TCP Remote Access

Port 22 (SSH)


Quick Info

  • Port Number: 22
  • Protocol: TCP
  • Service: SSH
  • IANA Name: SSH

Service Description

Port 22, utilizing the TCP protocol, is the standard port for the Secure Shell (SSH) protocol. SSH provides a secure, encrypted channel for remote administration, file transfer, and tunneling other applications. It replaced older, insecure protocols like Telnet, rlogin, and rsh, which transmitted data in plaintext, making them vulnerable to eavesdropping and credential theft.

SSH operates on a client-server model. The SSH client initiates a connection to the SSH server running on port 22. The connection is then secured using cryptographic algorithms for authentication, encryption, and integrity protection. Common algorithms used include symmetric encryption (e.g., AES, ChaCha20), asymmetric encryption (e.g., RSA, DSA, ECDSA, Ed25519) for key exchange and authentication, and hash functions (e.g., SHA-256) for integrity verification.

The protocol supports multiple authentication methods, including password-based authentication, public key authentication, and Kerberos-based authentication. Public key authentication, where the client presents a digital signature created using a private key to prove its identity to the server, is generally considered more secure than password authentication.

## Firewall Recommendations

  • Access to port 22 should be strictly controlled and limited to only authorized hosts.
  • Where possible, use public key authentication and disable password authentication.
  • Consider implementing rate limiting to mitigate brute-force attacks.
  • If SSH access is not required from the public internet, restrict access to a specific set of internal IP addresses or use a VPN.
  • Regularly update SSH server software to patch known vulnerabilities.
  • Monitoring SSH logs for suspicious activity, such as failed login attempts or unusual connection patterns, is essential for detecting and responding to potential security breaches.
  • Port knocking or port obfuscation techniques can add an extra layer of security, but should not be relied upon as the sole security measure.
  • When possible, consider changing the default port number from 22 to a higher, less common port to reduce the number of automated scanning attempts.
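
The log monitoring recommended above can be automated. The following is an added example, not part of the original page: it flags source addresses with repeated failed password logins inside a sliding time window. The ISO 8601 timestamp prefix, the threshold, the window length and the sample log lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line; the ISO 8601 timestamp prefix is an assumption
# about the local syslog format (adjust the regex for other timestamp styles).
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: sorted usernames tried} for every source with at least
    `threshold` failed logins inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username that failed from that ip
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
2024-03-10T14:02:01+00:00 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-03-10T14:02:04+00:00 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-10T14:02:09+00:00 gw sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
2024-03-10T14:02:11+00:00 gw sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
2024-03-10T14:02:15+00:00 gw sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
2024-03-10T14:02:20+00:00 gw sshd[2111]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-10T14:05:00+00:00 gw sshd[2120]: Failed password for alice from 198.51.100.20 port 40100 ssh2
2024-03-10T14:20:00+00:00 gw sshd[2130]: Failed password for alice from 198.51.100.20 port 40101 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, tried in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: repeated failures, usernames tried: {', '.join(tried)}")
```

A source that tries many different usernames in a short burst, as the first address in the sample does, is the typical signature of automated password guessing, while the two isolated failures from the second address stay below the threshold.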

Security Information

Port 22, due to its role in remote administration, is a frequent target for attackers. Brute-force attacks attempting to guess passwords are common. Vulnerabilities in SSH server software can be exploited to gain unauthorized access to the system. Weak or default SSH configurations, such as allowing password authentication when public key authentication is preferred, can significantly increase the risk of compromise. Additionally, vulnerabilities in cryptographic libraries used by SSH implementations can expose systems to man-in-the-middle attacks or other forms of exploitation. Attackers may also target SSH to gain initial access to a network, then use lateral movement techniques to compromise other systems.

Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2016-0777 | OpenSSH Roaming Vulnerability | Medium | OpenSSH before 6.9 does not properly disable roaming, which allows man-in-the-middle attackers to bypass intended access restrictions by intercepting the connection. |
| CVE-2018-15473 | OpenSSH User Enumeration Vulnerability | Low | An exploitable information disclosure vulnerability exists in the OpenSSH 7.7p1 scp functionality. When a client attempts to connect to the server, the server reveals whether the username exists on the system or not. |
| CVE-2023-51385 | libssh Authentication Bypass Vulnerability | Critical | libssh through 0.10.6 and 1.0.x through 1.0.4 allows authentication bypass because the server sends SSH_MSG_USERAUTH_SUCCESS before user authentication. |

Malware Associations

  • Mirai
  • Tsunami
  • XorDDoS
  • Mozi

Common Software

  • OpenSSH
  • PuTTY
  • Bitvise SSH Client
  • KiTTY
  • MobaXterm
  • SecureCRT
  • FileZilla (SFTP)
  • WinSCP
  • Cygwin
