Port reference
Port 22 (TCP) – SSH
Secure Shell — encrypted remote login, command execution, and tunneling.
Quick facts
- Transport: tcp
- Category: Well-known
- TLS: Encrypted
- Risk level: Critical
Actively exploited and high-impact — keep it off the public internet.
Default state
Open on most Linux/Unix servers and network devices by default. Frequently exposed to the internet for remote administration.
Common attacks
- Credential brute force and password spraying
- Default and weak credentials on appliances/IoT
- Stolen or unmanaged private keys
- User enumeration and version-specific CVEs (e.g. CVE-2024-6387 'regreSSHion')
Hardening
- Disable password auth — use key-based or certificate auth
- Disable root login (PermitRootLogin no)
- Rate-limit and lock out with fail2ban or equivalent
- Restrict by IP allowlist / bastion host; consider a non-default port to cut noise
- Keep OpenSSH patched and enforce MFA
nmap snippet
nmap -p22 --script ssh2-enum-algos,ssh-auth-methods <target>
Replace <target> with the host or range you're authorized to scan.
How to check if this port is open
ss -tulpn | grep :22
nmap -p 22 <target>
netstat -ano | findstr :22
Test-NetConnection <host> -Port 22
lsof -i :22
How to block this port
sudo ufw deny 22/tcp
sudo firewall-cmd --permanent --remove-port=22/tcp
sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
New-NetFirewallRule -DisplayName "Block 22" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Block
What runs on port 22?
Port 22 is the registered port for SSH (Secure Shell), the encrypted protocol used for remote login, remote command execution, secure file transfer (SCP/SFTP), and port forwarding. It replaced cleartext protocols like Telnet (port 23) and rlogin, and is the default management channel for virtually every Linux/Unix server, router, and network appliance.
Why it matters for security
Because SSH delivers an interactive shell, an attacker who gets in usually gets full control of the host. Open 22 is therefore one of the most scanned ports on the internet, hammered around the clock by botnets trying leaked and default credentials. The encryption protects data in transit, but it does nothing to stop weak passwords, mismanaged keys, or a vulnerable SSH daemon.
How it's attacked
The dominant attack is brute force / password spraying against discovered hosts, especially appliances shipped with default logins. Private keys that are unencrypted, shared, or left on compromised machines let attackers walk in without a password. Periodically, daemon bugs such as the 2024 "regreSSHion" pre-auth RCE (CVE-2024-6387) put even well-configured servers at risk until patched.
Hardening checklist
Turn off password authentication and use key or certificate auth; disable direct root login; and add rate limiting / lockout (fail2ban) to blunt brute force. Put SSH behind a bastion host or VPN and allowlist source IPs. Keep OpenSSH current and add MFA for privileged access. The nmap snippet above enumerates the host's supported algorithms and auth methods so you can spot weak configurations on systems you are authorized to test.
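A small audit of the checklist's sshd_config items, added here as an example (not the page's own tooling): it parses the global section of a config the way sshd does (first occurrence of a keyword wins, directives after the first Match block are conditional) and reports which hardening items are missing. The sample configs are constructed; the fallback defaults assume OpenSSH 7.0 or later.

```python
"""Audit sshd_config text against the hardening checklist."""
import re

# Defaults sshd applies when a directive is absent (assumes OpenSSH >= 7.0).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Checklist items: keyword -> (accepted values, requirement description)
CHECKS = {
    "passwordauthentication": ({"no"}, "disable password auth"),
    "permitrootlogin": ({"no"}, "disable root login"),
    "pubkeyauthentication": ({"yes"}, "keep key-based auth enabled"),
}

def parse_sshd_config(text):
    """Return the effective global directives, keys and values lowercased.
    sshd keeps the first value it sees for each keyword, and anything after
    the first Match block only applies conditionally, so parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective

def audit(text):
    """Return one finding per checklist item that the config does not meet."""
    cfg = parse_sshd_config(text)
    return [f"{requirement}: {key} is '{cfg.get(key, DEFAULTS[key])}'"
            for key, (ok, requirement) in CHECKS.items()
            if cfg.get(key, DEFAULTS[key]) not in ok]

# Constructed sample configs: a stock-style weak one and a hardened one.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
            "PubkeyAuthentication yes\nMatch Address 10.0.0.0/8\n"
            "    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

On a live host, feed it the output of `sshd -T` (the effective configuration) rather than the raw file to include values set via Include directives.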
Frequently asked questions
- Is it safe to expose port 22 to the internet?
- With key-only auth, no root login, rate limiting, and patched OpenSSH it can be acceptable, but a bastion or VPN is safer. Password auth on 22 is heavily brute-forced.
- Why is port 22 constantly scanned?
- SSH grants a remote shell, so it's a high-value target. Botnets continuously spray default and leaked credentials against every open 22.