I fell for this one myself, so I present it here as a cautionary tale.
I've been running Linux servers for 30 years or so, and have a muscle memory associated with changing sshd ports. Edit sshd_config to change Port=123, update firewall to allow port 123, restart ssh, test config from another box to port 123, done.
Imagine my horror when that didn't work any more. On occasion, having done this hundreds or thousands of times, I might skip the 'test from another box' stage, but I did so this time and was unable to connect.
After a lot of searching, I found the culprit was systemd, or rather Ubuntu's decision to move control of the sshd process to there, so that edits to /etc/ssh/sshd_config were ignored. So when you search for things these days on the internet, you get some AI busting in telling you how to fix it. In this case it was Google Gemini, who confidently told me:
To change the port or address while keeping socket activation, you must modify the sshd.socket unit's configuration. The best practice is to create a "drop-in" file to override the default settings without directly editing the main unit file.
- Create a directory:
sudo mkdir -p /etc/systemd/system/ssh.socket.d
- Create a new drop-in file:
sudo nano /etc/systemd/system/ssh.socket.d/listen.conf
- Add the following content, replacing 1234 with your desired port. The empty ListenStream= line is crucial as it clears the default port 22.
[Socket]
ListenStream=
ListenStream=1234
- Reload the systemd daemon:
sudo systemctl daemon-reload
- Restart the socket:
sudo systemctl restart ssh.socket
- Update your firewall rules to allow the new port.
Well, the only trouble is, that didn't work. It left my system's sshd listening on IPv6 ONLY. And although the server had IPv6, my connection did not.
Luckily I was able to access the server via the host's console and fix it, but this is a massive gotcha for those VM hosts that don't facilitate that.
So how to fix it, really Google? Well, if you want to stick with ssh.socket:
sudo systemctl edit ssh.socket
# Add
[Socket]
ListenStream=
ListenStream=0.0.0.0:123
ListenStream=[::]:123
# Restart
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
# Verify that sshd is now listening on your new port for both IPv4 and IPv6:
sudo ss -tulpn | grep 123
OR, if you want to go back to the way things were, so you don't get confused ….
# Disable and stop the socket unit:
sudo systemctl disable --now ssh.socket
# Enable and start the service unit:
sudo systemctl enable --now ssh.service
Now you can edit /etc/ssh/sshd_config and simply run sudo systemctl restart ssh.service for changes to take effect.
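Whichever route you take, the failure above (a listener on IPv6 only) is easy to catch from the session you already have open, before you log out. The following is an added example, not part of the original post: it classifies the listeners on one port from `ss -Htln` output. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which address families have a TCP listener on a given port?
# Input: lines in `ss -Htln` layout (State Recv-Q Send-Q Local:Port Peer:Port).

listen_families() {
    # $1 = port. Prints one of: both, ipv4, ipv6, none.
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            n = split(la, parts, ":")
            # Exact port match: a plain "grep 123" would also hit 1234.
            if (parts[n] != port) next
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            if (addr == "*") { v4 = 1; v6 = 1 }  # ss shows * for a dual-stack wildcard socket
            else if (addr ~ /^\[/) v6 = 1        # bracketed address: IPv6
            else v4 = 1                          # dotted address: IPv4
        }
        END {
            if (v4 && v6) print "both"
            else if (v4)  print "ipv4"
            else if (v6)  print "ipv6"
            else          print "none"
        }'
}

check_listen() {
    # $1 = port, $2 = wanted result (default: both). Inspects the live system.
    # Returns non-zero when the port is not listening the way you expect.
    fam=$(ss -Htln | listen_families "$1")
    echo "port $1: $fam"
    [ "$fam" = "${2:-both}" ]
}

# Constructed sample lines, modelled on the two outcomes described in the post.
SAMPLE_V6_ONLY='LISTEN 0 4096 [::]:1234 [::]:*'
SAMPLE_FIXED='LISTEN 0 4096 0.0.0.0:123 0.0.0.0:*
LISTEN 0 4096 [::]:123 [::]:*'
```

Run `check_listen 123` in the existing session after restarting ssh.socket or ssh.service; anything other than `both` means a client on one of the two address families will not get through.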
The crazy thing is, if you tell Google that their recommended method doesn't work, it cheerfully acknowledges it and tells you the correct way to do it.
Be careful out there with AI.