by greenie_beans 2114 days ago
This is a noob question, but could you not set up fail2ban to ban bad IPs on both ports, even if you're not using SSH on one? I'm wondering if it's possible to close port 22 and set fail2ban rules to ban any IPs that try to SSH there, while changing your SSH port and also setting up fail2ban on that port, too. Does a closed port work like that?

You could have the firewall log connection attempts on port 22 and plug that into fail2ban.
fail2ban works by tailing authentication logs and matching regexes to find failed attempts and the IP address of the source. So if nothing is listening on the port, there won't be anything to spit out logs that fail2ban can read.

You could potentially create a fake daemon that listens on port 22 and just logs every access attempt, and set up fail2ban to block any IP that even opens a connection to the port, regardless of what they try to send over it.

Actually, I think iptables has a LOG target that can log connection attempts even without something listening, so that could work too and be much simpler.

Just make sure to exclude that port from service checks ;)
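As an added example, not from anyone in the thread: a small Python mock of the jail the reply above describes, matching kernel LOG lines for SYNs to port 22 (the kind the iptables LOG target writes when nothing listens), counting hits per source IP inside a findtime window, and honouring an ignoreip list so the monitoring host doing service checks is not banned. The "SSH-PROBE: " log prefix, the hostnames, the sample log lines and the monitoring IP are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches kernel LOG lines from an assumed rule such as
#   iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "SSH-PROBE: "
# The fail2ban equivalent would be a filter with roughly
#   failregex = ^.*SSH-PROBE: .*SRC=<HOST> .*DPT=22 .*SYN
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[\d. ]+\] )?"
    r"SSH-PROBE: .*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=22 .*?\bSYN\b"
)

def parse_probe(line):
    """Return (timestamp, source IP) for a matching LOG line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2024)
    return ts, m.group("src")

def offenders(lines, maxretry=3, findtime=600, ignoreip=()):
    """Mimic a fail2ban jail: a source that reaches maxretry hits inside
    findtime seconds is banned, unless it is in ignoreip (your monitoring)."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_probe(line)
        if parsed is None or parsed[1] in ignoreip:
            continue
        ts, src = parsed
        recent = [t for t in hits[src] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        hits[src] = recent
        if len(recent) >= maxretry:
            banned.add(src)
    return banned

# Constructed, abbreviated kern.log sample (not a real capture).
SAMPLE_LOG = [
    "Jan 10 12:00:01 bastion kernel: [8123.441] SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:00:03 bastion kernel: [8125.002] SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:00:04 bastion kernel: [8126.310] SSH-PROBE: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0",
    "Jan 10 12:00:05 bastion kernel: [8127.120] SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:00:30 bastion kernel: [8152.000] SSH-PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=33000 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:00:31 bastion kernel: [8153.000] SSH-PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=33001 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:00:32 bastion kernel: [8154.000] SSH-PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=33002 DPT=22 WINDOW=65535 SYN URGP=0",
    "Jan 10 12:01:00 bastion sshd[4242]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2",
]
```

With 198.51.100.9 as the monitoring host in ignoreip, only 203.0.113.5 ends up banned; without the ignoreip entry the monitor would ban itself, which is the service-check trap the last comment warns about.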