18th July 2015

Debian: additional SSH port

I am completely sold on the explanations of why putting SSH on any port other than 22 is a bad idea, but in my experience leaving port 22 enabled is asking for trouble. It can be restricted to explicit source IP addresses, etc., but otherwise changing the port seems a sound idea. Mind you, this probably only discards the unsophisticated attack vectors, but even so, unless you are the only user on that machine and keep a good password policy, an attack can eventually succeed, so disabling port 22 and moving elsewhere can indeed help.

In Debian Jessie (8.x), all that is needed is to symlink the ssh daemon itself and make sure the configuration files for the duplicated daemon are in place; the following procedure does not remove access on port 22, it is your responsibility to disable it or to harden it (limiting inbound IPs, etc.). What this procedure does is add a secondary daemon listening on a secondary port:

ln -sf /usr/sbin/sshd /usr/sbin/ssh2d
cp /etc/pam.d/sshd /etc/pam.d/ssh2d
sed -e 's/ssh/ssh2/g' /etc/init.d/ssh | sed -e 's^etc/ssh2^etc/ssh^g' > /etc/init.d/ssh2
    # the redirection creates a non-executable file; an init script must be executable
chmod 755 /etc/init.d/ssh2
cp /etc/default/ssh /etc/default/ssh2
cp /etc/ssh/sshd_config /etc/ssh/ssh2d_config

Now make sure that the linked daemon (/usr/sbin/ssh2d) uses its own configuration file:

vi /etc/default/ssh2
    # ensure that the line with SSHD_OPTS is extended to contain:
    SSHD_OPTS='-f /etc/ssh/ssh2d_config -o PidFile=/var/run/ssh2d.pid'

Now, change the port in the configuration file /etc/ssh/ssh2d_config:

vi /etc/ssh/ssh2d_config
    # look for the line "Port 22" and replace it with "Port XXXX" (your chosen port)
    # look for a line containing PermitRootLogin: edit it if found,
    # or add it if not, so that it reads PermitRootLogin=no

Time now to enable the new SSH service, listening on a separate port:

systemctl enable ssh2
systemctl start ssh2
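The procedure above, gathered into one script as an added example (this is not code from the original post): the two file derivations are functions so they can be tried on copies first, the new config is validated with sshd -t before the service is enabled, and the listener is confirmed with ss afterwards. It assumes the Debian Jessie paths the post uses; the port 2222, the SSH2_PORT variable and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the procedure above as a
# script. Paths are the Debian Jessie ones used in the post; SSH2_PORT, the
# default 2222 and the function names are assumptions of this example.
set -eu

SSH2_PORT="${SSH2_PORT:-2222}"   # constructed default, pick your own port

# Derive the init script for the second daemon from the stock one: the
# post's sed pair renames every "ssh" to "ssh2" (binary, pidfile, defaults
# file) and then undoes that for the config directory, which stays /etc/ssh.
derive_init_script() {  # $1 = source init script, $2 = destination
    sed -e 's/ssh/ssh2/g' "$1" | sed -e 's^etc/ssh2^etc/ssh^g' > "$2"
    chmod 755 "$2"   # a redirected file is not executable; init scripts must be
}

# Derive the second daemon's sshd_config: drop every Port and PermitRootLogin
# line (commented or not, including any inside Match blocks) and emit the new
# values where the first of them stood, i.e. before any Match block, so they
# apply globally. sshd honours the first occurrence of a keyword.
derive_sshd_config() {  # $1 = source config, $2 = destination, $3 = new port
    awk -v port="$3" '
        /^[ \t]*#?[ \t]*(Port|PermitRootLogin)[ \t]/ {
            if (!done) { print "Port " port; print "PermitRootLogin no"; done = 1 }
            next
        }
        { print }
        END { if (!done) { print "Port " port; print "PermitRootLogin no" } }
    ' "$1" > "$2"
}

# Effective value of a keyword in an sshd_config (whitespace form only):
# the first active line wins, as it does for sshd itself.
config_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Full install, to be run as root: the post's steps plus a config check
# before the service is enabled and a listener check afterwards.
install_ssh2() {
    ln -sf /usr/sbin/sshd /usr/sbin/ssh2d
    cp /etc/pam.d/sshd /etc/pam.d/ssh2d   # sshd's PAM service name defaults to its program name
    derive_init_script /etc/init.d/ssh /etc/init.d/ssh2
    cp /etc/default/ssh /etc/default/ssh2
    # extend SSHD_OPTS rather than replace it, keeping any options already set
    printf '%s\n' \
        'SSHD_OPTS="$SSHD_OPTS -f /etc/ssh/ssh2d_config -o PidFile=/var/run/ssh2d.pid"' \
        >> /etc/default/ssh2
    derive_sshd_config /etc/ssh/sshd_config /etc/ssh/ssh2d_config "$SSH2_PORT"
    # -t parses the config and checks the host keys without listening;
    # under set -e a broken config stops us here, before anything is enabled
    /usr/sbin/ssh2d -t -f /etc/ssh/ssh2d_config
    systemctl enable ssh2
    systemctl start ssh2
    # confirm that something is really listening on the new port
    ss -ltn | grep -q ":$SSH2_PORT[[:space:]]" ||
        { echo "nothing listening on port $SSH2_PORT" >&2; exit 1; }
}

if [ "${1:-}" = install ]; then install_ssh2; fi
```

Run it as root with the argument install; without it the script only defines the functions, so derive_init_script and derive_sshd_config can be pointed at copies of the real files to inspect the result first. Be aware that the config derivation removes PermitRootLogin lines inside Match blocks too; if you rely on one, restore it by hand in /etc/ssh/ssh2d_config.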