Setting up an SSHD failover daemon

Tune your SSH daemon as usual, e.g.

cd /etc/ssh/
mv -i sshd_config sshd_config.dist
sed '/^#/d; /^$/d' sshd_config.dist > sshd_config
cat >> sshd_config <<-EOF

Port XXX
Protocol 2
#AddressFamily inet
#ListenAddress x.x.x.x
AllowGroups root
#AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
UsePAM no

#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
EOF
vi sshd_config

Deprecated options,

#RSAAuthentication no
#ChallengeResponseAuthentication no

Create a failover config with a different port and PID file,

cp -pi sshd_config sshd_config.failover
vi sshd_config.failover

Port ALT_PORT
PidFile /var/run/sshd.failover.pid

Open ALT_PORT on the firewall (CentOS 7+ example; a rule added with --permanent only applies to the running firewall after firewall-cmd --reload),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent

Start the daemon and check that it is running and listening on ALT_PORT,

ls -lhF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover
ps aux | grep failover
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS 7),

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover && echo done

#no need to make it executable
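The failover config step above, scripted, as an added example that is not part of the original page: it derives sshd_config.failover from the primary config by rewriting Port and PidFile, and refuses a pair that would collide on either (two daemons sharing a port or a PID file would fight over the socket or overwrite each other's PID). The port numbers, paths and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Port numbers and paths are assumptions.

# Copy config $1 to $2 with Port set to $3 and PidFile set to $4.
# Existing Port/PidFile lines are dropped first (sshd keywords are case-insensitive).
make_failover_config() {
    grep -Eiv '^[[:space:]]*(Port|PidFile)[[:space:]]' "$1" > "$2" || :
    printf 'Port %s\nPidFile %s\n' "$3" "$4" >> "$2"
}

# Print the effective value of keyword $2 in config $1: sshd uses the first
# occurrence, and $3 stands in for the compiled-in default when it is absent.
config_value() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Succeed only if the two configs use different ports and different PID files.
check_distinct() {
    [ "$(config_value "$1" Port 22)" != "$(config_value "$2" Port 22)" ] &&
    [ "$(config_value "$1" PidFile /var/run/sshd.pid)" != \
      "$(config_value "$2" PidFile /var/run/sshd.pid)" ]
}

# Demo on a constructed primary config in a scratch directory (assumed paths).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<EOF
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
EOF
make_failover_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.failover" \
    2222 /var/run/sshd.failover.pid
if check_distinct "$demo_dir/sshd_config" "$demo_dir/sshd_config.failover"; then
    echo "failover config OK, port $(config_value "$demo_dir/sshd_config.failover" Port)"
else
    echo "failover config collides with the primary one" >&2
fi
```

Validate the generated file with `sshd -t -f /etc/ssh/sshd_config.failover` before starting the second daemon, since a keyword typo otherwise only shows up when the failover is needed.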

Last update: 2018-12-10