by gradschool 732 days ago
This might not matter for your setup, but I would have thought it's bad in general to have sshd listening on a high port because then any non-root user who finds a way to crash it can replace it with his own malicious ssh server on the same port.
2 comments

You mean non-root local user? We don't have non-trusted users on the system.

Well, unless the http server or our dns resolver has a remote code execution vulnerability.

So directly I don't see the risk you describe. Of course, considering maximum defense in depth, you might have a point.

That's a good point, though you could use some firewall rules to rewrite the port number so that the local daemon is listening on the normal port but accessible via an alternate high numbered port.
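An added example, not code from anyone in the thread, of the mitigation described in the last comment: sshd keeps binding the privileged port 22 (which an unprivileged process cannot take over after a crash), and a firewall NAT rule rewrites the externally visible high port to 22. It assumes a Linux host with nftables, that 2222 is the chosen public port, and that the privileged-port threshold is the kernel's `net.ipv4.ip_unprivileged_port_start` (classic default 1024); the port and table names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep sshd on privileged port 22 locally
# and expose it on a high port via an nftables redirect, so a crashed sshd
# cannot be replaced on its listening port by a non-root process.

# Port sshd actually binds (set "Port 22" in sshd_config). Privileged: only
# root or a process with CAP_NET_BIND_SERVICE can bind it.
SSHD_LOCAL_PORT=22
# Port clients connect to from outside. Assumption: 2222 is otherwise unused.
SSHD_PUBLIC_PORT=2222

# First port a non-root process may bind. Linux exposes this as
# net.ipv4.ip_unprivileged_port_start; fall back to the classic 1024.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# is_privileged_port PORT [START]: prints "yes" if PORT is below the
# unprivileged threshold (START overrides the kernel value, e.g. for tests).
is_privileged_port() {
    start="${2:-$(unprivileged_port_start)}"
    if [ "$1" -lt "$start" ]; then echo yes; else echo no; fi
}

# nft_redirect_ruleset PUBLIC LOCAL: emits an nftables ruleset that rewrites
# the destination port of incoming TCP on PUBLIC to LOCAL before routing.
# Load it with: nft_redirect_ruleset 2222 22 | nft -f -
nft_redirect_ruleset() {
    public="$1"
    local_port="$2"
    cat <<EOF
table inet ssh_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport $public redirect to :$local_port
    }
}
EOF
}

# Quick sanity check an admin can run before deploying: the port sshd binds
# must be privileged, and the public port must be the one clients will use.
check_layout() {
    if [ "$(is_privileged_port "$SSHD_LOCAL_PORT")" != yes ]; then
        echo "warning: sshd local port $SSHD_LOCAL_PORT is unprivileged" >&2
        return 1
    fi
    echo "sshd binds :$SSHD_LOCAL_PORT, exposed on :$SSHD_PUBLIC_PORT"
}
```

Note that the redirect only adds an entrance: port 22 is still reachable directly unless the input chain filters it, so if the goal is for the high port to be the only externally visible one, pair the NAT rule with a filter rule for unredirected traffic to port 22.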