The MaxSessions directive (in my opinion) is a good thing to use for security purposes, and I rarely set it above 1. The reason? If userx has a workstation at 10.11.12.13, they can then open ONE SSH window. If someone else spoofs the address, they get rejected. The downside is, if userx has to have multiple windows open... your mileage may vary.
The MaxStartups directive should be looked at too. From the SSHD_CONFIG man page:
Originally Posted by SSHD Man Page
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).
So, if you have 100 users, you can (theoretically) set this to be 100. That does not take into account any SFTP/SCP connections (which also use SSH), nor someone having two or more open terminal windows. Alternatively, you can also use iptables to limit connections to a particular port:
# Record the source address of every new TCP connection to port 22 in the "recent" list
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Drop a new connection once its source address already has 10 recorded hits
# (both rules use -I, so this second rule sits above the --set rule in the chain)
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --hitcount 10 -j DROP
Modify as needed, changing port/interface. This will only allow 10 connections to the SSH port on 22.
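As an added example that is not part of the original post: a small Python script that reads the MaxSessions and MaxStartups values out of a constructed sshd_config fragment and computes the drop probability the quoted man page describes, using the same integer-percentage arithmetic sshd applies to a "start:rate:full" setting. The config fragment and the function names are constructed for illustration; Match blocks are deliberately not handled.

```python
"""Model sshd's MaxStartups random early drop from an sshd_config fragment.

Added example, not code from the original post. The config text below is
constructed for illustration. sshd uses the FIRST value it sees for a
keyword, so the parser keeps the first occurrence; anything after a Match
line is conditional and is ignored here.
"""
import re

# Constructed sshd_config fragment (the duplicate MaxSessions shows that
# the first occurrence wins, as sshd_config(5) states).
SAMPLE_CONFIG = """\
# constructed fragment for the example
Port 22
MaxSessions 1
MaxStartups 10:30:60
MaxSessions 10
Match User backup
    MaxSessions 3
"""

_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for global (pre-Match) settings."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":          # everything below is conditional; stop
            break
        seen.setdefault(key, value)  # first occurrence wins
    return seen


def parse_max_startups(spec):
    """Parse 'full' or 'start:rate:full' into (start, rate, full).

    A bare number means: accept until that many unauthenticated connections
    exist, then refuse everything (no probabilistic early drop).
    """
    parts = spec.split(":")
    if len(parts) == 1:
        full = int(parts[0])
        return (full, 100, full)
    if len(parts) != 3:
        raise ValueError("MaxStartups must be 'full' or 'start:rate:full'")
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups spec: %s" % spec)
    return (start, rate, full)


def drop_probability(startups, spec):
    """Percent chance sshd refuses a new connection when `startups`
    unauthenticated connections are already open.

    Below `start`: never refused. At `start`: `rate` percent. The chance
    rises linearly (integer arithmetic) to 100 percent at `full`.
    """
    start, rate, full = parse_max_startups(spec)
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    p = 100 - rate
    p = p * (startups - start)
    p = p // (full - start)
    return p + rate


def summarize(config_text):
    """Pull the two directives out of a config and tabulate the drop curve."""
    cfg = parse_sshd_config(config_text)
    spec = cfg.get("maxstartups", "10:30:100")   # sshd's documented default
    start, _rate, full = parse_max_startups(spec)
    curve = {n: drop_probability(n, spec)
             for n in (start - 1, start, (start + full) // 2, full)}
    return {
        "maxsessions": int(cfg.get("maxsessions", "10")),  # sshd default
        "maxstartups": spec,
        "drop_curve": curve,
    }


if __name__ == "__main__":
    info = summarize(SAMPLE_CONFIG)
    print("MaxSessions:", info["maxsessions"])
    print("MaxStartups:", info["maxstartups"])
    for n, pct in sorted(info["drop_curve"].items()):
        print("  %3d unauthenticated connections -> %3d%% refused" % (n, pct))
```

Running it against the constructed fragment prints the curve for "10:30:60": 0% refused below 10 open unauthenticated connections, 30% at 10, rising to 100% at 60, which is the behaviour the quoted man page paragraph describes.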