* Patrick (p_rynhart@hotmail.com) [051127 01:06]:
> Thanks Steve. I've just tested your solution and it's working fine. I
> invoked a second instance of sshd using a different configuration file,
> i.e.
>
>     sshd -f /etc/ssh/sshd_conf-internal
>
> which binds to port 22 and allows all users to log in. The (original)
> file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public
> internet - but restricts access based on AllowGroup. The server has a
> single NIC - but, as you say, it's no problem using different ports.

If you want, you can direct incoming traffic from the external interface
for tcp/22 to your daemon listening on 1022 with something like

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 22 \
        -j REDIRECT --to-ports 1022

Many people recommend not listening on port 22 on public interfaces
though, and instructing your users to use an alternate port (to avoid
annoying dictionary attacks cluttering your logs). Personally I don't
prefer to hide like that. You're probably better off restricting access
to specific hosts (if feasible) and requiring key-based authentication.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Great spirits have always found violent opposition from mediocre minds.
The latter cannot understand it when a man does not thoughtlessly submit
to hereditary prejudices but honestly and courageously uses his
intelligence." -- Albert Einstein
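The two-daemon setup discussed in this thread, as an added example that is not code from Patrick or Vineet: a POSIX shell script that writes the internal (port 22, anyone may log in) and public (port 1022, AllowGroups plus keys only) sshd_config files, prints the PREROUTING redirect from the reply (with `-d`, single dash), and runs a check that refuses to bless a config for a public interface unless it has a non-default port, key-only authentication, no root login and an AllowGroups line. The group name `sshusers`, the PidFile values and the scratch-directory paths are assumptions; `eth0` and `1.2.3.4` are taken from the iptables rule above. The check ignores `Match` blocks, which these files do not use.

```shell
#!/bin/sh
# Added example (not from the thread): build and vet the two sshd configs.
# Assumptions: group "sshusers", PidFile paths, scratch directory via mktemp.
set -eu

# Internal instance: port 22, any user may log in (password auth allowed).
write_internal_config() {   # $1 = path to write
    cat > "$1" <<'EOF'
# sshd_conf-internal: reachable only from the inside (see the NAT rule)
Port 22
PidFile /var/run/sshd-internal.pid
PasswordAuthentication yes
EOF
}

# Public instance: port 1022, members of one group, keys only, no root.
write_public_config() {     # $1 = path to write
    cat > "$1" <<'EOF'
# sshd_conf: exposed to the Internet on tcp/1022
Port 1022
PidFile /var/run/sshd.pid
AllowGroups sshusers
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

# The NAT rule that sends external tcp/22 to the restricted daemon.
# $1 = external interface, $2 = its address. Printed, not executed:
# applying it needs root on the real box.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 22 -j REDIRECT --to-ports 1022\n' "$1" "$2"
}

# Value of the first top-level occurrence of directive $2 in config $1,
# lower-cased. Comments are stripped and directive names are matched
# case-insensitively, as sshd does. Match blocks are not handled (assumption:
# the configs here have none).
config_value() {
    sed -e 's/#.*//' "$1" | tr 'A-Z' 'a-z' | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Returns 0 only if config $1 is acceptable on a public interface:
# non-default port, key-only auth, no root login, and an AllowGroups line.
# Each missing or wrong directive is reported on stderr.
check_public_config() {
    rc=0
    for want in "port 1022" "pubkeyauthentication yes" "passwordauthentication no" "permitrootlogin no"; do
        key=${want%% *}
        val=${want#* }
        got=$(config_value "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "$1: expected '$key $val', found '${got:-unset}'" >&2
            rc=1
        fi
    done
    if [ -z "$(config_value "$1" allowgroups)" ]; then
        echo "$1: AllowGroups is missing" >&2
        rc=1
    fi
    return "$rc"
}

# Stand-alone run: write both files into a scratch directory and vet them.
demo_dir=$(mktemp -d)
write_internal_config "$demo_dir/sshd_conf-internal"
write_public_config "$demo_dir/sshd_conf"
check_public_config "$demo_dir/sshd_conf" && echo "public config OK"
check_public_config "$demo_dir/sshd_conf-internal" || echo "internal config must not face the Internet"
redirect_rule eth0 1.2.3.4
```

Before starting a second daemon on the real host, validate each file with `sshd -t -f <file>` (test mode parses the config and exits), start it with `sshd -f <file>`, and confirm with `ss -ltnp` (or `netstat -ltnp`) that one sshd is listening on 22 and the other on 1022 before adding the NAT rule.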