When system resources are overwhelmed by rogue processes or denial-of-service attacks, SSH access often becomes sluggish or unresponsive. This creates a dangerous situation where administrators can't perform critical remediation tasks. By adjusting the nice value of the SSH daemon (sshd), we can ensure it maintains sufficient CPU priority during system stress.
For modern Linux systems (kernel 2.6.24+), control groups provide the most reliable solution:
# Create a dedicated cgroup for sshd
sudo cgcreate -g cpu:/sshd_priority
# Set CPU shares (higher = more priority); the redirect must run as root, so use tee
echo 1024 | sudo tee /sys/fs/cgroup/cpu/sshd_priority/cpu.shares
# Apply to sshd via systemd
sudo systemctl edit ssh.service
Add these directives to the override file:
[Service]
CPUAccounting=yes
CPUShares=1024
For systems without cgroups, modify the systemd service unit or init script:
# Edit the systemd service
sudo systemctl edit ssh.service
# Then add to the override file:
[Service]
Nice=-15
Or for SysV init systems:
# In /etc/init.d/ssh or equivalent
start() {
    nice -n -15 /usr/sbin/sshd $SSHD_OPTS
}
The pam_limits module can adjust priority for SSH sessions:
# Add to /etc/security/limits.conf
*       hard    priority    -15
@admin  soft    priority    -10
After implementation, verify with:
# Check process priority
ps -eo pid,ni,cmd | grep sshd
# Simulate CPU stress and test responsiveness
stress-ng --cpu 4 --timeout 5m &
- Negative nice values require root privileges
- Systemd may override manual nice settings; use systemctl show ssh.service to verify
- In containerized environments, check host-level constraints
While these techniques improve availability:
- Never set SSH to real-time priority (-20) as it creates security risks
- Combine with rate limiting in sshd_config to prevent abuse
- Monitor for unusual privilege escalation attempts
When managing production systems, maintaining reliable SSH access during high-load scenarios is crucial. System administrators often encounter situations where CPU-intensive processes or denial-of-service attacks make it difficult to establish SSH connections for troubleshooting.
The Unix/Linux nice command and its corresponding system call modify process scheduling priority. Lower nice values indicate higher priority (range typically -20 to 19). By default, most processes, including SSH, run with nice value 0.
The most reliable approach is to modify the systemd service unit file for SSH:
# Create an override directory if it doesn't exist
sudo mkdir -p /etc/systemd/system/ssh.service.d/
# Create an override file
sudo nano /etc/systemd/system/ssh.service.d/override.conf
Add the following content:
[Service]
Nice=-10
CPUSchedulingPolicy=fifo
CPUSchedulingPriority=50
Then reload and restart SSH:
sudo systemctl daemon-reload
sudo systemctl restart ssh
For systems not using systemd, or when needing user-specific priorities, configure /etc/security/limits.conf:
# Priority for sshd processes
sshd - nice -10
# Priority for specific admin users
adminuser - nice -5
After implementation, verify the settings:
# Check SSHD process priority
ps -eo pid,ni,cmd | grep sshd
# Test under load conditions
stress -c 8 & # Create CPU load
ssh localhost # Should still remain responsive
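The two verification steps above (the ps | grep sshd check earlier on the page and this one) both read the nice value from ps output. The following script is an added example, not part of the original page: it reads the nice value and cgroup placement straight from /proc, so it works on minimal systems without ps, and it gives a pass/fail result that can be scripted into a post-change check. It assumes a Linux procfs; the fallback to the current shell's own PID when sshd is not running is there so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): verify scheduling priority and
# cgroup placement of a process after applying Nice= / CPUShares= changes.
# Assumes Linux /proc; no ps or systemd required.

# proc_nice PID: print the nice value of PID from /proc/PID/stat.
# Field 2 (comm) is parenthesised and may contain spaces, so strip
# everything up to the last ") " first; the remainder starts at field 3,
# which makes the nice value (field 19) the 17th word.
proc_nice() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || return 1
    sed 's/.*) //' "/proc/$pid/stat" | awk '{ print $17 }'
}

# proc_cgroup PID: print the cgroup path of PID. Handles the cgroup v2
# line ("0::/path") and the cpu controller line on cgroup v1.
proc_cgroup() {
    pid=$1
    [ -r "/proc/$pid/cgroup" ] || return 1
    awk -F: '$1 == "0" || $2 ~ /(^|,)cpu(,|$)/ { print $3; exit }' "/proc/$pid/cgroup"
}

# check_nice PID EXPECTED: succeed only if PID runs at exactly EXPECTED nice.
# Useful as a post-deployment assertion, e.g. check_nice "$(pidof -s sshd)" -10
check_nice() {
    actual=$(proc_nice "$1") || return 1
    [ "$actual" -eq "$2" ]
}

# report: list nice value and cgroup for every sshd process. Falls back to
# the current shell's PID when sshd is not running (or pidof is absent), so
# the script can be tried on a workstation.
report() {
    pids=$(pidof sshd 2>/dev/null) || pids=$$
    for pid in $pids; do
        printf 'pid=%s nice=%s cgroup=%s\n' \
            "$pid" "$(proc_nice "$pid")" "$(proc_cgroup "$pid")"
    done
}

report
```

If a systemd drop-in with Nice=-10 is in place, every sshd PID reported should show nice=-10 and, when the cgroup directives are used, a cgroup path under the ssh service slice rather than "/"; a mismatch after systemctl restart ssh usually means the override file was not picked up (run systemctl daemon-reload and check systemctl show ssh.service).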
1. Over-aggressive prioritization (-20) may starve other critical processes
2. SELinux/AppArmor policies may require adjustment
3. Consider combining with cgroups for comprehensive resource control
4. In cloud environments, check provider-specific limitations
For more sophisticated control, create a cgroup for SSH:
sudo cgcreate -g cpu:/ssh_priority
echo 512 | sudo tee /sys/fs/cgroup/cpu/ssh_priority/cpu.shares
# The tasks file accepts one PID per write, so add each sshd PID separately
for pid in $(pidof sshd); do
    echo "$pid" | sudo tee /sys/fs/cgroup/cpu/ssh_priority/tasks
done