How to prevent server inaccessibility by using a secondary SSH server access port
One of my Debian servers' SSH daemon suddenly became inaccessible today. While trying to ssh in, I experienced the following error:
$ ssh root@my-server.net -v
OpenSSH_5.8p1 Debian-2, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to mx.soccerfame.com [83.170.104.169] port 22.
debug1: Connection established.
debug1: identity file /home/hipo/.ssh/id_rsa type -1
debug1: identity file /home/hipo/.ssh/id_rsa-cert type -1
debug1: identity file /home/hipo/.ssh/id_dsa type -1
debug1: identity file /home/hipo/.ssh/id_dsa-cert type -1
...
Connection closed by remote host
Interestingly, only the SSH server and sometimes the mail server were failing to respond, and therefore every means of accessing the server was lost. Other services on the server, for example Nginx, continued working just fine.
Some time ago, while still working for design.bg, a web development company, I experienced similar errors with SSH servers, so I already had a clue about a way to work around the issue and to protect myself against losing access to a remote server because the secure shell daemon has broken.
My workaround is actually very simple: I run a secondary sshd (a separate sshd instance, i.e. a separate process) listening on a different port number.
To do so I invoke the sshd daemon on port 2207 like so:
debian:~# /usr/sbin/sshd -p 2207
debian:~#
Besides that, to ensure my sshd -p 2207 will be running after the next boot, I add:
/usr/sbin/sshd -p 2207
to /etc/rc.local (before the script's final line, exit 0). I set sshd -p 2207 to run via /etc/rc.local on purpose, instead of adding a second Port 2207 line to /etc/ssh/sshd_config. The reason is that a second Port directive in sshd_config does not start a second daemon: the one existing sshd parent process simply binds both ports, so once that parent hangs, the secondary port becomes inaccessible as well. Only a separately started sshd process, with its own parent, keeps answering when the main one hangs.
A few things worth checking when doing this: the second instance still reads /etc/ssh/sshd_config (host keys, authentication settings, and so on), and -p on the command line overrides any Port lines in that file. Both instances would by default write the same PidFile (/var/run/sshd.pid), so the second one started overwrites the pid of the first, which confuses the init script's stop/restart; giving the secondary instance its own pid file with -o PidFile=... avoids that. The alternate port also has to be allowed through any firewall, and the secondary access path should be tested from outside before it is actually needed. Naturally, this only helps when the sshd process itself hangs, not when the whole host is wedged.
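The following is an added example, not code from the original post: a small POSIX shell script for /etc/rc.local that starts the secondary sshd as an independent process with its own pid file, skips the start if it is already running, and validates the configuration first. Port 2207 matches the post; the pid file path /var/run/sshd-2207.pid, the sshd path /usr/sbin/sshd (Debian's default) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's code): start a second, independent
# sshd on an alternate port from /etc/rc.local, with its own pid file so it
# does not clobber /var/run/sshd.pid, which the main instance uses.
# Assumed values: port 2207 (from the post), pid file /var/run/sshd-2207.pid
# and sshd at /usr/sbin/sshd (both assumptions of this example).

SSHD=/usr/sbin/sshd
ALT_PORT=2207
ALT_PIDFILE=/var/run/sshd-2207.pid

# Build the command line for the secondary daemon. -p on the command line
# overrides any Port lines in sshd_config, and -o PidFile=... gives this
# instance its own pid file; host keys and auth settings are still read
# from /etc/ssh/sshd_config, so both ports enforce the same policy.
build_sshd_cmd() {
    printf '%s -p %s -o PidFile=%s' "$1" "$2" "$3"
}

# Return 0 if the pid recorded in the given pid file is a live process.
# (kill -0 also fails on EPERM, but rc.local runs as root, so a live pid
# we cannot signal is not expected here.)
pidfile_alive() {
    pf="$1"
    [ -r "$pf" ] || return 1
    pid=$(cat "$pf" 2>/dev/null)
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Parse-check the configuration with exactly the options we will start
# with, so a broken config is reported instead of a daemon silently exiting.
config_ok() {
    "$1" -t -p "$2" -o PidFile="$3" 2>/dev/null
}

# Start the secondary instance unless it is already running.
start_secondary_sshd() {
    if pidfile_alive "$ALT_PIDFILE"; then
        echo "secondary sshd already running (pid $(cat "$ALT_PIDFILE"))"
        return 0
    fi
    if ! config_ok "$SSHD" "$ALT_PORT" "$ALT_PIDFILE"; then
        echo "sshd config check failed, not starting secondary sshd" >&2
        return 1
    fi
    echo "starting: $(build_sshd_cmd "$SSHD" "$ALT_PORT" "$ALT_PIDFILE")"
    # sshd daemonizes itself; this returns once it has forked into the background.
    "$SSHD" -p "$ALT_PORT" -o PidFile="$ALT_PIDFILE"
}

# Invoke as "sh this_script.sh start" from /etc/rc.local (before its final
# 'exit 0'), then verify from outside with: ssh -p 2207 user@host
if [ "${1:-}" = start ]; then
    start_secondary_sshd
fi
```

After a reboot, `ps -o pid,ppid,args -C sshd` should show two sshd listeners with different parents, which is exactly the property that keeps port 2207 reachable when the port-22 parent hangs.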