How SSH port became 22
The default SSH port is 22. It is not a coincidence. This is a story of how it got that port.
When I (Tatu Ylonen first published this story in April 2017, it went viral and got about 120,000 readers in three days.
The story of getting SSH port 22
Anyway, I designed SSH to replace both
telnet (port 23) and
ftp (port 21). Port 22 was free. It was conveniently between the ports for
ftp. I figured having that port number might be one of those small things that would give some aura of credibility. But how could I get that port number? I had never allocated one, but I knew somebody who had allocated a port.
The basic process for port allocation was fairly simple at that time. Internet was smaller and we were in the very early stages of the Internet boom. Port numbers were allocated by IANA (Internet Assigned Numbers Authority). At the time, that meant an esteemed Internet pioneer called Jon Postel and Joyce K. Reynolds. Among other things, Jon had been the editor of such minor protocol standards as IP (RFC 791), ICMP (RFC 792), and TCP (RFC 793). Some of you may have heard of them.
To me Jon felt outright scary, having authored all the main Internet RFCs!
Anyway, just before announcing
ssh-1.0 in July 1995, I sent this e-mail to IANA:
From ylo Mon Jul 10 11:45:48 +0300 1995 From: Tatu Ylonen <firstname.lastname@example.org> To: Internet Assigned Numbers Authority <email@example.com> Subject: request for port number Organization: Helsinki University of Technology, Finland Dear Sir, I have written a program to securely log from one machine into another over an insecure network. It provides major improvements in security and functionality over existing telnet and rlogin protocols and implementations. In particular, it prevents IP, DNS and routing spoofing. My plan is to distribute the software freely on the Internet and to get it into as wide use as possible. I would like to get a registered privileged port number for the software. The number should preferably be in the range 1-255 so that it can be used in the WKS field in name servers. I'll enclose the draft RFC for the protocol below. The software has been in local use for several months, and is ready for publication except for the port number. If the port number assignment can be arranged in time, I'd like to publish the software already this week. I am currently using port number 22 in the beta test. It would be great if this number could be used (it is currently shown as Unassigned in the lists). The service name for the software is "ssh" (for Secure Shell). Yours sincerely, Tatu Ylonen <firstname.lastname@example.org> ... followed by protocol specification for ssh-1.0
The next day, I had an e-mail from Joyce waiting in my mailbox:
Date: Mon, 10 Jul 1995 15:35:33 -0700 From: jkrey@ISI.EDU To: email@example.com Subject: Re: request for port number Cc: iana@ISI.EDU Tatu, We have assigned port number 22 to ssh, with you as the point of contact. Joyce
There we were! SSH port was 22!!!
On July 12, 1995, at 2:32am, I announced a final beta version to my beta testers at Helsinki University of Technology. At 5:23pm I announced ssh-1.0.0 packages to my beta testers. At 5:51pm on July 12, 1995, I sent an announcement about SSH (Secure Shell) to the
firstname.lastname@example.org mailing list. I also posted it to a few newsgroups, mailing lists, and directly to selected people who had discussed related topics on the Internet.
Changing the SSH port in the server
By default, the SSH server still runs in port 22. However, there are occasions when it is run in a different port. Testing use is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must be run in a non-privileged port (i.e., port number >= 1024).
The port number can be configured by changing the
Port 22 directive in /etc/ssh/sshd_config. It can also be specified using the
-p <port> option to sshd. The SSH client and sftp programs also support the
-p <port> option.
Specifying SSH port number on the command line
-p <port> option can be used to specify the port number to connect to when using the
ssh command on Linux. The
-P <port> (note: capital P) option can be used with SFTP and
scp. The SSH port number command line setting overrides any value configured in configuration files.
Configuring SSH access through firewalls
SSH is one of the few protocols that are frequently permitted through firewalls. Unrestricted outbound SSH is very common, especially in smaller and more technical organizations. Inbound SSH is usually restricted to one or very few servers.
Configuring outbound SSH in a firewall is very easy. If there are restrictions on outgoing traffic at all, just create a rule that allows TCP port 22 to go out. That is all. If you want to restrict the destination addresses, you can also limit the rule to only permit access to your organization's external servers in the cloud, or to a jump server that guards cloud access.
Back-tunneling is a risk
Unrestricted outbound SSH can, however, be risky. The SSH protocol supports tunneling. The basic idea is that it is possible to have the SSH server on an external server listen to connections from anywhere, forward those back into the organization, and then make a connection to some Internal server.
This can be very convenient in some environments. Developers and system administrators frequently use it to open a tunnel that they can use to gain remote access from their home or from their laptop when they are travelling.
However, it generally violates policy and takes control away from firewall administrators and the security team. It can, for example, violate PCI, HIPAA, or NIST SP 800-53. It can be used by hackers and foreign intelligence agencies to leave backdoors into organizations.
CryptoAuditor is a product that can control tunneling at a firewall or at the entry point to a group of cloud servers. It works together with Universal SSH Key Manager to gain access to host keys and is able to use them to decrypt the SSH sessions at a firewall and block unauthorized forwarding.
Inbound SSH access
For inbound access, there are a few practical alternatives:
- Configure firewall to forward all connections to port 22 to a particular IP address on the internal network or DMZ. Run CryptoAuditor or a jump server at that IP address to control and audit further access into the organization.
- Use different ports on the firewall to access different servers.
- Only allow SSH access after you have logged in using a VPN (Virtual Private Network), typically using the IPsec protocol.
Enabling SSH access via iptables
Iptables is a host firewall built into the Linux kernel. It is typically configured to protect the server by preventing access to any ports that have not been expressly opened.
iptables is enabled on the server, the following commands can be used to permit incoming SSH access. They must be run as root.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
If you want to save the rules permanently, on some systems that can be done with the command:
service iptables save