Load balancing SFTP and the security of Linux server management through SSH


I have a situational question regarding HAProxy and the security of the management of the server when using HAProxy to load balance SFTP servers.

With my current setup I’m running 2 Ubuntu 20.04 servers. They each have their own IP and a virtual IP that floats back and forth between them with keepalived if there is a failure.

This has worked well. I’m now looking to add an SFTP cluster for HAProxy to load balance. SFTP incoming connections come in through port 22, the same port that remote management is done through with ssh. I would want to allow any IP to connect to the SFTP services but not expose the management of my servers externally.

This could probably be solved by changing the port SSH uses, but I wanted to ask others and explore what other options there might be to solve this problem.

How have others solved this issue?


Thinking about it some more, another way to solve this could be to bind the ssh.service to only the non-floating IP for each server. That seems like it might be a good way to go about it.

Still interested in how others have handled this or thoughts.

Thanks again.
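A check for the bind-to-the-non-floating-IP idea raised in the post, as an added example that is not part of the original post: it reads `ss -H -tlnp` output and flags any `sshd` listener that is reachable on the floating IP. The addresses (VIP 192.0.2.10, node IP 192.0.2.11), the function name and the sample `ss` lines are constructed, and it assumes HAProxy is what binds port 22 on the VIP.

```shell
#!/bin/sh
# Added example. Assumed layout (documentation addresses, not from the post):
#   VIP (floating, keepalived) 192.0.2.10 -> HAProxy, TCP port 22 (SFTP)
#   node IP (non-floating)     192.0.2.11 -> sshd, management only
# sshd is pinned with the sshd_config directive "ListenAddress 192.0.2.11".

# Constructed sample: default sshd, listening on every address (wildcards).
BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Constructed sample: sshd pinned to the node IP, HAProxy on the VIP.
AFTER='LISTEN 0 128 192.0.2.11:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 192.0.2.10:22 0.0.0.0:* users:(("haproxy",pid=955,fd=7))'

# sshd_hidden_from_vip VIP SS_OUTPUT
# Returns 0 when no sshd listener on port 22 is reachable through the VIP.
# A wildcard bind (0.0.0.0, *, [::]) counts as exposed, because it also
# answers on the VIP whenever keepalived moves it to this node.
sshd_hidden_from_vip() {
    printf '%s\n' "$2" | awk -v vip="$1" '
        $1 == "LISTEN" && $4 ~ /:22$/ && /"sshd"/ {
            addr = $4
            sub(/:22$/, "", addr)
            if (addr == vip || addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                print "EXPOSED: sshd listens on " $4
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# On a live node: sshd_hidden_from_vip 192.0.2.10 "$(ss -H -tlnp)"
if sshd_hidden_from_vip 192.0.2.10 "$AFTER"; then
    echo "OK: management SSH is not reachable on the VIP"
fi
```

Run it on both nodes: after a failover the VIP lands on the other server, and a wildcard `sshd` bind there exposes management again.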