Running an SSH Server on Multiple Ports

There are a lot of reasons you could need to run sshd (the ssh server) on a port other than the standard port 22. These days the Internet is pretty convoluted. Sometimes you have too many hack attempts on port 22, sometimes you're trying to work through a restrictive or oppressive proxy/firewall. I moved my sshd to a high port number on one server for the first reason.

It's pretty easy to do on your Linux box. These instructions are tested on OpenSuse 10.1 but they should work equally well on any Linux. On the machine that's running sshd, the ssh server, edit /etc/ssh/sshd_config. In it you'll see one directive on each line. Here's a snippet:

#AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes

In these lines, the ones that start with a # don't do anything - they're comments for your reference. Often sshd_config has default values for many of the most common options included with a # in front of them. So you might have a line like

#Port 22

With the # it doesn't do anything. Since 22 is the default value for Port, sshd will behave the same if you have no Port directive at all or if you have this comment.

The lines that have no # in front of them are directives. They tell sshd what you want it to do for any given option. So a line like

Port 22

tells sshd to listen for connections on port 22. The ssh server accepts multiple Port directives and will listen on multiple ports if you want it to. If you want to have sshd listen on ports 22, 80 and 32022 you need lines like this:

Port 22
Port 80
Port 32022

Note that Port 80 is normally used by web servers - it's said to be a Well Known Port Number. Using Port 80 for ssh will let you use ssh to connect through most firewalls and proxies. If you decide to do this then make sure that you don't also have a web server trying to use port 80 for incoming connections. Port 32022 isn't reserved for anything (as far as I know) but a random hacker wouldn't connect to it as their first try for an ssh connection. Port numbers go up to sixty-something thousand.

After you edit sshd_config and save it, you have to restart the ssh server in order for your changes to take effect. If you're making the changes while logged in on an ssh shell (i.e. somewhere other than in front of the computer running sshd) be aware that you may lose your connection when you restart (you should also read to the end of this post before restarting). I restart sshd like this:

ruby:/etc/ssh # /etc/init.d/sshd restart
Shutting down SSH daemon                                              done
Starting SSH daemon                                                   done

Once you've made the change and restarted, test your new configuration either from the console or another machine on your LAN. Supposing you used port 32022 you could test it locally like this:

rob3@ruby:~> ssh -p 32022 localhost

If you get a password prompt or a new shell then things are working; type "exit" to exit your ssh session. If you get an error like ssh: connect to host localhost port 32022: Connection refused then sshd isn't listening on the port you configured. It could be that some other process is using the port (perhaps your firewall), that you didn't change /etc/ssh/sshd_config correctly, or that sshd never restarted. To troubleshoot this, look at your logs. When you restart, several messages are written to /var/log/messages. Look at the latest ones like this:

ruby:/home/rob3 # tail -n 30 /var/log/messages

In response to this you'll get the last 30 lines of the log file. In there you should see several lines with timestamps that mention sshd. You want to see something indicating that the server is listening on your new port number. Otherwise you should look for indications of an error that help you further troubleshoot the problem.
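The same check can be made directly, by comparing the Port directives in sshd_config with the sockets that are actually listening. The script below is an added example, not part of the original post; the function names are made up for illustration, the sample config and socket list are constructed, and it assumes the column layout printed by `ss -tln`.

```shell
#!/bin/sh
# Added example: which Port directives in sshd_config have no listening socket?

# Ports sshd is configured for, one per line. "#Port 22" is a comment and is
# skipped; with no Port directive at all, sshd falls back to its default, 22.
configured_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# TCP ports in LISTEN state, parsed from `ss -tln` output on stdin.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print configured ports that nothing listens on; return 1 if there are any.
# $1 = path to sshd_config, $2 = file holding `ss -tln` output
missing_ports() {
    listening=$(listening_ports < "$2")
    rc=0
    for port in $(configured_ports "$1"); do
        printf '%s\n' "$listening" | grep -qx "$port" || { echo "$port"; rc=1; }
    done
    return "$rc"
}

# Constructed sample data (not from a real host): the config asks for three
# ports, but only 22 and 80 are listening.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
#Port 22
Port 22
Port 80
Port 32022
X11Forwarding yes
EOF
cat > "$demo_dir/ss.out" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
EOF
missing_ports "$demo_dir/sshd_config" "$demo_dir/ss.out" || echo "^ configured but not listening"
```

On a live host, save the real socket list with `ss -tln > /tmp/ss.out` and run `missing_ports /etc/ssh/sshd_config /tmp/ss.out`. Running `sshd -t` before the restart checks the edited file for syntax errors, which matters most when you are making the change over ssh.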

If you have a router between your Linux box and your Internet connection then you're going to need to set up port forwarding from a port on the router to the port you've configured on your Linux box. The external port (on the router) is the one that you'll have to type in to connect when you're away from home, so it's best to just set it to the same value as you use internally. That is, forward external port 22, 80, and/or 32022 to port 22, 80 and/or 32022 respectively. Be warned that exposing port 22 to the world with a weak root password is a good way to guarantee your box will get hacked.

Once you can connect to your Linux box from itself or somewhere else on your own network and you have your router configured, it's time to try connecting from outside. You don't actually have to go anywhere to do this. You can test it from your Linux box using your external IP. The site checkip.dyndns.org will quickly show you what your external IP is. Once you get that address, use the ssh client from your Linux box to connect. It's the same command as earlier (ssh -p 32022 localhost) but use your external IP address instead of localhost. The difference here is that the route used to connect mimics the route you'd use to connect from elsewhere. If you can't connect with the external IP but can connect to localhost then this indicates a problem with your routing, most likely a port forwarding issue in your router.

So there it is in a nutshell. Now you can go on to run an ssh client on some machine far away and connect to your Linux box at home. Don't forget you'll need to use your external IP and specify your non-standard port number when connecting. If you haven't already got an ssh client, both PuTTY and OpenSSH do a great job, though I think PuTTY might be easier for a beginning user on Windows.


I found that editing /etc/sysconfig/ssh and adding "-p 32022" also worked (once the sshd was restarted as you mention above).

S'good, but I think /etc/sysconfig/ssh isn't always there (not sure why - I looked in a couple of my old installs tho).

Apparently in Ubuntu, to restart sshd, the ssh server, you use

sudo /etc/init.d/ssh restart

or
service ssh restart

Took me a while to get, since I want to restart sshd, not ssh.