Network port detail · TCP/UDP/SCTP
22
ssh
[ 01 ] — Context

About port 22.

Updated  ·  Confidence: High

Port 22/tcp is the IANA-assigned home of SSH, the Secure Shell protocol, and is one of the most consistently open and most heavily attacked TCP ports on the public internet. SSH is the default channel for administering Linux/Unix servers, cloud instances, routers, switches, and embedded devices — providing encrypted remote login, command execution, file transfer (SCP/SFTP), and tunneling/port-forwarding. The protocol is layered: a transport layer (RFC 4253) that handles server authentication, key exchange, encryption, and integrity; a user-authentication layer (RFC 4252); and a connection layer (RFC 4254) that multiplexes channels over the single TCP session.

An internet-exposed SSH daemon faces continuous automated brute-force and credential-stuffing attempts; honeypot research routinely records millions of login attempts against a single sensor. The practical analyst takeaway is that an open 22/tcp almost always means a live SSH service for remote administration — the questions that matter in triage are which SSH implementation and version is running, whether password authentication is enabled (versus key-only), and whether auth logs show brute-force patterns or successful logins from anomalous sources. Relocating SSH to a non-standard port (2222, 22222) reduces log noise but is not a security control, since scanners enumerate any open port.

IANA assignment
ssh — "The Secure Shell (SSH) Protocol"; reference [RFC4251] [IANA-assigned] — IANA Service Name and Transport Protocol Port Number Registry
Range class
well-known (0–1023)
Primary use
encrypted remote login, command execution, file transfer (SCP/SFTP), and secure tunneling/port forwarding [Well-established] — RFC 4251/4253, OpenSSH docs
Other/unofficial uses
SFTP/SCP, Git-over-SSH, SSH tunneling/SOCKS proxy; frequently relocated to 2222/22222 [Well-established] — OpenSSH docs
Prevalence
nmap-services open-frequency 0.182286 (one of the most common open TCP ports, typically top ~5) [Well-established] — nmap-services file (nmap.org/book/nmap-services.html)
Security implications
continuous brute-force/credential-stuffing against exposed daemons; risks from weak/default passwords, leaked private keys, obsolete SSH-1 (e.g., CVE-2001-0144). Mitigate with key-based auth, disabling root login + password auth, fail2ban/lockout, and MFA. Port relocation reduces noise, not risk [Well-established/Threat-reported] — arXiv honey-net study (arxiv.org/pdf/2512.06557), CSO, BleepingComputer
Typically seen on
Linux/Unix servers, cloud instances, routers/switches, developer machines, IoT/embedded devices
Related ports
23/tcp Telnet (insecure predecessor SSH replaced); 2222 (common alternate SSH)
Analyst note
An open 22/tcp almost always means a live SSH daemon for remote admin. Fingerprint the SSH software/version, determine whether password auth is enabled, and review auth logs for brute-force patterns and anomalous successful logins.
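
The log-review step from the analyst note, as an added example that is not part of the original page: it parses OpenSSH sshd authentication messages, counts failures per source address, and flags sources that log in successfully after repeated failures. The sample log lines, the addresses, the function name `triage` and the threshold of 3 failures are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 web1 sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Mar  3 02:14:05 web1 sshd[4125]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 02:14:09 web1 sshd[4129]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 02:14:12 web1 sshd[4133]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Mar  3 08:30:44 web1 sshd[5010]: Accepted publickey for deploy from 198.51.100.20 port 51522 ssh2: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER
Mar  3 09:02:10 web1 sshd[5077]: Failed password for alice from 192.0.2.44 port 60001 ssh2
Mar  3 09:02:19 web1 sshd[5077]: Accepted password for alice from 192.0.2.44 port 60001 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, fail_threshold=3):
    """Summarise sshd auth events per source IP (threshold is an assumed value)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    password_login_observed = False  # True proves password auth is on; False proves nothing
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        if m["result"] == "Failed":
            s["failed"] += 1
        else:
            # Record how many failures from this source preceded the success.
            s["accepted"].append((m["user"], m["method"], s["failed"]))
            password_login_observed |= m["method"] == "password"
    findings = []
    for ip, s in stats.items():
        if s["failed"] >= fail_threshold:
            findings.append((ip, "brute-force pattern", s["failed"], len(s["users"])))
        for user, method, prior in s["accepted"]:
            if prior >= fail_threshold:
                findings.append((ip, "login after repeated failures", user, method))
    return {"password_login_observed": password_login_observed, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```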