SSH (Secure Shell) uses TCP port 22 by default. This single port number handles everything SSH does — remote login, command execution, file transfer (SFTP/SCP), port forwarding, and tunneling.
Port 22 is one of the most targeted ports on the internet. Automated bots scan it constantly looking for weak passwords. Understanding how port 22 works, how to change it, how to secure it, and how to troubleshoot connection problems is essential for anyone who manages servers, network devices, or industrial systems.
This guide covers the SSH port number from the IANA registration to practical firewall rules and sshd_config examples.
1. What Is SSH Port 22
TCP port 22 is the default port assigned to the SSH protocol. When you type ssh user@server, your SSH client connects to port 22 on the server unless you specify a different port.
SSH replaced older insecure protocols like Telnet (port 23) and rlogin (port 513) that transmitted passwords and commands in plain text. SSH encrypts everything — authentication, commands, and data — from the first packet.
2. IANA Registration Details
| Field | Value |
|---|---|
| Service Name | ssh |
| Port Number | 22 |
| Transport Protocol | TCP (also registered for UDP, but rarely used) |
| Description | The Secure Shell (SSH) Protocol |
| Assignee | Tatu Ylonen (original SSH developer) |
| Registration Date | 1995 |
| Reference | RFC 4251, RFC 4252, RFC 4253, RFC 4254 |
Port 22 was assigned by IANA in 1995 when Tatu Ylonen developed the first SSH implementation at Helsinki University of Technology. It has remained the standard ever since.
3. How SSH Uses Port 22
SSH is a client-server protocol:
| Role | Port Behavior |
|---|---|
| SSH Server (sshd) | Listens on TCP port 22, waits for incoming connections |
| SSH Client (ssh, PuTTY) | Connects from a random ephemeral port (e.g., 49152–65535) to the server’s port 22 |
The server always listens. The client always initiates the connection.
4. SSH Connection Sequence
| Step | Direction | What Happens |
|---|---|---|
| 1 | Client → Server | TCP SYN to port 22 |
| 2 | Server → Client | TCP SYN-ACK |
| 3 | Client → Server | TCP ACK — TCP connection established |
| 4 | Server → Client | SSH version string (e.g., SSH-2.0-OpenSSH_9.6) |
| 5 | Client → Server | SSH version string |
| 6 | Both | Key exchange — agree on encryption algorithms, exchange keys (Diffie-Hellman) |
| 7 | Both | Server authentication — client verifies server’s host key |
| 8 | Client → Server | User authentication — password, public key, or certificate |
| 9 | Both | Encrypted session established — all subsequent data is encrypted |
After step 9, all traffic on port 22 is encrypted. An attacker capturing packets sees only encrypted bytes. The version strings exchanged in steps 4 and 5 and the algorithm lists offered in step 6 are sent in the clear, however, which is why a scanner can identify the SSH software version without ever logging in.
5. What Runs on Port 22: SSH Services
SSH port 22 carries multiple services over the same encrypted channel:
| Service | What It Does | Command Example |
|---|---|---|
| Remote shell | Interactive command-line access | ssh user@server |
| Remote command | Execute a single command | ssh user@server "uptime" |
| SFTP | Secure file transfer (FTP replacement) | sftp user@server |
| SCP | Secure file copy | scp file.txt user@server:/tmp/ |
| Local port forward | Tunnel a local port to a remote service | ssh -L 8080:localhost:80 user@server |
| Remote port forward | Expose a local service through the server | ssh -R 9090:localhost:22 user@server |
| Dynamic SOCKS proxy | Use the server as a proxy | ssh -D 1080 user@server |
| X11 forwarding | Forward graphical applications | ssh -X user@server |
All of these use the same port 22. No additional ports need to be opened.
6. How to Check if SSH Is Listening on Port 22
Linux
```bash
# Check if sshd is listening
ss -tlnp | grep :22
# Expected output:
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
# Note: grep :22 also matches ports such as 2222; to see the port sshd is actually bound to:
ss -tlnp | grep sshd
# Alternative (older systems without ss):
netstat -tlnp | grep :22
```
Windows (OpenSSH Server)
```powershell
netstat -an | findstr :22
```
Check from a Remote Machine
```bash
# Test if port 22 is open
nc -zv 192.168.1.100 22
# Or using telnet
telnet 192.168.1.100 22
```
```powershell
# Or using PowerShell
Test-NetConnection -ComputerName 192.168.1.100 -Port 22
```
7. How to Change the SSH Port Number
Changing the SSH port reduces automated scanning attacks. It does not replace proper security but significantly reduces log noise.
Step 1. Edit sshd_config
```bash
sudo nano /etc/ssh/sshd_config
```
Find the line:
```
#Port 22
```
Change it to (example: port 2222):
```
Port 2222
```
Step 2. Allow the New Port in the Firewall
```bash
# UFW (Ubuntu)
sudo ufw allow 2222/tcp
# firewalld (RHEL/CentOS)
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
# iptables
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
```
Step 3. If Using SELinux (RHEL/CentOS)
```bash
sudo semanage port -a -t ssh_port_t -p tcp 2222
```
Step 4. Restart SSH
```bash
# Check the configuration for syntax errors before restarting
sudo sshd -t
sudo systemctl restart sshd    # the unit is named ssh on Debian/Ubuntu
```
On Ubuntu 22.10 and later, sshd is socket-activated (ssh.socket). If sshd does not come up on the new port after the restart, run `sudo systemctl daemon-reload` and `sudo systemctl restart ssh.socket`, and check `systemctl status ssh.socket` to see which port the socket unit is listening on.
Step 5. Connect Using the New Port
```bash
ssh -p 2222 user@server
```
⚠️ Important: Do not close your current SSH session until you have verified the new port works. Open a second terminal and test the new port first. If the new port does not work, you can still fix it from the original session.
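A check for that last step, added here as an example and not code from the original guide: before closing the old session, confirm that the running sshd is actually bound to the port you configured. The script compares the ports reported by `sshd -T` (a real OpenSSH option that prints the effective configuration as lowercase "keyword value" lines) with the ports sshd has bound according to `ss -tlnp`. Both outputs below are constructed samples in those tools' formats; the function names are this example's own.

```bash
#!/bin/sh
# Added example, not code from the original guide. Confirms that sshd is
# really bound to the port you just configured before you close the old
# session. It compares the ports in `sshd -T` output (effective configuration,
# lowercase "keyword value" lines) with the ports sshd has actually bound
# according to `ss -tlnp`. Both commands are real; the two outputs below are
# constructed samples in their formats.

# Constructed `sudo sshd -T` output after setting Port 2222 in sshd_config.
SAMPLE_SSHD_T='port 2222
addressfamily any
listenaddress [::]:2222
listenaddress 0.0.0.0:2222
permitrootlogin no
passwordauthentication no'

# Constructed `ss -tlnp` output from a host where sshd_config was edited but
# sshd was NOT restarted: the running daemon is still bound to 22.
SAMPLE_SS_STALE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=1234,fd=4))
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=900,fd=7))'

# The same host after `systemctl restart sshd`.
SAMPLE_SS_FRESH='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*     users:(("sshd",pid=2345,fd=3))
LISTEN 0      128             [::]:2222          [::]:*     users:(("sshd",pid=2345,fd=4))'

# configured_ports: ports sshd is configured for, one per line (sshd -T text on stdin)
configured_ports() {
    awk '$1 == "port" { print $2 }' | sort -un
}

# listening_ports: ports sshd has actually bound, one per line (ss -tlnp text on stdin).
# The port is whatever follows the last ':' of the Local Address:Port column,
# which handles both 0.0.0.0:22 and [::]:22.
listening_ports() {
    awk '$1 == "LISTEN" && $0 ~ /"sshd"/ {
             n = split($4, parts, ":"); print parts[n]
         }' | sort -un
}

# verify_port_change SSHD_T_TEXT SS_TEXT
# Returns 0 when every configured port is bound by sshd, 1 otherwise, and
# names the missing ports so the operator knows the restart did not take.
verify_port_change() {
    local want have missing
    want=$(printf '%s\n' "$1" | configured_ports)
    have=$(printf '%s\n' "$2" | listening_ports)
    missing=$(printf '%s\n' "$want" | while read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
    done)
    if [ -n "$missing" ]; then
        printf 'NOT LISTENING on configured port(s): %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    printf 'sshd is listening on all configured ports: %s\n' "$(printf '%s' "$want" | tr '\n' ' ')"
    return 0
}

# On a live host the call is:  verify_port_change "$(sudo sshd -T)" "$(ss -tlnp)"
verify_port_change "$SAMPLE_SSHD_T" "$SAMPLE_SS_STALE" || true   # reports 2222 missing
verify_port_change "$SAMPLE_SSHD_T" "$SAMPLE_SS_FRESH"           # passes
```

Run it from the old session; a non-zero exit means the new port is not bound yet (typically sshd was not restarted, a syntax error stopped it, or SELinux refused the bind), and you still have the original connection to fix it.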
8. Firewall Rules for SSH Port 22
Linux iptables
```bash
# Allow SSH from a specific IP
iptables -A INPUT -p tcp -s 192.168.1.10 --dport 22 -j ACCEPT
# Block SSH from all other IPs (rule order matters: the ACCEPT rule must come first)
iptables -A INPUT -p tcp --dport 22 -j DROP
```
Ubuntu UFW
```bash
# Allow SSH from anywhere
sudo ufw allow 22/tcp
# Or, instead of the rule above, allow SSH only from a specific subnet
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
```
Windows Firewall (PowerShell)
```powershell
# Allow inbound SSH
New-NetFirewallRule -DisplayName "SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
# Allow SSH only from a specific IP
New-NetFirewallRule -DisplayName "SSH Restricted" -Direction Inbound -Protocol TCP -LocalPort 22 -RemoteAddress 192.168.1.10 -Action Allow
```
Cisco IOS ACL
```
access-list 101 permit tcp host 192.168.1.10 any eq 22
access-list 101 deny tcp any any eq 22
! an IOS ACL ends with an implicit deny, so add permits for the other traffic you need,
! then apply it to the interface: ip access-group 101 in
```
9. How to Test SSH Port Connectivity
| Command | OS | What It Does |
|---|---|---|
| ssh -v user@server | Linux/macOS | Verbose mode — shows connection details and errors |
| ssh -p 2222 user@server | Linux/macOS | Connect on a non-default port |
| nc -zv server 22 | Linux | Test if port 22 is open (no login) |
| telnet server 22 | Any | Shows SSH version banner if port is open |
| Test-NetConnection server -Port 22 | Windows PowerShell | Test TCP connectivity |
| nmap -p 22 server | Linux | Scan port 22 and identify the SSH service |
| ssh -o ConnectTimeout=5 user@server | Linux/macOS | Set a 5-second connection timeout |
What the Results Mean
| Result | Meaning | Fix |
|---|---|---|
| SSH-2.0-OpenSSH_9.6 banner appears | Port 22 is open and SSH is running | OK |
| Connection refused | Port is not open — SSH service not running | Start sshd: sudo systemctl start sshd |
| Connection timed out | Firewall is blocking port 22 | Check firewall rules |
| Host unreachable | Network path is broken | Check IP address, routing, and cables |
| No route to host | Server is down or on a different subnet | Verify network configuration |
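The banner in the first row of that table is worth more than a yes/no answer: its protocol version tells you whether a host still accepts SSH protocol 1. The following script, added as an example and not code from the original guide, parses a captured identification string the way RFC 4253 section 4.2 defines it (`SSH-protoversion-softwareversion SP comments CR LF`, possibly preceded by other lines) and classifies the result. The banners below are constructed; the function names are this example's own.

```bash
#!/bin/sh
# Added example, not code from the original guide. Interprets the
# identification string a server sends first on port 22 (step 4 of the
# connection sequence, and what `telnet server 22` shows). RFC 4253 section
# 4.2 defines it as  SSH-protoversion-softwareversion SP comments CR LF  and
# allows the server to send other lines before it, so the parser skips those.
# The banners below are constructed; a live one can be captured with
#     nc -w 3 server 22 < /dev/null | head -n 5
# (-w sets nc's timeout; head limits how much of the reply is read).

BANNER_MODERN='SSH-2.0-OpenSSH_9.6 Ubuntu-3ubuntu13'
BANNER_WITH_PREAMBLE='Welcome to the gateway
Unauthorized access prohibited
SSH-1.99-Cisco-1.25'
BANNER_LEGACY='SSH-1.5-OpenSSH_2.9'
BANNER_HTTP='HTTP/1.1 400 Bad Request'

# parse_ssh_banner: captured text on stdin -> "proto software" for the first
# valid identification line, or "none" when nothing SSH-like was sent.
parse_ssh_banner() {
    tr -d '\r' | awk '
        /^SSH-[0-9]+\.[0-9]+-/ {
            line = $0
            sub(/ .*$/, "", line)          # drop the optional comments field
            split(line, f, "-")            # f[1]="SSH", f[2]=protoversion
            proto = f[2]
            # softwareversion may itself contain "-", so cut by length, not by split
            software = substr(line, length("SSH-" proto "-") + 1)
            print proto, software
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# banner_verdict PROTO: what the protocol version means for the defender.
banner_verdict() {
    case "$1" in
        2.0)  echo "ok: SSH-2 only" ;;
        1.99) echo "review: server also accepts SSH-1 clients; protocol 1 is deprecated and insecure" ;;
        1.*)  echo "critical: SSH-1 only; protocol 1 is deprecated and insecure" ;;
        none) echo "not an SSH banner: something other than sshd answered on this port" ;;
        *)    echo "unknown protocol version $1" ;;
    esac
}

# check_banner: captured text on stdin -> "proto | software | verdict"
check_banner() {
    local parsed proto software
    parsed=$(parse_ssh_banner)
    proto=${parsed%% *}
    software=${parsed#* }
    [ "$proto" = "none" ] && software="-"
    printf '%s | %s | %s\n' "$proto" "$software" "$(banner_verdict "$proto")"
}

printf '%s\n' "$BANNER_MODERN"        | check_banner
printf 'SSH-2.0-OpenSSH_9.6p1 Debian-5\r\n' | check_banner   # CR LF as sent on the wire
printf '%s\n' "$BANNER_WITH_PREAMBLE" | check_banner
printf '%s\n' "$BANNER_LEGACY"        | check_banner
printf '%s\n' "$BANNER_HTTP"          | check_banner
```

The software field is also the quickest inventory of OpenSSH versions across a fleet when deciding what the "keep SSH software updated" item in the best-practice list still needs.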
10. SSH Port Forwarding and Tunneling
SSH can forward other protocols through port 22, creating encrypted tunnels.
Local Port Forwarding
Access a remote service (e.g., a database on port 3306) through an encrypted SSH tunnel:
```bash
ssh -L 3306:localhost:3306 user@server
```
Now connect to localhost:3306 on your machine — the traffic is tunneled through SSH to the server’s port 3306.
Remote Port Forwarding
Expose a local service through the remote server:
```bash
ssh -R 8080:localhost:80 user@server
```
Now connections to server:8080 are tunneled to your local machine’s port 80. By default sshd binds the forwarded port to the server’s loopback interface, so only processes on the server itself can reach it; GatewayPorts yes in sshd_config is required before other hosts can connect to it.
SCADA Use Case
SSH tunneling is commonly used to secure Modbus TCP (port 502), IEC 104 (port 2404), and OPC UA (port 4840) traffic over untrusted networks — without modifying the SCADA application.
```bash
# Tunnel Modbus TCP through SSH
ssh -L 502:192.168.1.100:502 user@gateway
```
Your SCADA master connects to localhost:502. SSH forwards the traffic to the remote RTU at 192.168.1.100:502 through an encrypted tunnel. Two caveats: on Linux, binding local port 502 requires root because it is below 1024, so an unprivileged master can use a high local port (for example 5502) instead; and only the leg between the SCADA master and the gateway is encrypted, while the hop from the gateway to the RTU is still plain Modbus, so the gateway must sit on the same protected segment as the RTU.
11. SFTP and SCP Port Numbers
Both SFTP and SCP use the same port as SSH — port 22. They do not use separate ports.
| Protocol | Port | Based On |
|---|---|---|
| SSH | 22 | SSH |
| SFTP | 22 (same as SSH) | SSH subsystem |
| SCP | 22 (same as SSH) | SSH |
| FTP | 21 (control), 20 (data) | TCP (unencrypted) |
| FTPS | 990 (control), 989 (data) | FTP over TLS |
SFTP is not FTP over SSH. It is a completely different protocol that runs as an SSH subsystem on port 22. No additional ports need to be opened for SFTP.
12. Common SSH Port Problems and Fixes
| Problem | Symptom | Fix |
|---|---|---|
| SSH service not running | Connection refused | sudo systemctl start sshd |
| Firewall blocking port 22 | Connection timeout | Add firewall rule: ufw allow 22/tcp |
| Wrong port configured | Connection refused on port 22 | Check /etc/ssh/sshd_config for the Port setting |
| SSH listening on wrong interface | Can connect locally but not remotely | Check ListenAddress in sshd_config |
| SELinux blocking non-standard port | Permission denied after port change | semanage port -a -t ssh_port_t -p tcp <port> |
| Host key changed | “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED” | Usually the server was reinstalled, but confirm that out of band first, because the same warning appears during a man-in-the-middle attack. Then remove the old key: ssh-keygen -R server |
| Too many failed attempts | Connection blocked | Check fail2ban or SSH rate limiting. Wait or whitelist your IP. |
| Password authentication disabled | Permission denied (password) | Use SSH key authentication or enable PasswordAuthentication yes in sshd_config |
| Port 22 exposed to internet | Brute force attacks in logs | Restrict access by IP. Use key-only auth. Consider changing port. |
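The last row's "brute force attacks in logs" is visible directly in sshd's own log lines, and the same lines show the one outcome that needs investigation rather than just a ban: a source that eventually logs in after many failures. The script below, added as an example and not code from the original guide, counts failures per source the way a fail2ban jail does and flags those successes. The log lines are constructed in the traditional syslog format sshd writes to /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL), with documentation-range IPs; the field positions assume that format, and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not code from the original guide. Detects the brute-force
# pattern in sshd log lines (what fail2ban reacts to) and flags sources that
# finally succeeded after repeated failures. The lines below are constructed
# in the traditional syslog format; field positions ($6, $7, $9) assume it.
# IPs are from the RFC 5737 documentation ranges.

SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[2001]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:04 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar  3 10:01:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 50126 ssh2
Mar  3 10:01:07 host sshd[2004]: Failed password for root from 203.0.113.5 port 50130 ssh2
Mar  3 10:01:09 host sshd[2005]: Failed password for root from 203.0.113.5 port 50132 ssh2
Mar  3 10:01:11 host sshd[2006]: Accepted password for ops from 203.0.113.5 port 50134 ssh2
Mar  3 10:02:00 host sshd[2010]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar  3 10:02:05 host sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 41002 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:03:00 host sshd[2020]: Invalid user test from 192.0.2.9 port 33000
Mar  3 10:03:01 host sshd[2020]: Connection closed by invalid user test 192.0.2.9 port 33000 [preauth]'

# failed_by_ip: "<count> <ip>" per source, most failures first (log text on stdin)
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# offenders THRESHOLD: sources with at least THRESHOLD failures, one per line;
# these are the IPs a fail2ban jail would ban.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures THRESHOLD: sources that logged in successfully after
# at least THRESHOLD failures. A password guess that eventually worked is the
# case to investigate first (and the account's password to reset), not just block.
success_after_failures() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if ($6 == "Failed") fails[ip]++
            else if (fails[ip] >= t) {
                # $7 is the method, $9 the user: "Accepted password for ops from ..."
                print ip, "user=" $9, "method=" $7, "after", fails[ip], "failures"
            }
        }'
}

# Usage with the constructed sample; on a live host:  sudo cat /var/log/auth.log | offenders 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures 3
```

Note that alice's single typo followed by a key-based login is not reported at a threshold of 3, while the 203.0.113.5 source is both an offender and a successful password login after five failures, which is the line to act on.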
13. Security Best Practices for SSH Port 22
Do
- Use SSH key authentication instead of passwords — a private key cannot be guessed over the network the way a password can
- Disable root login — set `PermitRootLogin no` in sshd_config
- Restrict access by IP — firewall rules should allow only trusted networks
- Use fail2ban or similar tools to block repeated failed login attempts
- Keep SSH software updated — OpenSSH patches are critical
- Use SSH certificates for large environments (instead of managing individual keys)
- Log all SSH sessions — enable logging in sshd_config and monitor with SIEM
Do Not
- Expose port 22 to the internet without IP restrictions
- Use password authentication on internet-facing servers
- Allow root login directly via SSH
- Use SSH protocol version 1 (deprecated and insecure)
- Ignore host key warnings — they can indicate a man-in-the-middle attack
For SCADA/OT Environments
- Place SSH jump servers in a DMZ between IT and OT networks
- Use multi-factor authentication (MFA) for SSH access to industrial systems
- Restrict SSH access to read-only commands where possible (use `ForceCommand` in sshd_config)
- Disable SSH on field devices that do not need remote access
- Monitor SSH sessions with OT-specific security tools (Claroty, Nozomi, Dragos)
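A way to check a server against the Do and Do Not lists above, added here as an example and not code from the original guide: audit the effective configuration rather than the text of sshd_config. `sshd -T` is a real OpenSSH option that prints every setting sshd will actually enforce, in lowercase "keyword value" form, after defaults and Match blocks are applied. The two outputs below are constructed samples in that format; the checks cover the items on the page (root login, key versus password authentication, logging, limiting repeated login attempts), and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not code from the original guide. Audits the effective sshd
# configuration (output of `sudo sshd -T`, a real OpenSSH option) against the
# Do / Do Not lists. The two samples below are constructed.

# Constructed `sudo sshd -T` output from a server still on its defaults.
SAMPLE_SSHD_T_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6
loglevel INFO
permitemptypasswords no'

# The same server after applying the "Do" list.
SAMPLE_SSHD_T_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
loglevel VERBOSE
permitemptypasswords no'

# setting KEYWORD: value of one keyword from sshd -T text on stdin (empty if absent)
setting() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_sshd: reads sshd -T text on stdin, prints one FINDING line per
# weakness, and returns the number of findings (0 means every check passed).
audit_sshd() {
    local cfg findings v
    cfg=$(cat)
    findings=0

    v=$(printf '%s\n' "$cfg" | setting permitrootlogin)
    if [ "$v" != "no" ]; then
        echo "FINDING permitrootlogin=$v  (Do: disable root login, PermitRootLogin no)"
        findings=$((findings + 1))
    fi

    v=$(printf '%s\n' "$cfg" | setting passwordauthentication)
    if [ "$v" = "yes" ]; then
        echo "FINDING passwordauthentication=yes  (Do: key authentication instead of passwords)"
        findings=$((findings + 1))
    fi

    v=$(printf '%s\n' "$cfg" | setting pubkeyauthentication)
    if [ "$v" != "yes" ]; then
        echo "FINDING pubkeyauthentication=$v  (key authentication must stay enabled)"
        findings=$((findings + 1))
    fi

    v=$(printf '%s\n' "$cfg" | setting permitemptypasswords)
    if [ "$v" = "yes" ]; then
        echo "FINDING permitemptypasswords=yes  (empty passwords must never be accepted)"
        findings=$((findings + 1))
    fi

    v=$(printf '%s\n' "$cfg" | setting maxauthtries)
    if [ -n "$v" ] && [ "$v" -gt 4 ]; then
        echo "FINDING maxauthtries=$v  (limit guesses per connection; pair with fail2ban)"
        findings=$((findings + 1))
    fi

    v=$(printf '%s\n' "$cfg" | setting loglevel)
    if [ "$v" != "VERBOSE" ] && [ "$v" != "DEBUG" ]; then
        echo "FINDING loglevel=$v  (Do: log sessions; VERBOSE records which key was used)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# On a live host:  sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_SSHD_T_WEAK" | audit_sshd || echo "findings: $?"
printf '%s\n' "$SAMPLE_SSHD_T_HARDENED" | audit_sshd && echo "hardened config: no findings"
```

Because `sshd -T` resolves Match blocks, run it with `-C` options (user, host, address) when you need to see what a specific client would get; the audit logic does not change.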
Summary
SSH uses TCP port 22 by default. This one port handles remote login, command execution, SFTP file transfer, SCP, and port forwarding — all encrypted.
The key things to remember:
- Port 22 is IANA registered to SSH since 1995
- The server listens on port 22. The client connects to port 22.
- SFTP and SCP also use port 22 — no additional ports needed
- To change the port: edit `/etc/ssh/sshd_config`, update firewall rules, restart sshd
- To test connectivity: use `ssh -v`, `nc -zv`, or `Test-NetConnection`
- Never expose port 22 to the internet without IP restrictions and key-only authentication
- SSH tunneling can secure SCADA protocols (Modbus, IEC 104, OPC UA) over untrusted networks
