How many reverse SSH tunnels can connect to an Ubuntu server? Is there a firewall limit, or does each one take up resources on my server?

I am using the command below to tunnel from a client to my server:

ssh -fNTR PORT:localhost:22 USER@SERVER_IP

(PORT is different for each client)

and then on the server I am using this command:

ssh CLIENT_USER@localhost -p PORT

In this way, how many clients can connect to my server simultaneously?

If you have many ssh instances trying to log into the same server at once, you may notice intermittent failures.

By default, sshd limits the number and rate of connections coming in and waiting to be authenticated. The default limit is too small. You may wish to change the default in /etc/ssh/sshd_config:

MaxStartups 10:30:60

to something like:

MaxStartups 999

I discovered this the hard way.

  999 means the server would not care until the 999th brute-force attempt has been made. It also would not drop connections until it reaches 999 of them, and most budget-line servers would be out of capacity to accept any connections long before reaching 999; they would probably be hard-capped already before 10% of 999.
    – Seandex
    Commented May 18, 2020 at 1:17
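The MaxStartups values discussed above and in the comment follow sshd's documented "random early drop" rule: with start:rate:full, a new connection is refused with probability rate% once `start` connections are waiting to authenticate, rising linearly to 100% at `full`; a single number refuses everything once that many are pending. The shell functions below are an added example (not code from the answer or the commenter) that model this rule so you can see what a given setting does before changing sshd_config.

```shell
#!/bin/sh
# Added example: model sshd's MaxStartups early-drop behaviour.
# Mirrors the semantics documented in sshd_config(5); it does not touch sshd.

# maxstartups_from_config FILE
# Prints the MaxStartups value from an sshd_config-style file.
# sshd uses the first matching directive, so we stop at the first hit.
maxstartups_from_config() {
    awk 'tolower($1) == "maxstartups" { print $2; exit }' "$1"
}

# maxstartups_drop_pct SPEC PENDING
# SPEC is "full" (e.g. 999) or "start:rate:full" (e.g. 10:30:60).
# Prints the percentage chance that the next connection is refused
# when PENDING connections are still waiting to authenticate.
maxstartups_drop_pct() {
    spec=$1
    pending=$2
    case $spec in
        *:*:*)
            start=${spec%%:*}
            rest=${spec#*:}
            rate=${rest%%:*}
            full=${rest#*:}
            ;;
        *)
            # A single number: nothing is dropped below it, all above it.
            start=$spec
            rate=100
            full=$spec
            ;;
    esac
    if [ "$pending" -lt "$start" ]; then
        echo 0
    elif [ "$pending" -ge "$full" ] || [ "$rate" -eq 100 ]; then
        echo 100
    else
        # Linear ramp from rate% at start to 100% at full.
        echo $(( rate + (100 - rate) * (pending - start) / (full - start) ))
    fi
}

# Demo: how the 10:30:60 setting from the answer treats a growing backlog.
for n in 5 10 20 35 50 60; do
    printf 'MaxStartups 10:30:60, %2d pending: %3d%% refused\n' \
        "$n" "$(maxstartups_drop_pct 10:30:60 "$n")"
done
```

Feed `maxstartups_from_config /etc/ssh/sshd_config` into `maxstartups_drop_pct` to evaluate the live setting; many tunnel clients reconnecting at once after a network blip is exactly the burst that lands in the ramp.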

The only limit is the number of different available ports (~65k, assuming you bind only to localhost). Some of the ports are reserved, and if you used all of them you would not be able to initiate the second connection (you need a port for the outgoing connection too). So roughly, you can repeat the above procedure 32k times in parallel, but you will most probably run out of resources (RAM, CPU) earlier.


There are also systems that create the reverse tunnel on demand, when you need to connect to a particular remote computer. These include AWS IoT Secure Tunneling and open-source software that I wrote for the same purpose. These eliminate the concerns of having too many reverse tunnels simultaneously open.

My system uses MQTT connections (more specifically, AWS IoT Core, which is a secure MQTT broker with security policy for each client) to tell remote computers to open a reverse SSH tunnel to a proxy using a random port on the proxy. Once the tunnel is open, the remote computer reports back to your laptop/desktop the port number, and the software now establishes a tunnel through the proxy all the way to the remote computer; you do not need to log in to the proxy. Scalability is constrained by the number of active SSH connections to remote computers, not by the total number of remote computers that you can connect to.


