# Simple SSH question

## albright

Is it possible to have sshd listen on port 22 for eth0 (internal network) and some other port on eth1 (internet)? I found a guide to running two separate ssh daemons (http://www.kudos.be/multiple_sshd) but I wonder if that's the only way to do this.

TIA

----------

## Letharion

Try adding several `ListenAddress` to the config, read `man sshd_config` for details.

----------

## krinn

Well, he has done it, so it's possible :)

Using one ssh at port 22 so you can scp through your network without specifying your ssh port, easier,

and using one ssh at some random port to better secure the ssh access from the internet.

This is all based on this point of view, but that's faulty thinking to me:

1/ You can set rules from one ssh to handle external/internal security access already. I think there's even a way to tell ssh to allow the local network to accept a password and/or keyfile while, for example, setting only keyfile via the internet.

I'm not sure about that part, but I'm sure of this: setting everyone to keyfile will remove the need for a password and raise your security while easing your ssh access internally.

2/ Setting a random ssh port for access from the internet is not security at all; it just takes a hacker a few seconds more to find that port, and you will not be more protected. Some argue it's to prevent script kiddies from knocking on port 22; maybe, but preventing someone from seeing the door won't protect you if he sees it. Only a locked door will do.

3/ Most routers can forward ports easily, so it will be easier to open a random internet port and forward it to your internal port 22. You'll get both things: the "non-secure" but "not dangerous to set" random ssh port while keeping your ssh on port 22, and for your network, nothing tricky to change, as your computers will access the server on port 22; no forwarding is needed.

So I don't really see why he uses 2 sshd on a computer, except to play the "can I do it?" game.

----------
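
An added example, not part of any post in this thread: a single-daemon `sshd_config` fragment showing the `ListenAddress` approach Letharion suggests, combined with the per-network authentication rule krinn describes in point 1. The addresses 192.168.1.10 and 203.0.113.10, the port 2222 and the subnet 192.168.1.0/24 are constructed placeholders, not values from the thread.

```conf
# /etc/ssh/sshd_config (fragment)
# Constructed example: addresses, port and subnet below are placeholders.

# One sshd, two listening sockets. A ListenAddress that carries its own
# port does not use the Port directive, so each interface gets its own port.

# eth0, internal network
ListenAddress 192.168.1.10:22
# eth1, internet-facing
ListenAddress 203.0.113.10:2222

# Global default, applies to every connection: key authentication only.
PubkeyAuthentication yes
PasswordAuthentication no
# Also disable keyboard-interactive, otherwise a PAM password prompt may
# still be offered (ChallengeResponseAuthentication on older OpenSSH releases).
KbdInteractiveAuthentication no

# Override for clients whose source address is on the internal subnet:
# passwords are accepted in addition to keys.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Check the file with `sshd -t` before restarting the daemon. `sshd -T -C addr=<client address>,lport=<port>` prints the effective settings for a given connection, which confirms that the `Match` block only applies to internal clients.
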

## albright

Thanks Letharion, that got it (note to self: read man page :) )

----------

## bobspencer123

I'm not sure how to do it but I think iptables rules could do this with pre/post routing?

----------

