SSH

Monday, June 8, 2026 at 17:10:05

Disallowed SSH password connections on port 22 and set another port as an alternate, on the larger system.

Here is the info (locked myself out a couple of times first).

cmd: systemctl edit ssh.socket
## This will allow alternate or multiple ports
## to be used with ssh. Each port must be set
## up individually for use with ip4 or ip6 or both.
## Alt. port must be open through firewall.
[Socket]
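## The empty ListenStream= clears the listeners inherited from
## the packaged unit, so only the entries below are used.
ListenStream=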
ListenStream=0.0.0.0:YOUR_PORT
ListenStream=0.0.0.0:YOUR_ALT_PORT
ListenStream=[::]:YOUR_PORT
ListenStream=[::]:YOUR_ALT_PORT

## Restart stuff
cmd: systemctl daemon-reload
cmd: systemctl restart ssh.socket

## Check stuff
ss -tlnp | grep ssh

——————————–
## Edit file in /etc/ssh/sshd_config.d/*.conf

Port 22
Port 2222

PubkeyAuthentication yes
PasswordAuthentication no

Match LocalPort 2222
PasswordAuthentication yes

## Restart stuff
cmd: systemctl restart ssh
cmd: systemctl daemon-reload
cmd: systemctl restart ssh.socket

——————————–
## Login to specific alternate port using password.

ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password root@systemname -p 2222

So now, at least in theory, most of the login attacks will be thwarted just by only allowing pubkey logins on port 22. I will probably go through the other systems and do the same. At least the other ‘S’ system.
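
Since the `Match LocalPort` block is what decides which port still takes passwords, it can be checked before the restart instead of after. This is an added example, not part of the original notes: it asks sshd itself, via `sshd -t` and `sshd -T -C`, which PasswordAuthentication value it would apply on each port. Run it as root; the `SSHD_BIN` path, the function names and the placeholder user/host/addr in the connection spec are assumptions.

```sh
#!/bin/sh
# Added example: pre-restart check of the per-port password policy.
# SSHD_BIN is an assumed path; override it if sshd lives elsewhere.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# Print the PasswordAuthentication value ("yes" or "no") that sshd would
# apply to a connection arriving on local port $1. "sshd -T" dumps the
# effective config; "-C ... lport=N" makes it evaluate Match LocalPort N.
# user/host/addr are placeholders needed only to complete the spec.
pwauth_for_port() {
    "$SSHD_BIN" -T -C "user=root,host=localhost,addr=127.0.0.1,lport=$1" 2>/dev/null |
        awk '$1 == "passwordauthentication" { print $2; exit }'
}

# check_policy KEY_ONLY_PORT PASSWORD_PORT
# Returns 0 only when the config parses, KEY_ONLY_PORT refuses passwords
# and PASSWORD_PORT accepts them. Returns 2 on a syntax error, 1 when the
# effective policy is not the intended one.
check_policy() {
    "$SSHD_BIN" -t || { echo "sshd config does not parse" >&2; return 2; }
    key_only=$(pwauth_for_port "$1")
    alt=$(pwauth_for_port "$2")
    echo "port $1: PasswordAuthentication ${key_only:-unknown}"
    echo "port $2: PasswordAuthentication ${alt:-unknown}"
    [ "$key_only" = "no" ] || return 1
    [ "$alt" = "yes" ] || return 1
}

# Usage, before "systemctl restart ssh":
#   check_policy 22 2222 && echo "policy OK"
```

Keep the current session open while restarting, and only close it after a second login on each port has worked.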
