Why the SSH (Secure Shell) port number is 22

Introduction: the fact that SSH (Secure Shell) uses port 22 is not a coincidence. This is a story that I (Tatu Ylonen, the designer of the SSH protocol) have not told before.

The story of setting the SSH protocol port number to 22

I wrote the initial version of the SSH protocol in the spring of 1995, when telnet and FTP were widely used.

I had designed SSH to replace both telnet (port 23) and ftp (port 21), and port 22 was free. It was conveniently sandwiched between the telnet and ftp ports, and I took it for granted that this would be the number chosen. A port number is a small thing, but I felt having that one would lend the protocol some credibility. But how on earth could I get that port number? I had never been allocated one, but I knew a few people who had!

Getting a port number was actually quite simple at the time. The Internet was not very big yet, and it was the early days of the Internet boom. Port numbers were assigned by IANA (the Internet Assigned Numbers Authority). At the time, that institution was essentially the Internet pioneers Jon Postel and Joyce K. Reynolds. Jon had co-authored several major protocol standards, such as IP (RFC 791), ICMP (RFC 792) and TCP (RFC 793), protocols you have surely heard of.

I can say I was in awe of Jon, who had written almost every major Internet standards document (Internet RFC)!

In July 1995, just before I released ssh-1.0, I sent an email to IANA:

From ylo Mon Jul 10 11:45:48 +0300 1995

From: Tatu Ylonen <[email protected]>

To: Internet Assigned Numbers Authority <[email protected]>

Subject: request to get a port number

Organization: Helsinki University of Technology, Finland

Dear Agency Member:

I have written a program for logging securely from one machine into another over an insecure network. It is mainly a functional enhancement and security improvement of the existing telnet and rlogin protocols. More specifically, it protects against IP, DNS and routing spoofing. I intend to distribute the software freely on the Internet for wide use.

I would like to register a privileged port number for the software, preferably between 1 and 255, so that it can be used in the WKS field of the name server.

I have attached a draft of the protocol specification. The software has been in local use for several months, and I am ready to release it as soon as I have a port number. If the port assignment can be arranged in time, I expect to release the software this week. The port number I am currently using for beta testing is 22; if this port can be assigned, no changes are needed (the port is currently still free in the list).

The name of the service in the software is `ssh` (an abbreviation of Secure Shell).

Yours most sincerely,

Tatu Ylonen <[email protected]>

(LCTT Annotation: WKS is the "Well Known Services" record type of the DNS protocol. It is a DNS record type like A and MX, used to describe the services offered at a given IP address. It is rarely used today. See: https://docs.oracle.com/cd/E19683-01/806-4077/dnsintro-154/index.html.)

The next day, I received an email from Joyce:

Date: Mon, 10 Jul 1995 15:35:33 -0700

From: [email protected]

To: [email protected]

Subject: Response: Request for a port number

Cc: [email protected]

Tatu,

We have assigned port number 22 to the ssh service, with you as its point of contact.

Joyce

That was it! SSH officially had port 22!

On July 12, 1995, at 2:21 AM, I announced the final beta version of SSH to my beta testers at Helsinki University of Technology. At 5:23 PM the same day, I announced the ssh-1.0.0 packages to the testers. At 5:51 PM on July 12, 1995, I sent the SSH (Secure Shell) announcement to the [email protected] mailing list, as well as to a few newsgroups, mailing lists and people who had discussed related topics on the Internet.

Changing the SSH server port

The SSH server listens on port 22 by default. It can run on another port if required, for example for testing, or to run several different configurations on the same host. In rare cases it is also run without root privileges, in which case it must use a non-privileged port (1024 or higher).

The port is set by the `Port 22` directive in the configuration file /etc/ssh/sshd_config. sshd can also be started with the -p <port> option. On the client side, the ssh client takes -p <port>, while scp and sftp take -P <port> (capital P); `-o Port=<port>` works with all of them. After moving the port, remember to open the new port in the firewall (and, on SELinux systems, to label it with `semanage port -a -t ssh_port_t -p tcp <port>`), or the next login will fail.

SSH through firewalls

SSH is one of the few protocols that is generally permitted through firewalls. Unrestricted outbound SSH is common, especially in smaller or more technical organizations, while inbound SSH is usually limited to one or a few servers.

Outbound SSH connections

Configuring outbound SSH in the firewall is simple. If you restrict outgoing connections at all, create a rule that allows outgoing TCP connections to port 22. If you want to limit destinations as well, restrict that rule to the external servers your organization runs in the cloud, or to a jump host (bastion) that protects those cloud servers.

Back channels are risky

Unrestricted outbound SSH does carry risk, however. The SSH protocol supports tunneling, including reverse port forwarding. The basic idea of a back channel is that an SSH server on an external host listens for connections from anywhere, forwards them back through an SSH connection into the organization, and lets whoever connects reach an internal server.

This is certainly convenient in some scenarios. Developers and system administrators often open such a channel so that they can reach internal systems from a laptop at home or while traveling.

In general, however, this is against security policy: it bypasses the firewall administrators and the protections the security team has put in place, and it violates compliance requirements such as PCI DSS, HIPAA and NIST SP 800-53. The same mechanism can be used by criminals and foreign intelligence agencies to leave backdoors inside an organization.

CryptoAuditor is a product for controlling tunneling at a firewall or at the entry point to a group of cloud servers. Used together with Universal SSH Key Manager, it obtains access to host keys so that it can decrypt SSH sessions at the firewall and block unauthorized forwarding.
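The following shell script is an added example; it is not part of the original article and not code from any SSH.COM product. It edits an sshd_config file idempotently and uses that for two tasks discussed above: moving sshd to a non-default port (the section on changing the port), and configuring an Internet-facing server so that it refuses to act as the landing point of a reverse tunnel such as `ssh -R 0.0.0.0:2222:internal-host:22 user@external-host`. sshd honours the first occurrence of a keyword, so the helper removes every earlier occurrence, commented or not, before writing the new one. The port 2222, the config path, the reload command and the absence of `Match` blocks in the file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Edit an sshd_config file safely:
# move sshd to another port, and refuse the "back channel" reverse tunnel described
# above. Port 2222, the config path and the reload command are assumptions.
# Assumes a config without Match blocks (a directive inside a Match block would be
# removed by set_sshd_directive as well).

# set_sshd_directive FILE KEY VALUE
# sshd uses the FIRST occurrence of a keyword, so a stray earlier "Port 22" would
# silently win. Remove every existing occurrence (commented or not; keywords are
# case-insensitive), then append "KEY VALUE". Writing through cat keeps the file's
# owner, mode and SELinux label, which mv of a temp file would not.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    grep -viE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || :
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sshd_directive FILE KEY -> the value sshd would use (first uncommented line)
get_sshd_directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# valid_port N: numeric and within 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# move_sshd_port FILE PORT: the "Port 22 -> Port <n>" change from the article
move_sshd_port() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    set_sshd_directive "$1" Port "$2"
}

# deny_forwarding FILE: make this sshd useless as a back-channel landing point.
# AllowTcpForwarding no rejects -L/-R/-D forwards outright; GatewayPorts no keeps
# any -R listener on loopback; the rest closes the other tunnel-like channels.
deny_forwarding() {
    set_sshd_directive "$1" AllowTcpForwarding no
    set_sshd_directive "$1" GatewayPorts no
    set_sshd_directive "$1" PermitTunnel no
    set_sshd_directive "$1" AllowStreamLocalForwarding no
    set_sshd_directive "$1" AllowAgentForwarding no
    set_sshd_directive "$1" X11Forwarding no
}

# apply_and_reload FILE: let the real sshd parse the file before reloading, so a
# typo cannot lock you out. Keep the current session open until a second login on
# the new port succeeds (ssh -p 2222 host; sftp -P 2222 host). On RHEL-family hosts
# with SELinux also run: semanage port -a -t ssh_port_t -p tcp 2222
apply_and_reload() {
    /usr/sbin/sshd -t -f "$1" || { echo "sshd rejected $1, not reloading" >&2; return 1; }
    systemctl reload sshd   # unit is "ssh" on Debian/Ubuntu
}

# Usage (as root):
#   move_sshd_port /etc/ssh/sshd_config 2222
#   deny_forwarding /etc/ssh/sshd_config
#   apply_and_reload /etc/ssh/sshd_config
```

Note that `GatewayPorts no` alone does not stop a back channel: the `-R` listener still exists on the external host's loopback interface and anyone with a shell there can use it. `AllowTcpForwarding no` is the setting that actually refuses the forward; put it in a `Match` block if some users legitimately need forwarding.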

Inbound SSH access

For inbound SSH access, there are a few practical options:

  • Configure the firewall to forward all connections to port 22 to a single IP address on the internal network or in a DMZ. Run CryptoAuditor or a jump host on that IP to control and audit all connections into the organization.
  • Use different ports on the firewall to reach different servers.
  • Only allow SSH connections after the user has logged in through a VPN (Virtual Private Network), for example one based on the IPsec protocol.

Restricting SSH access with iptables

iptables is a host firewall built into the Linux kernel. It is typically configured to protect the server from connections to any port that has not been explicitly opened.

If iptables is enabled on the server, the following commands allow incoming SSH connections. They must be run as root. Note that they only restrict anything if the INPUT chain's default policy is DROP (or a later rule drops other traffic); the OUTPUT rule is only needed when outgoing traffic is filtered as well.

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Rules added this way are lost on reboot. On some distributions (for example older Red Hat based systems with the iptables init script), the following command saves them permanently:

service iptables save
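The two iptables commands above accept SSH from any source address. As an added example (not part of the original article), the script below generates a complete iptables-restore ruleset that drops inbound traffic by default, allows new SSH connections only from named management networks, rate-limits them per source address, logs and drops the rest, and parse-checks the ruleset with `iptables-restore --test` before loading it. The port, the CIDRs, the 4-per-minute limit and the log prefix are assumptions; the ruleset is IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original article): a complete host ruleset that allows
# SSH only from management networks, rate-limits new connections per source, and
# drops everything else by default. The port, CIDRs and log prefix are assumptions.
# IPv4 only; repeat with ip6tables-restore (or use nftables) for IPv6.

# rule WORDS...: emit one iptables-restore(8) line
rule() { printf '%s\n' "$*"; }

# ssh_ruleset PORT CIDR [CIDR...] -> filter-table ruleset on stdout
ssh_ruleset() {
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "at least one allowed CIDR is required" >&2; return 1; }

    rule '*filter'
    # Default DROP is what makes an ACCEPT rule meaningful: the two rules quoted in
    # the article restrict nothing on a host whose INPUT policy is still ACCEPT.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':SSH - [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    # Packets of connections already accepted, in either direction. With this rule
    # an OUTPUT "--sport 22 ESTABLISHED" rule is unnecessary.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only NEW SSH connections reach the SSH chain; all other traffic hits the DROP policy.
    rule -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH
    for cidr in "$@"; do
        # Per source IP: drop once more than 4 new connections/minute arrive (burst 4),
        # which blunts password spraying without bothering interactive users.
        rule -A SSH -s "$cidr" -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
             --hashlimit-above 4/minute --hashlimit-burst 4 -j DROP
        rule -A SSH -s "$cidr" -j ACCEPT
    done
    # Sources outside the allowed networks: log (rate-limited so logs cannot be flooded), then drop.
    rule -A SSH -m limit --limit 5/minute -j LOG --log-prefix '"ssh-denied: "'
    rule -A SSH -j DROP
    rule COMMIT
}

# apply_ruleset PORT CIDR...: parse-check with --test before committing, then load.
# Run as root from a console or an existing session that you keep open until a
# fresh SSH login from an allowed network succeeds.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    ssh_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! iptables-restore --test < "$tmp"; then
        echo "ruleset rejected by iptables-restore, nothing changed" >&2
        rm -f "$tmp"; return 1
    fi
    iptables-restore < "$tmp"; status=$?
    rm -f "$tmp"
    # Persist afterwards: "service iptables save" (older Red Hat family) or
    # "netfilter-persistent save" (Debian/Ubuntu with iptables-persistent).
    return $status
}

# Usage (as root): apply_ruleset 22 10.0.0.0/24 192.168.1.10/32
```

If sshd was moved to another port as described earlier, pass that port instead of 22; the management CIDRs should be the jump host or VPN address pool rather than whole office networks.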


Source: blog.csdn.net/weixin_56035688/article/details/131931041