SSH resets to default port on reboot
I changed my default SSH port on my home server (in the /etc/ssh/sshd_config file) to port 54747, then restarted the ssh and sshd services (never sure which one so I did both just to be safe). To test my configuration, I logged out and then back in without any problem.
A couple days later, I installed apt updates, and then rebooted my server. When I tried to SSH back in (on port 54747), I got a connection refused error.
For some reason, I tried to SSH on default port, and it worked ! I went back to check on the sshd_config, but it still had the custom port. So I restarted the sshand sshdservices, and it got back to "regular" behaviour (ssh on port 54747). I tried rebooting again, and connection refused again...
Anyone knows what I did wrong ?
Extra details :
- Ubuntu 16.04.2 LTS
- Server is also used a HTPC, with an open session (same user as SSH) on my TV
- I SSH using my laptop's RSA key, and have disabled password auth
- I used to reboot with
sudo reboot -h now, but after searching, I discovered it was discouraged by some people, so I triedsudo reboot, but no differences
EDIT Sequence of events :
- Change SSH port from 22 to 54747 in
/etc/ssh/sshd_config - Restart ssh and sshd services
- End current SSH session
- SSH back in successfully on port 54747
- Reboot
- SSH connection error on port 54747, but successful on port 22
- Restart ssh and sshd services
- SSH back in successfully on port 54747, connection error on port 22
- Reboot and go back to 6
EDIT 1 : netstat output
rgo@ATLAS:~$ sudo netstat -lntp | grep :54747
rgo@ATLAS:~$ sudo netstat -lntp | grep :22
tcp6 0 0 :::22 :::* LISTEN 1/init
EDIT 2 : service sshd status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: inactive (dead)
EDIT 3 : lsof -i | grep ssh
systemd 1 root 46u IPv6 42724 0t0 TCP ATLAS:ssh->192.168.1.27:49837 (ESTABLISHED)
systemd 1 root 49u IPv6 14641 0t0 TCP *:ssh (LISTEN)
sshd 4088 root 3u IPv6 42724 0t0 TCP ATLAS:ssh->192.168.1.27:49837 (ESTABLISHED)
sshd 4088 root 4u IPv6 42724 0t0 TCP ATLAS:ssh->192.168.1.27:49837 (ESTABLISHED)
sshd 4202 rgo 3u IPv6 42724 0t0 TCP ATLAS:ssh->192.168.1.27:49837 (ESTABLISHED)
sshd 4202 rgo 4u IPv6 42724 0t0 TCP ATLAS:ssh->192.168.1.27:49837 (ESTABLISHED)
For reference, ATLAS is the remote server hostname, 192.168.1.27 is my laptop's LAN IP, and command was executed between steps 6 and 7
ufw status
Status: inactive
EDIT 4 : ps -ef |grep sshd
root 4088 1 0 22:40 ? 00:00:00 sshd: rgo [priv]
rgo 4202 4088 0 22:40 ? 00:00:00 sshd: rgo@pts/1 sshd
Solution 1:
ssh may be "socket activated" by systemd depending on configuration, which means that initially it is systemd that sets up the listening port, and sshd is only started when a client first connects. This is to speed up startup time: service daemons are only started on demand.
However this means that you must also configure systemd to the matching port. You'll find the system configuration in /lib/systemd/system/ssh.socket which lists ListenStream=22. To override this, create a file /etc/systemd/system/ssh.socket.d/port.conf (creating the directory ssh.socket.d if needed) that contains:
[Socket]
ListenStream=
ListenStream=54747
Change the number to the port desired. The first blank entry erases the previous default, and the subsequent entry adds the new one. This overrides the default shipped in /lib/systemd/system/ssh.socket and must be done in addition to changing /etc/ssh/sshd_config.
Then run sudo systemctl daemon-reload to tell systemd about your changes, and sudo systemctl reload ssh if your ssh daemon was previously running.