SSH Port 22 – Configuration and Security

1. Introduction to SSH

SSH (Secure Shell) is a cryptographic network protocol for secure remote login and command execution over an insecure network.

• Default SSH Port: 22/tcp

• SSH Daemon: sshd — the service that listens for incoming SSH connections.

2. SSH Service Management

Check SSH Service Status

sudo systemctl status ssh

Start/Stop SSH Service

sudo systemctl stop ssh
sudo systemctl start ssh
sudo systemctl restart ssh

Alternate (older systems):

sudo service ssh stop
sudo service ssh start

3. Close or Block SSH Port

Using iptables

sudo iptables -A INPUT -p tcp --dport 22 -j DROP

• This blocks all incoming connections on port 22.

Using UFW (Uncomplicated Firewall)

sudo ufw deny 22

• Blocks port 22 via UFW.

To Reopen SSH Port

sudo ufw allow 22
sudo iptables -D INPUT -p tcp --dport 22 -j DROP

4. Connecting to an SSH Server

Verify SSH Port with Nmap

nmap -p 22 127.1.27.97

Sample output:

PORT   STATE SERVICE
22/tcp open  ssh

Connect via SSH

ssh user@127.1.27.97

If it's the first time connecting, SSH will ask to verify the host’s fingerprint:

The authenticity of host '127.1.27.97' can't be established.
ED25519 key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.1.27.97' to the list of known hosts.

5. SSH Server Configuration File

Located at:

/etc/ssh/sshd_config

Option	Description
Port 22	Sets the port SSH daemon listens on
PermitRootLogin no	Prevents root login (recommended)
PasswordAuthentication no	Disables password-based login; use key-based login
AllowUsers user1 user2	Restrict login access to specific users
PermitEmptyPasswords no	Disallow empty passwords
MaxAuthTries 3	Limit login attempts
LoginGraceTime 30	Time allowed for login attempt before disconnect

To Apply Changes:

sudo systemctl restart ssh

6. SSH Security Best Practices

• Change default port (22) to reduce automated scans:

Port 2222

• Disable password authentication and use SSH keys:

PasswordAuthentication no

• Use fail2ban to block brute-force attacks:

sudo apt install fail2ban

• Use key-based authentication:

ssh-keygen
ssh-copy-id user@host

• Restrict user access using AllowUsers or AllowGroups.

• Log SSH activity for monitoring:

/var/log/auth.log

7. SSH Key Authentication Setup

Generate SSH Key Pair

ssh-keygen -t ed25519

Copy Public Key to Remote Host

ssh-copy-id user@remote_host

Once setup, login without a password:

ssh user@remote_host

8. Common SSH Client Options

Option	Description
-p <port>	Specify a non-default port
-i <keyfile>	Specify identity (private key) file
-v	Verbose output (debugging connections)
-X	Enable X11 forwarding
-L <local>:<remote>	Port forwarding