Reference · info severity

Port 22 · SSH

SSH on port 22 is normal infrastructure. Tracked as informational so unexpected exposure on a non-management host shows up as a signal.

What runs on port 22

SSH is the standard remote-shell and file-transfer protocol for Unix-family systems. The default service binds to TCP/22. Modern SSH (OpenSSH 9.x) is well-hardened by default — public-key authentication, modern ciphers, TLS-equivalent transport security.

Why public exposure is dangerous

SSH itself is not the risk; the configuration is. Password authentication enabled with weak passwords invites brute-force. `root` login allowed gives attackers a high-value target. Outdated OpenSSH builds with known CVEs (rare but they exist) widen the attack surface. Mass scanning of port 22 is universal — every SSH server on the public internet sees thousands of brute-force attempts per day.

How to lock it down

Disable password authentication: `PasswordAuthentication no` in `sshd_config`. Disable root login: `PermitRootLogin no`. Use public-key authentication only. Consider a non-default port to reduce log noise (security-by-obscurity, not real security, but reduces brute-force volume). Use `fail2ban` or equivalent to lock out IPs after repeated failures. Restrict SSH to specific source IPs via host firewall when feasible.
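
One way to check a server against these settings, as an added example that is not DomainCare's own code: a small parser that applies sshd's first-value-wins rule and reports `Match` blocks that re-enable a weak setting. The function names and the sample config are assumptions constructed for illustration; the defaults are those of OpenSSH 7.0 and later.

```python
import re

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Settings recommended in the text above.
REQUIRED = {"passwordauthentication": "no", "pubkeyauthentication": "yes",
            "permitrootlogin": "no"}

def parse(config_text):
    """Return (global settings, Match-block overrides) from sshd_config text."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        # Keyword and argument are separated by whitespace or '='.
        # Blank lines and '#' comment lines do not match and are skipped.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            match = value  # every later line is conditional on a Match
        elif match is not None:
            overrides.append((match, key, value.lower()))
        else:
            settings.setdefault(key, value.lower())  # sshd keeps the first value
    return settings, overrides

def audit(config_text):
    """Return findings; an empty list means the recommended settings hold."""
    settings, overrides = parse(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"global: {key} is '{got}', expected '{want}'")
    for cond, key, got in overrides:
        if key in REQUIRED and got != REQUIRED[key]:
            findings.append(f"Match {cond}: {key} is '{got}', expected '{REQUIRED[key]}'")
    return findings

# Constructed sample: the second PasswordAuthentication line never takes effect.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""
```

The parser does not follow `Include` directives; running `audit()` on the output of `sshd -T` instead of the raw file covers drop-in files as well.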

When public exposure is legitimate

Operating-system management on bastion hosts, jump boxes, and individual servers. SSH on port 22 is universally appropriate when properly hardened — DomainCare flags it as `info` severity to provide an audit trail of where SSH is exposed without alerting on every host.

Other ports DomainCare scans

  • :3306 · MySQL: MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
  • :5432 · PostgreSQL: PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
  • :6379 · Redis: Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
  • :27017 · MongoDB: MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class — pre-3.0 builds shipped without authentication enabled.