ssh/sshd_config and any sshd_config.d/*.conf into your config repo with ticket ID SSH-THROTTLE-2026.
  2. Measure: Record peak ps -ax | grep -c '[s]shd' samples every 15 minutes for one business day (the bracket stops grep from counting its own process).
  3. Draft Match blocks: If CI egress CIDR is known, place generous PerSource limits inside Match Address before global defaults.
  4. Edit directives: Add or adjust MaxStartups/PerSourceMaxStartups/MaxSessions lines; comment old values inline for auditors.
  5. Validate syntax: Run sudo sshd -t; exit code must be 0.
  6. Canary session: Keep one spare authenticated session open while reloading—never rely on a single SSH window.
  7. Reload: Use sudo launchctl kickstart -k system/com.openssh.sshd during an announced window.
  8. Soak test: Fire 20 parallel scripted connects from two IPs (laptop + CI) and confirm none hang beyond 3 seconds at the TCP handshake stage.
  9. Close ticket: Attach before/after stanzas, timestamps in UTC, and rollback one-liner referencing the saved tarball path.

CI, bastion, and NAT patterns that break naive PerSource caps

GitHub-hosted runners change IPs frequently, but self-hosted runners behind a single corporate NAT present one address for 50 concurrent jobs. If you must keep strict global MaxStartups, route automation through a dedicated bastion with its own Match block or split workloads across two MacLogin leases so handshake budgets add linearly.

When engineers also use VNC for GUI debugging, remind them that screen sharing does not replace SSH admission logs—your SIEM should still parse sshd disconnect reasons.

FAQ

Should we expose sshd settings in the customer portal? Treat them as infrastructure-as-code; customers see outcomes (latency, availability), not every directive.

Does this replace a WAF? No—different layer. SSH throttling protects the daemon; application firewalls protect HTTP frontends elsewhere.

How often to revisit? Quarterly or after any major contractor onboarding wave exceeding 30% headcount delta.

Why Mac mini M4 on MacLogin makes throttle tuning measurable

Apple Silicon Mac mini nodes give predictable per-core performance for cryptographic handshakes, which means your MaxStartups experiments produce repeatable graphs instead of noisy x86 turbo skew. MacLogin’s footprint across Hong Kong, Tokyo, Seoul, Singapore, and US metros lets you place the lease near your CI egress, shrinking RTT variance that otherwise looks like timeout failures when the real culprit was a tight PerSource cap. Renting keeps spare hosts inexpensive so you can clone sshd templates across regions, rehearse reload order, and prove to auditors that handshake ceilings are ticketed—not improvised on a laptop under someone’s desk.

When you need another isolation boundary for aggressive throttling tests, add a node from pricing and promote the same playbook once metrics look stable for 14 consecutive days.

Scale SSH capacity across regions with spare leases

Add Apple Silicon hosts per geography so CI and humans do not fight one MaxStartups budget.