How ssh appeared on port 22

Original author: Tatu Ylonen
SSH runs on port 22 by default. This is not a coincidence. Here is the story of how it got this port.

When I (Tatu Ylonen) first published this story in April 2017, it went viral: about 120,000 readers read it in three days.

The history of getting port 22 for SSH

I wrote the first version of SSH (Secure Shell) in the spring of 1995. At that time, Telnet and FTP were widely used.

In any case, I developed SSH to replace both telnet (port 23) and ftp (port 21). Port 22 was free and conveniently located between the ports for telnet and ftp. I thought that such a port number could be one of those little details that would give SSH some aura of trust. But how to get it? I had never allocated a port, but I knew those involved.

At that time, the port allocation process was fairly simple. The internet was smaller and we were in the very early stages of the internet boom. Port numbers were assigned by the Internet Assigned Numbers Authority (IANA). At the time, this meant the respected pioneers of the Internet, Jon Postel and Joyce K. Reynolds. Among other things, Jon was the editor of such minor protocols as IP (RFC 791), ICMP (RFC 792) and TCP (RFC 793). Perhaps some of you have heard of them.

Jon frankly scared me, as the author of all the major RFCs for the Internet!

Either way, before announcing ssh-1.0 in July 1995, I sent the following email to IANA:

From ylo Mon Jul 10 11:45:48 +0300 1995
From: Tatu Ylonen <>
To: Internet Assigned Numbers Authority <>
Subject: request for port number
Organization: Helsinki University of Technology, Finland

Dear Sir,

I have written a program to securely login from one machine to another over an insecure network. This is a significant improvement in security compared to existing telnet and rlogin protocols and their implementations. In particular, it prevents IP, DNS and routing spoofing. My plan is to freely distribute the program on the Internet and to ensure its widest possible use.

I would like to receive a registered privileged port number for the program. Preferably it would be in the range 1-255 so that it can be used in the WKS field on a name server.

Below is an RFC draft for the protocol. The software has been used locally for several months and is ready for publication, with the exception of the port number. If you can quickly assign a port number, I would like to post the program this week. I’m currently using port 22 in beta testing. It would be great to use this number (currently listed as “unassigned” in the lists).

The service name for the software is "ssh" (Secure Shell).


Tatu Ylonen <>

... followed by the ssh-1.0 protocol specification

The next day there was an email from Joyce in my mailbox:

Date: Mon, 10 Jul 1995 15:35:33 -0700
From: jkrey@ISI.EDU
Subject: Re: request for port number
Cc: iana@ISI.EDU


We assigned port 22 to SSH, listing you as the contact person.


We made it! SSH now had port 22!!!

On July 12, 1995, at 2:32 am, I announced the final beta version to my beta testers at Helsinki University of Technology. At 17:23 I sent the ssh-1.0.0 packages to testers, and at 17:51 I sent an announcement of SSH (Secure Shell) to the mailing list. I also sent the announcement to several newsgroups, mailing lists, and directly to individuals who discussed related topics on the Internet.

Change the SSH port on the server

By default, the SSH server still runs on port 22. However, sometimes it is run on a different port. One reason is testing. Another is running multiple configurations on the same host. Rarely, the server is run without root privileges, in which case it must be placed on an unprivileged port (i.e., port number 1024 or greater).

The port number can be configured by changing the directive Port 22 in /etc/ssh/sshd_config. It can also be specified with the -p <port> parameter of sshd. The SSH client and sftp programs also support the -p <port> parameter.

Specifying an SSH port on the command line

The -p <port> parameter can be used to specify the port number when connecting with the ssh command in Linux. SFTP and scp use the -P <port> parameter (note: capital P). The command line overrides any value in configuration files.

Setting up SSH access via firewalls

SSH is one of the few protocols that is often allowed to work through firewalls for outbound access, especially in small and technical companies. Incoming SSH is usually allowed to one or more servers.

Outgoing SSH

Setting up outgoing SSH in the firewall is very simple. If there are restrictions on outgoing traffic at all, just create a rule allowing outgoing connections on TCP port 22. That's all. If you want to limit the destination addresses, you can create a corresponding rule by allowing access only to the servers of your organization in the cloud or to a jump-server that protects access to the cloud.

Reverse tunneling is a risk

However, unlimited outbound SSH can be risky. The SSH protocol supports tunneling. The basic idea is that the SSH server on an external server listens for connections from everywhere, forwards them back into the organization and establishes a connection with some internal server.

In some cases it is convenient. Developers and system administrators often use tunneling to get remote access from home or from a laptop while traveling.

But usually, tunneling violates the security policy and takes control away from the firewall administrators and the information security team. For example, it may violate the rules of PCI, HIPAA or NIST SP 800-53. It can be used by hackers and intelligence agencies to leave backdoors on the local network.

The CryptoAuditor program controls tunneling in the firewall or at the entry point to the cloud server group. It works in conjunction with Universal SSH Key Manager to gain access to host keys, using them to decrypt SSH sessions in the firewall and block unauthorized forwarding.
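An added example, not part of the original article or of any product it names: a shell function that audits the sshd_config of a server you control (such as the jump server mentioned above) for the settings that make reverse tunneling possible. The function name and the sample configuration are constructed; the keywords and their defaults are OpenSSH's.

```shell
# Added example. Audits the global section of an sshd_config (file argument
# or stdin). Prints one line per finding and returns 1 if there is any.
sshd_tunnel_audit() {
    awk '
    BEGIN {
        # OpenSSH defaults apply when a keyword is absent.
        val["allowtcpforwarding"] = "yes"
        val["gatewayports"] = "no"
        val["permittunnel"] = "no"
    }
    /^[ \t]*(#|$)/ { next }              # comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")        # accept "Keyword=value" as well
        gsub(/"/, "")                    # values may be double-quoted
        key = tolower($1)                # keywords are case-insensitive
        if (key == "match") exit         # Match blocks are out of scope here
        # sshd keeps the first value it reads for a keyword.
        if ((key in val) && !(key in seen)) { seen[key] = 1; val[key] = tolower($2) }
    }
    END {
        bad = 0
        f = val["allowtcpforwarding"]
        if (f == "yes" || f == "all" || f == "remote") {
            print "remote-forwarding-allowed AllowTcpForwarding=" f; bad = 1
            # GatewayPorts decides whether forwarded ports bind beyond loopback.
            if (val["gatewayports"] != "no")
                print "forwarded-ports-reachable-from-network GatewayPorts=" val["gatewayports"]
        }
        if (val["permittunnel"] != "no") {
            print "tun-device-forwarding-allowed PermitTunnel=" val["permittunnel"]; bad = 1
        }
        exit bad
    }' "$@"
}

# Constructed sample: the first AllowTcpForwarding line wins, and the
# PermitTunnel line inside the Match block is not part of the global section.
printf '%s\n' '# constructed sample' 'allowtcpforwarding remote' \
    'AllowTcpForwarding no' 'GatewayPorts=clientspecified' \
    'Match User backup' '    PermitTunnel yes' | sshd_tunnel_audit || true
```

A hardened server sets AllowTcpForwarding, GatewayPorts and PermitTunnel to no in the global section, in which case the function prints nothing and returns 0.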

Inbound SSH

For inbound access there are several options:

  • Configure the firewall to forward all connections to port 22 to a specific IP address on the internal network or DMZ. Run CryptoAuditor or a jump server at this IP address to monitor and verify further access to the organization.
  • Use different ports on the firewall to access different servers.
  • Allow SSH access only after logging on to the system using a VPN, usually via IPsec.

Enable SSH via iptables

Iptables is a host firewall built into the Linux kernel. It is usually configured to protect the server by blocking access to all ports that have not been explicitly opened.

If iptables is enabled on the server, the following commands can be used to allow inbound SSH access. They must be run as root.

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

If you want to save the rules permanently, on some systems this can be done with the command:

service iptables save
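The rules above accept SSH from any source address. As an added example (not from the original article), the shell function below prints the same pair of rules for a chosen port, optionally restricted to given IPv4 source ranges; the function name and the sample addresses are constructed, and a default-deny ruleset is assumed.

```shell
# Added example. Prints (does not apply) the iptables commands for inbound
# SSH on PORT, optionally limited to the given IPv4 sources.
# Assumes a default-deny ruleset, so only the printed rules open the port.
# usage: ssh_inbound_rules PORT [IPV4_CIDR ...]
ssh_inbound_rules() {
    port=$1
    if [ $# -gt 0 ]; then shift; fi
    # PORT must be 1-5 decimal digits in the range 1..65535.
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    # No source given: any address, which is what the rules above allow.
    if [ $# -eq 0 ]; then set -- 0.0.0.0/0; fi
    # Validate every source first so bad input produces no partial output.
    for src in "$@"; do
        # Shape check only: dotted quad with an optional /0-32 prefix.
        if ! printf '%s\n' "$src" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([12]?[0-9]|3[0-2]))?$'; then
            echo "invalid source: $src" >&2; return 1
        fi
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $src --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
}

# Constructed demo: SSH moved to port 2222, reachable only from two sources.
ssh_inbound_rules 2222 10.20.0.0/16 192.0.2.10
```

Review the printed commands before running them as root, and save them afterwards if the rules should survive a reboot.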
