What is port 22? Is SSH using 22 or different port? How can I check that port 22 is open? We can increase the questions but in this tutorial, we will dive into details of the TCP Port Number 22 which is the default defacto SSH (Secure Shell) Port.
SSH (Secure Shell)
Secure Shell or with its well-known name SSH is a secure remote access protocol that is created in 1995. Before its invention, Telnet and Ftp were popular protocols for remote access and file transfer. Telnet port was using TCP 23 and FTP was using TCP port 21. Port 22 was free where it was very suitable for the SSH protocol for simplicity and the meaning.
SSH Port Number 22 Story
The SSH protocol is created by the Tatu Ylonen in 1995 and in order to get port number 22 from the Internet Assignment Numbers Authority (IANA), he writes an email about the port request between 1-255. But also added that he is using port number 22 for beta tests and would be great if TCP 22 can be used by the SSH service.
With a fast response, Joyce from IANA returned in next day with a simple confirmation answer like below.
Specify SSH Port Number with SSH Command
ssh command is used to connect remote SSH servers for remote access. By default, it assumes remote SSH service runs on port number 22 but in some situations, it is not. We can explicitly specify the port number we want to connect with the
-p option like below.
$ ssh -p 22 192.168.142.150
Check If Local TCP Port 22 Is Open with Netstat
We can check whether the TCP port 22 is open and listening for the connections. In this example, we will use the
netstat command by providing some options. This will list all listening ports for the local system with their port numbers.
$ netstat -tln
We can also list listening ports according to their service name. Port 22 is SSH service and it will be named as
$ netstat -tl
Check If Local or Remote TCP Port 22 Is Open with Telnet
telnet is a tool used to access remote systems via telnet terminals. Telnet is used with port number 23. But we can also use telnet to check remote or local port status. If the port is open we will see that the port is open. We will provide the IP address of the remote system with the port number.
$ telnet 192.168.142.150 22
Check/Scan If Local or Remote TCP Port 22 Is Open with Nmap
nmap is a network scanning tool where it is used to scan networks, IP addresses, and ports. We will provide the port number in order to make the scan faster.
$ nmap -sV -sC -p 22 192.168.142.150
From the scan output, we can see that the following information about the SSH service and port 22 is provided.
- `SSH Service Software` name is `OpenSSH`
- The version of the SSH service is `7.7p1`
- The operating system running the service is `Ubuntu`.
- SSH host keys like RSA, ECDSA and EdDSA are provided too.
TCP Port 22 or UDP Port 22
Port 22 generally referred to as the TCP port 22. But there is also a transmission protocol named UDP which has different behavior than TCP. SSH needs reliable connection which is provided only by TCP protocol so UDP port 22 is not a popular port.
Change SSH Port In the Server
By default, SSH runs on TCP port 22. But we have the flexibility where we can change the SSH port. The SSH service or service configuration is stored in the
sshd_config file which is located at the
/etc/ssh/sshd_config for the most of the Linux distributions. We will just disable the current port configurations by commenting on it with the
# and add a new line for the
Port configuration with the new port number we want to use. In this case, we will set the SSH port as
In order to make new port configuration effective we have to restart the SSH service which will reload the configuration. We will use
systemctl command like below.
$ systemctl restart ssh
Enable SSH Port 22 For Linux Firewall Iptables
iptables is the standard firewall management tool for most of the Linux distributions. We can accept or block connections to the local SSH port 22 with the iptables command.
We will run the following command in order to accept SSH port 22 connections to the local SSH server. We will provide the
$ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT $ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT