> how do you configure it, in order to not make it a DOS vector?
You use it in conjunction with a third parameter that I forgot to mention, namely MaxStartups.
MaxStartups introduces a degree of randomness to the whole process, so you have MaxStartups X:Y:Z, where:
- X = reference number of unauthenticated connections ("n")
- Y = percentage probability of dropping when n > X
- Z = when n = Z, all further unauthenticated connections are dropped
An additional parameter that may be of interest is LoginGraceTime.
Fun fact: MaxStartups/PerSourceMaxStartups/PerSourceNetBlockSize were specifically introduced >6.1 in order to add firepower to combating unauthenticated-connection DoS attacks.
With regards to
> how do you configure it, in order to not make it a DOS vector?