How SSH Port Became 22, Hacker News

How SSH port became 22

The defaultSSHport is 22. It is not a coincidence. This is a story of how it got that port.

When I (Tatu Ylonenfirst published this story in April 2017, it went viral and got about 120, 00 0 readers in three days.

The story of getting SSH port 22

I wrote the initial version of SSH (Secure Shell) in Spring 1995 .It was a time whentelnetandFTPwere widely used.

Anyway, I designed SSH to replace bothtelnet(port 23) andftp(port 21). Port 22 was free. It was conveniently between the ports fortelnetandFTP. I figured having that port number might be one of those small things that would give some aura of credibility. But how could I get that port number? I had never allocated one, but I knew somebody who had allocated a port.

The basic process for port allocation was fairly simple at that time. Internet was smaller and we were in the very early stages of the Internet boom. Port numbers were allocated by IANA (Internet Assigned Numbers Authority). At the time, that meant an esteemed Internet pioneer calledJon PostelandJoyce K. Reynolds. Among other things, Jon had been the editor of such minor protocol standards as IP (RFC 791), ICMP (RFC 792), and TCP RFC 793). Some of you may have heard of them.

To me Jon felt outright scary, having authored all the main Internet RFCs!

Anyway, just before announcingssh-1.0in July 1995, I sent this e-mail to IANA:

From ylo Mon Jul 10 11: 45: 48   0300 1995 From: Tatu YlonenTo: Internet Assigned Numbers AuthoritySubject: request for port number Organization: Helsinki University of Technology, Finland  Dear Sir,  I have written a program to securely log from one machine into another over an insecure network. It provides major improvements in security and functionality over existing telnet and rlogin protocols and implementations. In particular, it prevents IP, DNS and routing spoofing. My plan is to distribute the software freely on the Internet and to get it into as wide use as possible.  I would like to get a registered privileged port number for the software. The number should preferably be in the range 1 - 255 so that it can be used in the WKS field in name servers.  I'll enclose the draft RFC for the protocol below. The software has been in local use for several months, and is ready for publication except for the port number. If the port number assignment can be arranged in time, I'd like to publish the software already this week. I am currently using port number 22 in the beta test. It would be great if this number could be used (it is currently shown as Unassigned in the lists).  The service name for the software is "ssh" (for Secure Shell).  Yours sincerely,  Tatu Ylonen... followed by protocol specification for ssh-1.0

The next day, I had an e -mail from Joyce waiting in my mailbox:

Date: Mon,  (Jul)  15: 35: 33 - 0700 From: [email protected] To: [email protected] Subject: Re: request for port number Cc: [email protected]  Tatu,  We have assigned port number 22 to ssh, with you as the point of contact.  Joyce

There we were! SSH port was 22 !!!

On July 12, 1995, at 2: 32 am, I announced a final beta version to my beta testers at Helsinki University of Technology. At 5: 23 pm I announced ssh-1.0.0 packages to my beta testers. At 5: 51 pm on July 12, 1995, I sent an announcement about SSH (Secure Shell) to the[email protected]mailing list. I also posted it to a few newsgroups, mailing lists, and directly to selected people who had discussed related topics on the Internet.

Changing the SSH port in the server

By default, the SSH server still runs in port 22. However, there are occasions when it is run in a different port. Testing use is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must be run in a non-privileged port (ie, port number>=1024).

The port number can be configured by changing the (Port) directive in/ etc / ssh / sshd_config. It can also be specified using the- poption tosshd. The SSH client andsftpprograms also support the- poption.

Specifying SSH port number on the command line

The- poption can be used to specify the port number to connect to when using thesshcommand on Linux. The- P(note: capital P) option can be used withSFTPandscp. The SSH port number command line setting overrides any value configured in configuration files.

Configuring SSH access through firewalls

SSH is one of the few protocols that are frequently permitted through firewalls. Unrestricted outbound SSH is very common, especially in smaller and more technical organizations. Inbound SSH is usually restricted to one or very few servers.

Outbound SSH

Configuring outbound SSH in a firewall is very easy. If there are restrictions on outgoing traffic at all, just create a rule that allows TCP port 22 to go out. That is all. If you want to restrict the destination addresses, you can also limit the rule to only permit access to your organization’s external servers in the cloud, or to ajump serverthat guards cloud access.

Back-tunneling is a risk

Unrestricted outbound SSH can, however, be risky. The SSH protocol supportstunneling. The basic idea is that it is possible to have the SSH server on an external server listen to connections from anywhere, forward those back into the organization, and then make a connection to some Internal server.

This can be very convenient in some environments. Developers and system administrators frequently use it to open a tunnel that they can use to gain remote access from their home or from their laptop when they are traveling.

However, it generally violates policy and takes control away from firewall administrators and the security team. It can, for example, violatePCI,HIPAA, orNIST SP 800 – 53. It can be used by hackers and foreign intelligence agencies to leave backdoors into organizations.

CryptoAuditoris a product that can control tunneling at a firewall or at the entry point to a group of cloud servers. It works together withUniversal SSH Key Managerto gain access tohost keysand is able to use them to decrypt the SSH sessions at a firewall and block unauthorized forwarding.

Inbound SSH access

For inbound access, there are a few practical alternatives:

• Configure firewall to forward all connections to port 22 to a particular IP address on the internal network or (DMZ). RunCryptoAuditoror a jump server at that IP address to control and audit further access into the organization.
• Use different ports on the firewall to access different servers.
• Only allow SSH access after you have logged in using a VPN (Virtual Private Network), typically using theIPsecprotocol.

Enabling SSH access via iptables

Iptablesis a host firewall built into the Linux kernel. It is typically configured to protect the server by preventing access to any ports that have not been expressly opened.

Ifiptablesis enabled on the server, the following commands can be used to permit incoming SSH access. They must be run as root.

iptables - A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW, ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

If you want to save the rules permanently , on some systems that can be done with the command:

service iptables save