Understanding the port number SSH uses is fundamental for anyone managing a server or configuring network security. This specific channel serves as the primary gateway for secure remote administration, allowing administrators to connect to a machine over an unsecured network with confidence. Without this dedicated pathway, modern DevOps practices and cloud infrastructure management would be severely hampered.
The Standard SSH Port Number
By convention, the Internet Assigned Numbers Authority (IANA) has officially assigned port 22 for SSH traffic. This standardization ensures that client software, such as OpenSSH or PuTTY, attempts to connect to this specific endpoint by default when a user initiates a session. Servers listening on this port expect the SSH protocol handshake, which facilitates encryption and authentication before granting shell access.
Historical Context and IANA Registration
The assignment of port 22 to SSH dates back to the early standardization efforts of the IETF. Before this allocation, implementations sometimes used other ephemeral ports, which led to inconsistency. The formal registration under the "ssh" service name solidified the protocol's place in the networking ecosystem, ensuring interoperability between disparate systems and security appliances.
Why Port 22 is the Default
The dominance of port 22 is largely due to its integration into the foundational architecture of operating systems. Linux distributions ship with SSH daemons configured to listen on this port out of the box, and firewalls often have rules that implicitly trust traffic here for administrative purposes. This ubiquity reduces the need for custom configuration in typical deployments.
Security Considerations and Obscurity
While moving away from port 22 is often suggested as a security-through-obscurity tactic, security professionals generally advise against relying on this alone. Automated bots constantly scan the entire internet for an open port 22, but a determined attacker will easily discover the correct port regardless of whether you use 22222 or another number. True security relies on key-based authentication and robust account policies rather than port hiding.
The Trade-off of Changing Ports
Changing the default port can reduce log noise from automated attacks, making system logs cleaner and easier to monitor. However, this change introduces friction for legitimate users who must specify the custom port every time they connect. For automated scripts and CI/CD pipelines, maintaining an alternate port requires additional configuration management that may not be worth the minor reduction in bot traffic.
Practical Configuration and Firewall Rules
Whether you adhere to the standard or implement a custom setup, the configuration happens in the daemon configuration file and the host-based firewall. Administrators must ensure that the `sshd_config` file points to the correct port and that the firewall, such as `ufw` or `iptables`, explicitly allows traffic on that specific number.
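The consistency check described above, as an added example that is not part of the original article: it compares the ports set in `sshd_config` with the TCP ports allowed in `ufw status` output. The function names and both sample inputs are constructed for illustration, and the sketch assumes numeric ufw rules only (application profiles, `ListenAddress` ports and `Include` files are not resolved).

```python
import re

DEFAULT_PORT = 22  # IANA-assigned SSH port; sshd uses it when no Port line is set

def sshd_ports(config_text):
    """Ports named by Port directives (the keyword is case-insensitive and may repeat)."""
    ports = set()
    for raw in config_text.splitlines():
        # Commented-out lines start with '#', so they never match the keyword.
        m = re.match(r"(?i)port[\s=]+(\d+)\b", raw.strip())
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports) or [DEFAULT_PORT]

def ufw_allowed_tcp(status_text):
    """TCP ports with an ALLOW or LIMIT rule in `ufw status` output."""
    allowed = set()
    for line in status_text.splitlines():
        m = re.match(r"\s*(\d+)(?:/(tcp|udp))?\s+(?:\(v6\)\s+)?(ALLOW|LIMIT)\b", line)
        if m and m.group(2) != "udp":  # a rule without a protocol covers TCP too
            allowed.add(int(m.group(1)))
    return allowed

def audit(config_text, status_text):
    """Report ports sshd listens on that the firewall does not allow, and a leftover port-22 rule."""
    listening = sshd_ports(config_text)
    allowed = ufw_allowed_tcp(status_text)
    return {
        "listening": listening,
        "blocked": [p for p in listening if p not in allowed],  # lockout risk
        "stale_default": DEFAULT_PORT in allowed and DEFAULT_PORT not in listening,
    }

# Constructed sample: sshd moved to 22222, firewall still only allows 22.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 22222
PasswordAuthentication no
"""
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_UFW_STATUS))
```

Running the audit before restarting `sshd` catches the case where the daemon moves to a port the firewall still blocks, which would cut off remote access.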