SSH Port

• Read original article here

The default SSH port is 22. It is not a coincidence. This is a story of how it got that port.

When I (Tatu Ylonen first published this story in April 2017, it went viral and got about 120,000 readers in three days.

I wrote the initial version of SSH (Secure Shell) in Spring 1995. It was a time when telnet and FTP were widely used.

Anyway, I designed SSH to replace both (port 23) and (port 21). Port 22 was free. It was conveniently between the ports for and . I figured having that port number might be one of those small things that would give some aura of credibility. But how could I get that port number? I had never allocated one, but I knew somebody who had allocated a port.

The basic process for port allocation was fairly simple at that time. Internet was smaller and we were in the very early stages of the Internet boom. Port numbers were allocated by IANA (Internet Assigned Numbers Authority). At the time, that meant an esteemed Internet pioneer called Jon Postel and Joyce K. Reynolds. Among other things, Jon had been the editor of such minor protocol standards as IP (RFC 791), ICMP (RFC 792), and TCP (RFC 793). Some of you may have heard of them.

To me Jon felt outright scary, having authored all the main Internet RFCs!

Anyway, just before announcing in July 1995, I sent this e-mail to IANA:

The next day, I had an e-mail from Joyce waiting in my mailbox:

There we were! SSH port was 22!!!

On July 12, 1995, at 2:32am, I announced a final beta version to my beta testers at Helsinki University of Technology. At 5:23pm I announced ssh-1.0.0 packages to my beta testers. At 5:51pm on July 12, 1995, I sent an announcement about SSH (Secure Shell) to the mailing list. I also posted it to a few newsgroups, mailing lists, and directly to selected people who had discussed related topics on the Internet.

By default, the SSH server still runs in port 22. However, there are occasions when it is run in a different port. Testing use is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must be run in a non-privileged port (i.e., port number >= 1024).

The port number can be configured by changing the directive in /etc/ssh/sshd_config. It can also be specified using the option to sshd. The SSH client and sftp programs also support the option.

The option can be used to specify the port number to connect to when using the command on Linux. The (note: capital P) option can be used with SFTP and . The SSH port number command line setting overrides any value configured in configuration files.

SSH is one of the few protocols that are frequently permitted through firewalls. Unrestricted outbound SSH is very common, especially in smaller and more technical organizations. Inbound SSH is usually restricted to one or very few servers.

Configuring outbound SSH in a firewall is very easy. If there are restrictions on outgoing traffic at all, just create a rule that allows TCP port 22 to go out. That is all. If you want to restrict the destination addresses, you can also limit the rule to only permit access to your organization's external servers in the cloud, or to a jump server that guards cloud access.

Unrestricted outbound SSH can, however, be risky. The SSH protocol supports tunneling. The basic idea is that it is possible to have the SSH server on an external server listen to connections from anywhere, forward those back into the organization, and then make a connection to some Internal server.

This can be very convenient in some environments. Developers and system administrators frequently use it to open a tunnel that they can use to gain remote access from their home or from their laptop when they are travelling.

However, it generally violates policy and takes control away from firewall administrators and the security team. It can, for example, violate PCI, HIPAA, or NIST SP 800-53. It can be used by hackers and foreign intelligence agencies to leave backdoors into organizations

For inbound access, there are a few practical alternatives:

Iptables is a host firewall built into the Linux kernel. It is typically configured to protect the server by preventing access to any ports that have not been expressly opened.

If is enabled on the server, the following commands can be used to permit incoming SSH access. They must be run as root.

If you want to save the rules permanently, on some systems that can be done with the command: