A Comprehensive Guide: SSH Port Number and SSH Working
In today’s digital landscape, cyberattacks like data breaches and hacking are increasingly common. Organizations need robust security measures like SSH to ensure secure data transmission. This article provides a detailed look at SSH protocol, including the SSH port number, the default SSH port, and how SSH works. We’ll cover encryption, authentication, commands, and key components that enable secure network communication.
What Is SSH?
SSH (Secure Shell) is a secure network protocol that allows you to safely access and manage remote servers. It replaces insecure protocols like FTP and Telnet, providing a secure communication channel for remote access.
The core features of SSH are data encryption, integrity checks, and identity authentication:
1. SSH encrypts data during transmission, protecting it from eavesdropping.
2. It uses authentication techniques like passwords and cryptographic keys to verify user and device identities.
3. SSH ensures data integrity, confirming that transmitted data hasn’t been altered.
System administrators use SSH to securely manage remote servers and perform administrative tasks. It also enables secure file transfer using SFTP (SSH File Transfer Protocol). Additionally, SSH allows users to create secure tunnels for applications like database access or web browsing.
What Is a Port in SSH?
In networking, a “port” is a virtual endpoint for communication within a computer or network. Different services and applications can use the same physical network connection but maintain separate communication channels through ports.
Ports 0-1023 are “reserved ports” for specific services like HTTP (port 80), HTTPS (port 443), FTP (port 21), and SSH (port 22). This standardization ensures consistency across networks.
The SSH port is the designated endpoint for Secure Shell protocol connections. By default, SSH uses port 22 for communication between servers.
While all SSH communication goes through a designated port, the default port can be changed to any available SSH port number. This facilitates secure and encrypted management or access to remote servers or devices, ensuring safe communication over potentially insecure networks.
How Does SSH (Secure Shell) Work on Port 22?
SSH operates on a client-server model, enabling secure and encrypted communication across networks. It’s frequently used in command-line tools for remote login and terminal applications. Linux users commonly utilize SSH for remote access and server administration. So, how does SSH work on Port 22 specifically?
SSH uses port 22 to establish a secure and encrypted communication channel between a client and a server. Let’s break down how it works:
Step 1: Establish a Connection
The client initiates a connection by sending a request to the server. The server listens on port 22 for incoming SSH connections and responds to the client’s request.
The client and server then perform an encryption handshake, exchanging information to establish a secure connection. They choose encryption methods and exchange cryptographic keys. This process creates a shared secret key used for communication between the client and server.
Step 2: User Authentication
The client then authenticates itself to the server. The main authentication methods are passwords and SSH keys.
Clients can securely transmit encrypted passwords to the server. However, password security depends on the user’s password complexity, and passwords can be a less secure authentication method.
A more secure method involves using SSH public-private key pairs, which rely on asymmetric encryption. The server grants the client access after it successfully decrypts a message using the appropriate key.
After authentication, a secure channel is established. All information exchanged is encrypted to prevent unauthorized eavesdropping.
Step 3: Establish a Secure Channel and Initiate the Session
After the secure channel is set up, an SSH session begins. Within this session, the client can securely interact with the server, sending files, running commands, and performing other authorized actions.
All commands, files, and data exchanged between the client and server during the session are encrypted, ensuring data integrity and preventing tampering.
When the user finishes, they close the connection. Closing the secure channel prevents further communication until a new session is established.
In summary, SSH on port 22 ensures secure data transfer, authenticates the client, and establishes an encrypted communication channel. Its encryption and secure authentication methods make SSH ideal for secure remote access and communication.
How to Generate an SSH Key?
SSH enables users to execute commands on remote servers, manage port forwarding, create tunnels, and more. It supports password authentication and public-key-based authentication.
Public-key-based authentication is generally considered more secure and convenient than password authentication because it uses digital signatures to enhance security.
Here’s how to generate an SSH key on your Linux system:
Step 1: Verify the Old SSH Key File
Before generating a new SSH key, check if you already have one. This prevents overwriting existing keys. Use the following command:
$ ls -l ~/.ssh/id_*.pub
Step 2: Generate an SSH Key Pair
If you get a “No such file or directory” error, you don’t have an SSH key. Proceed to generate one. Use the following command to create a new key pair with 4096 bits and your email address as a comment:
$ ssh-keygen
or
$ ssh-keygen -t rsa -b 4096 -C "useremail@yahoo.com"
Running “ssh-keygen” creates a default 3072-bit RSA key pair. Press “Enter” to store the key in the default location (.ssh/ subdirectory).
You’ll be prompted to enter a passphrase for added security. You’ll need to enter this passphrase to log in to remote machines. To skip the passphrase, press “Enter”. The output will be displayed in the terminal.
Verify successful key generation using this command:
$ ls ~/.ssh/id_*
The generated SSH key pair should be displayed on the terminal, confirming successful key generation.
Step 3: Connect to the Remote Server
Transfer the SSH public key to the remote Ubuntu server that you want to manage. Use the “ssh-copy-id” tool, the recommended method. Run this command on the client machine:
$ ssh-copy-id user_name@server_IPaddress
Replace `server_IPaddress` with your system’s IP.
On the first connection, you may be prompted to confirm. Enter “yes” to proceed. The server will validate the SSH key. You can also manually copy the public key using this command:
$ cat ~/.ssh/id_rsa.pub | ssh username@serverip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Replace `username` and `serverip` with the details of your server.
Step 4: Log in with the SSH Key on the Remote Server
Use this command to log in via SSH on the remote server:
$ ssh username@serverIP
If you didn’t set a passphrase for the private key, you’ll log in immediately. Otherwise, you’ll be prompted to enter the passphrase.
Step 5: Disable SSH Password Authentication
To add security, disable SSH password authentication. Log in to the remote server with sudo privileges and open the `/etc/ssh/sshd_config` file with this command:
$ sudo nano /etc/ssh/sshd_config
Find and set the following line to “no”:
PasswordAuthentication no
Save the file and exit.
Restart or reload the SSH service:
$ sudo systemctl restart ssh
Verify that SSH is working correctly before ending the session to ensure that password authentication is disabled.
Commands to Manage the SSH on the Linux System
To install an OpenSSH server, use the following command:
$ sudo apt install openssh-server
To start and stop the SSH service, use the following commands:
$ sudo systemctl start ssh
$ sudo systemctl stop ssh
To check SSH service status, use:
$ sudo systemctl status ssh
To enable an SSH service, use this command:
$ sudo systemctl enable ssh
To reload or restart the SSH service, run this command:
$ sudo systemctl restart ssh
To connect with the SSH server, use the command below:
$ ssh username@remotehost or IP-address
How to Configure SSH Port Number 22 in Firewall UFW?
Ensure that UFW (Uncomplicated Firewall) is turned on. To enable UFW, use:
$ sudo ufw enable
Grant permission for SSH traffic on port 22 in the UFW firewall with the following command:
$ sudo ufw allow 22/tcp
To disable SSH server, block port 22 using the command below:
$ sudo ufw deny 22/tcp
To disable the SSH service access, execute the following commands:
$ sudo systemctl stop ssh --now
$ sudo systemctl disable ssh --now
SSH Implementations for Linux and Windows
Several SSH implementations and clients are used across operating systems:
– OpenSSH (Unix-Based Systems): OpenSSH is the default implementation for Linux and macOS, known for its reliability and pre-installed on most Unix-based platforms.
– PuTTY (Windows): PuTTY is a popular SSH client for Windows with a user-friendly interface for secure remote server connections and auxiliary tools like PuTTYgen for SSH key management.
– SSH in PowerShell (Windows): Microsoft integrated OpenSSH into Windows PowerShell, simplifying SSH use and eliminating the need for third-party applications.
What Is the Default SSH Port Number?
The default SSH port is 22. Every SSH connection initializes through port 22, simplifying configuration and standardizing SSH connections.
However, using port 22 as the default can be a security risk. Changing the default SSH port is recommended to mitigate security problems.
There are 65,536 available communication ports. You can choose one of them to change your SSH port, preventing brute-force attacks.
How to Change the Default SSH Port 22 to Another Port Number?
If you’re involved in important communication that demands security, changing the default SSH port can reduce the risk of brute-force attacks. Attackers commonly target port 22, the default SSH port. Using a different SSH port improves security.
Follow these steps to change the SSH port:
Step 1: Create sshd_config File Backup
Edit the port number in the sshd_config file to change the default SSH port. Back up this file before making changes. Use the following command to create a backup:
$ cp /etc/ssh/sshd_config /etc/ssh/sshd_backup_config
This command creates a copy of sshd_config in the same directory.
Step 2: Changing the SSH Default Port 22
Open the `ssh_config` file to change the SSH default port 22:
$ sudo nano /etc/ssh/sshd_config
This opens the configuration file in the nano editor. Find the following line:
#Port 22
Uncomment this line by removing the “#” symbol and changing the port number. For example, to change it to 45571:
Port 45571
Allow or add this port to your firewall.
Step 3: Restart the SSH Service
After adding it to the firewall, restart the SSH service to load the changes.
$ sudo service sshd restart
The changes take effect after restarting your device. Changing the default SSH port number after acquiring a Linux VPS is an important security measure. You can test the changes without logging out of your current SSH session.
Step 4: Test the SSH Port
When you change the default SSH port 22, mention the new port number when connecting from the client machine to the server.
$ ssh username@userIP -p 45571
Now, your default SSH port is changed to Port 45571.
Conclusion