Dual-Port SSH Configuration: Securing Admin (Port 22) and User Access (Port 26) with IP Restrictions and Root Login Control

Configuring sshd to listen on more than one port, and then applying Match LocalPort blocks, gives per-port control over who may log in and how. In this scenario we'll use:

  • Port 22 for admin access (restricted to internal IPs)
  • Port 26 for regular user access (with root login disabled)

Edit /etc/ssh/sshd_config with these key directives. Keep the Match blocks at the end of the file: every line after a Match line belongs to that block until the next Match line, so a global directive placed below one silently becomes port-specific:

# Listen on multiple ports
Port 22
Port 26

# Port-specific configurations (each Match block runs until the next Match line)
Match LocalPort 22
    PermitRootLogin yes
    # Admin port is key-only: PermitRootLogin yes plus password logins would
    # expose root to online guessing from the internal range
    PasswordAuthentication no
    X11Forwarding no
    # user@host patterns; the host part may be a CIDR range. root must be
    # listed here, otherwise AllowUsers refuses root whatever PermitRootLogin says.
    AllowUsers root@192.168.1.0/24 admin@192.168.1.0/24

Match LocalPort 26
    PermitRootLogin no
    PasswordAuthentication yes
    # Only members of this group may log in on the user port
    AllowGroups ssh-users

For internal-only access to port 22. These rules use -A, so they are appended after whatever the INPUT chain already holds; they must come before any existing catch-all ACCEPT, and the -s match only keeps out spoofed sources if the upstream network does ingress filtering:

# Allow internal network to port 22
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Block external access to port 22 (must be ordered after the ACCEPT above)
iptables -A INPUT -p tcp --dport 22 -j DROP

# Allow public access to port 26 (only has an effect if the INPUT policy or a later rule drops)
iptables -A INPUT -p tcp --dport 26 -j ACCEPT

# Repeat the same three rules with ip6tables, or port 22 stays reachable over IPv6

For more granular control, add these settings to the Match LocalPort 26 block above. A second Match block for the same port also works, but where both set the same keyword the first one in the file wins, and a keyword that sshd does not accept inside Match makes sshd -t fail:

# LoginGraceTime is not accepted inside a Match block; it belongs in the global section
LoginGraceTime 1m

Match LocalPort 26
    # Both methods in sequence: a valid key AND an interactive (PAM) prompt.
    # Needs KbdInteractiveAuthentication yes (ChallengeResponseAuthentication on
    # older releases) and UsePAM yes in the global section. Once this is set,
    # PasswordAuthentication yes on its own no longer gets anyone in.
    AuthenticationMethods publickey,keyboard-interactive
    MaxAuthTries 3
    ClientAliveInterval 300

After making changes (keep your current session open until a fresh login on each port has succeeded; a broken config or firewall rule otherwise locks you out):

  1. Test configuration: sshd -t
  2. Reload SSH: systemctl reload sshd (the unit is named ssh on Debian and Ubuntu, sshd on RHEL and Fedora)
  3. Verify listening ports: ss -tulnp | grep sshd

For maximum isolation, run a second sshd instance with its own config, PID file and systemd unit. Two daemons cannot share a port, so the main /etc/ssh/sshd_config then lists only Port 22:

# Build the port-26 config from the main one. Appending with echo would land the
# new lines inside the last Match block, so prepend the instance settings instead.
{
    printf 'Port 26\nPidFile /run/sshd_port26.pid\nPermitRootLogin no\n'
    grep -vE '^(Port|PidFile)[[:space:]]' /etc/ssh/sshd_config
} > /etc/ssh/sshd_port26_config
sshd -t -f /etc/ssh/sshd_port26_config

# A standalone unit. "systemctl edit sshd@port26.service" is the wrong tool: where
# sshd@.service exists it is the socket-activated per-connection template, not a listener.
cat > /etc/systemd/system/sshd-port26.service <<'EOF'
[Unit]
Description=OpenSSH server daemon (port 26, regular users)
After=network.target

[Service]
ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_port26_config
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_port26_config
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now sshd-port26.service

When setting up SSH servers for different access levels, we often need to:

  • Maintain standard port 22 for privileged admin access
  • Configure alternative ports (like 26) for regular user access
  • Implement security restrictions based on port numbers

First, edit your SSH server configuration:

sudo nano /etc/ssh/sshd_config

Add these configurations:

# Standard admin port
Port 22
# Additional user port
Port 26

We'll use the Match directive to apply different rules per port:

# Port 22 restrictions (admin access)
Match LocalPort 22
    PermitRootLogin yes
    # root must be listed: AllowUsers refuses every user not named, so
    # PermitRootLogin yes has no effect without it
    AllowUsers root admin1 admin2
    PasswordAuthentication no
    AuthenticationMethods publickey

# Port 26 restrictions (user access)
Match LocalPort 26
    PermitRootLogin no
    AllowUsers user1 user2 user3
    PasswordAuthentication yes

Combine with iptables for network-level restrictions. Appended rules must precede any existing catch-all ACCEPT in the INPUT chain, and if sshd also listens on IPv6 the same rules are needed in ip6tables:

# Allow internal network (192.168.1.0/24) to port 22
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# Block all other access to port 22
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

# Save iptables rules. The redirection has to run as root as well: with a plain
# "sudo iptables-save > file" your own shell opens the file and gets permission denied.
# /etc/iptables/rules.v4 is what iptables-persistent (Debian/Ubuntu) reloads at boot;
# RHEL-family hosts with iptables-services use /etc/sysconfig/iptables instead.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
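Both iptables passages above append rules one at a time, which leaves the ordering at the mercy of whatever the chain already holds. The following is an added example, not code from the original page: it generates the whole INPUT policy as an iptables-restore file so the order is explicit and can be validated with iptables-restore --test before it goes live. It goes beyond the page by adding a default-deny INPUT policy, a loopback rule and an ESTABLISHED,RELATED rule (without which a DROP policy would cut off return traffic); the conntrack match module is assumed to be available. The ruleset_ok helper is a constructed self-check, not an iptables feature.

```shell
#!/bin/sh
# Added example: build the page's two-port SSH firewall policy as a complete
# iptables-restore file instead of appending live rules with "iptables -A".

# ssh_ruleset ADMIN_CIDR [ADMIN_PORT] [USER_PORT] -> prints the ruleset
# Assumptions: conntrack match available; loopback traffic should be allowed.
ssh_ruleset() {
    admin_cidr=$1
    admin_port=${2:-22}
    user_port=${3:-26}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# admin port: new connections only from the internal range, then drop the rest
-A INPUT -p tcp --dport $admin_port -s $admin_cidr -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $admin_port -j DROP
# user port: reachable from anywhere; sshd's Match block decides who may log in
-A INPUT -p tcp --dport $user_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ruleset_ok RULESET ADMIN_PORT -> exit 0 when the admin-port ACCEPT precedes
# its catch-all DROP, which is the only ordering under which the policy works.
# (Constructed helper for this example, not part of iptables.)
ruleset_ok() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $0 ~ ("--dport " p " -s ") && /-j ACCEPT/ && !allow { allow = NR }
        $0 ~ ("--dport " p " -j DROP")                    { drop  = NR }
        END { exit !(allow && drop && allow < drop) }'
}

# Usage on a real host (as root):
#   ssh_ruleset 192.168.1.0/24 22 26 > /etc/iptables/rules.v4
#   iptables-restore --test /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v4
# IPv6 needs the same file loaded through ip6tables-restore, or port 22 stays open over IPv6.
ssh_ruleset 192.168.1.0/24 22 26
```

Loading the file with iptables-restore replaces the table atomically, so there is never a moment where the DROP rule exists without its preceding ACCEPT; do this from a console or a session you can afford to lose, and keep the existing session open until a fresh connection on each port succeeds.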

After making changes, test your configuration from a second session while the current one stays open:

# Check the syntax first, then restart (a reload is enough for sshd_config edits);
# the unit is ssh on Debian/Ubuntu, sshd on RHEL/Fedora
sudo sshd -t && sudo systemctl restart sshd

# Test admin access (from an internal IP; from outside the range the
# connection should time out, since the firewall DROPs it)
ssh -p 22 admin1@yourserver

# Test user access
ssh -p 26 user1@yourserver

# Verify root login is blocked on port 26: expect "Permission denied"
ssh -p 26 root@yourserver

If you encounter problems:

  1. Check SSH logs: journalctl -u sshd -f (journalctl -u ssh -f on Debian/Ubuntu)
  2. Verify iptables rule order and hit counters: iptables -L INPUT -n -v --line-numbers
  3. Test network connectivity: telnet yourserver 26
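The Match LocalPort blocks in both configurations above, and the tests just listed, all hinge on one question: what does sshd actually enforce on a given port? The following is an added example, not code from the original page. It resolves a keyword for a port from sshd_config text the way sshd does (the first matching Match block that sets the keyword wins; otherwise the first global occurrence; otherwise the compiled-in default), and flags the AllowUsers trap where PermitRootLogin yes is moot because root is not listed. Only Match LocalPort and Match all criteria are modelled, the sample config is constructed for this example, and live_setting assumes it runs as root on a host whose sshd reads /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: offline resolution of per-port sshd settings, plus a wrapper
# around "sshd -T -C" for the authoritative answer on a live host.

# Constructed sample config mirroring the page's two-port layout.
SAMPLE_CONFIG='
Port 22
Port 26
PermitRootLogin prohibit-password
PasswordAuthentication no

Match LocalPort 22
    PermitRootLogin yes
    AllowUsers root admin1 admin2
    AuthenticationMethods publickey

Match LocalPort 26
    PermitRootLogin no
    PasswordAuthentication yes
    AllowUsers user1 user2 user3
'

# effective_setting CONFIG_TEXT PORT KEYWORD -> prints the value, or DEFAULT
effective_setting() {
    printf '%s\n' "$1" | awk -v port="$2" -v key="$3" '
        BEGIN { scope = "global"; g = ""; m = "" }
        NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
        tolower($1) == "match" {
            scope = "other"                         # a block for some other criteria
            if (tolower($2) == "all") scope = "match"
            for (i = 2; i < NF; i++)
                if (tolower($i) == "localport" && $(i + 1) == port) scope = "match"
            next
        }
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)      # strip the keyword, keep the value
            if (scope == "global" && g == "") g = v # first global value wins
            if (scope == "match"  && m == "") m = v # first matching block wins
        }
        END { print (m != "" ? m : (g != "" ? g : "DEFAULT")) }'
}

# root_login_possible CONFIG_TEXT PORT -> yes/no
# PermitRootLogin is only half the story: an AllowUsers list that omits root
# (as bare "root" or a "root@host" pattern) refuses root on that port anyway.
root_login_possible() {
    prl=$(effective_setting "$1" "$2" PermitRootLogin)
    allow=$(effective_setting "$1" "$2" AllowUsers)
    if [ "$prl" = no ]; then echo no; return 0; fi
    if [ "$allow" = DEFAULT ]; then echo yes; return 0; fi
    for u in $allow; do
        case "$u" in
            root|root@*) echo yes; return 0 ;;
        esac
    done
    echo no
}

# live_setting PORT KEYWORD -> what the running sshd resolves for a connection
# on PORT, via "sshd -T -C" (run as root). Hostname and address are placeholders
# chosen for this example; pass real ones if your Match blocks test them.
live_setting() {
    sshd -T -C "lport=$1,user=root,host=client.example,addr=192.0.2.10" 2>/dev/null |
        awk -v key="$2" 'tolower($1) == tolower(key) { v = $0; sub(/^[^ \t]+[ \t]+/, "", v); print v }'
}

# Summarise both ports of the sample config.
for p in 22 26; do
    printf 'port %s: PermitRootLogin=%s AllowUsers=[%s] root_login_possible=%s\n' "$p" \
        "$(effective_setting "$SAMPLE_CONFIG" "$p" PermitRootLogin)" \
        "$(effective_setting "$SAMPLE_CONFIG" "$p" AllowUsers)" \
        "$(root_login_possible "$SAMPLE_CONFIG" "$p")"
done
```

On a real host, compare the offline answer with live_setting 26 PermitRootLogin and live_setting 22 AllowUsers; any disagreement means the file sshd loaded is not the one you edited, or a criterion other than LocalPort is in play.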

For enhanced security:

  • Implement fail2ban for both ports (the stock sshd jail watches port 22 only; set port = 22,26 in the jail)
  • Consider port knocking for the admin port
  • Regularly audit access logs
  • Rotate SSH keys periodically