# SSH: Limit root access to a certain port



## dordal (Mar 17, 2009)

Wondering if sshd has any kind of virtualhost like functionality. What I'd like to do is PermitRootLogin on some non-standard port, but then disallow it on 22 (while still allowing normal users to login on 22)

Looked at the docs, doesn't look like this is possible without running two copies of sshd. But figured I'd ask just in case I missed something...


----------



## DutchDaemon (Mar 17, 2009)

Nope, you'll have to run a second instance of sshd with its own config file.


----------



## anomie (Mar 17, 2009)

Alternatively, restrict root access to sshd (i.e. a single instance of it) in different ways. 

See the DenyUsers, AllowUsers, DenyGroups, and AllowGroups directives in sshd_config(5). Also see PATTERNS in ssh_config(5). I've used the form user@host in sshd_config to limit access for certain high-value users.


----------



## gilinko (Mar 18, 2009)

Keep in mind that under freebsd, you are only allowed to use su IF you are in the wheel group(in linux everybody is allowed to use the su command). So I would suggest that rather than opening a port to be probed for the root password(even if it's non standard port), keep the ssh daemon denying direct root access and allow your user(or a secondary non root user) to use su(ie be a member of wheel).


----------



## DutchDaemon (Mar 18, 2009)

Or use SSH keys only to prevent brute-force / dictionary attacks on your root password.


----------

