====== Ubuntu - SSH - Configuring sshd ======
First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
----
===== Disable logins for the **root** user, only allow login for the core user and disable password based authentication. =====
Contents of /etc/ssh/sshd_config (permissions: 0600, owner: root:root):
# Use most defaults for sshd configuration.
UsePrivilegeSeparation sandbox
Subsystem sftp internal-sftp
PermitRootLogin no
AllowUsers core
PasswordAuthentication no
ChallengeResponseAuthentication no
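The following is an added example and not part of the original page: a small POSIX shell check that reads an sshd_config and verifies the four directives above before you run daemon-reload. It encodes the caveat that sshd uses the first value it finds for a keyword (not the last) and that lines after the first **Match** block are conditional, so hardening lines appended at the end of a file may be ineffective; the `sshd_directive`, `sshd_hardening_check` names and the sample config are constructed here.

```sh
#!/bin/sh
# Added example, not from the original page: verify that an sshd_config
# applies the hardening this page sets, before running daemon-reload.
# Caveat it encodes: sshd uses the FIRST value of a keyword, not the last,
# and everything after the first "Match" line is conditional, so a hardening
# line appended at the end of the file can be silently ineffective.

# Print the effective global value of a directive (empty if unset).
# $1 = path to sshd_config, $2 = keyword (matched case-insensitively)
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/      { next }   # comments and blank lines
        tolower($1) == "match"    { exit }   # global section ends here
        tolower($1) == key && !found {
            $1 = ""; sub(/^[[:space:]]+/, "")  # keep the argument list only
            val = tolower($0); found = 1       # first occurrence wins
        }
        END { print val }' "$1"
}

# Check the directives from this page; print each failure, return 1 on any.
sshd_hardening_check() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no AllowUsers=core; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: hardening appended after an earlier "PermitRootLogin yes"
# and a Match block, which is exactly the case the check must catch.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
if sshd_hardening_check "$SAMPLE_BAD"; then echo "hardened"; else echo "NOT hardened"; fi
rm -f "$SAMPLE_BAD"
```

On a live host, `sudo sshd -T` prints the effective values the daemon would actually use and `sudo sshd -t` syntax-checks the file; this script is a pre-deploy check for the file on disk.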
----
===== Changing the sshd port =====
SSH is socket-activated by default. The configuration for this can be found at **/usr/lib/systemd/system/sshd.socket**; to change the port, edit the **[Socket]** section:
[Socket]
ListenStream=2222
FreeBind=true
Accept=yes
**sshd** will now listen only on port 2222 on all interfaces when the system is built.
Multiple ListenStream lines can be specified, in which case sshd will listen on all the specified sockets:
[Socket]
ListenStream=2222
ListenStream=10.20.30.40:2223
FreeBind=true
**sshd** will now listen to port 2222 on all configured addresses, and port 2223 on 10.20.30.40.
The complete contents of **/etc/systemd/system/sshd.socket** would now be:
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
[Socket]
ListenStream=2222
ListenStream=10.20.30.40:2223
FreeBind=true
Accept=yes
[Install]
WantedBy=sockets.target
----
===== Activating changes =====
After the edited file is written to disk, you can activate it without rebooting with:
sudo systemctl daemon-reload
We now see that systemd is listening on the new sockets:
systemctl status sshd.socket
which returns:
● sshd.socket - OpenSSH Server Socket
Loaded: loaded (/etc/systemd/system/sshd.socket; disabled; vendor preset: disabled)
Active: active (listening) since Wed 2015-10-14 21:04:31 UTC; 2min 45s ago
Listen: [::]:2222 (Stream)
10.20.30.40:2223 (Stream)
Accepted: 1; Connected: 0
...
And if we attempt to connect to port 22 on our public IP, the connection is refused, but port 2222 works:
$ ssh core@[public IP]
ssh: connect to host [public IP] port 22: Connection refused
$ ssh -p 2222 core@[public IP]
Enter passphrase for key '/home/user/.ssh/id_rsa':