Port 22 — SSH & SFTP

Port 22 is the default port for SSH (Secure Shell), the encrypted protocol that lets you control remote servers from your terminal. Nearly every Linux server, cloud instance, and VPS you'll work with is managed over SSH. It replaced Telnet (port 23), which sent everything, including passwords, in plaintext. SSH encrypts the entire session.

SSH also handles SFTP (Secure File Transfer Protocol) and SCP (Secure Copy) on the same port. So port 22 is your gateway for both remote commands and file transfers.

Connecting to a Server

# Basic SSH connection
ssh username@server-ip
ssh root@192.168.1.100
ssh deploy@myserver.com

# With a specific port (if not 22)
ssh -p 2222 username@server-ip

# With an identity file (SSH key)
ssh -i ~/.ssh/my-key.pem ubuntu@ec2-instance.amazonaws.com

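The first time you connect to a server, you'll see "The authenticity of this host can't be established... Are you sure you want to continue?" along with the server's key fingerprint. Compare that fingerprint with the one from your hosting provider or server admin, then type yes. This adds the server's host key to your ~/.ssh/known_hosts file so it won't ask again, and SSH will warn you if the key ever changes.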

SSH Keys (Stop Typing Passwords)

Password authentication works but is tedious and less secure. SSH keys use a public/private key pair — the server holds your public key, your computer holds the private key. No password needed, and it's more secure because the private key never leaves your machine.

# Generate an SSH key pair
ssh-keygen -t ed25519 -C "your-email@example.com"
# Press Enter for default location (~/.ssh/id_ed25519)
# Enter a passphrase (or leave blank; a passphrase protects the key if the file is ever copied)

# Copy your public key to a server
ssh-copy-id username@server-ip
# Now you can SSH without a password

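# Manual method (if ssh-copy-id isn't available).
# The chmod steps matter: sshd ignores authorized_keys if the directory or file is writable by others.
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"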

Use ed25519 keys — they're smaller, faster, and more secure than the older RSA format. If you need RSA (some older systems require it), use ssh-keygen -t rsa -b 4096.

File Transfer: SCP and SFTP

# SCP — copy a file to a server
scp myfile.txt user@server:/home/user/
scp -r myfolder/ user@server:/var/www/

# SCP — download from server
scp user@server:/var/log/app.log ./

# SFTP — interactive file browser
sftp user@server
sftp> ls            # list remote files
sftp> get file.txt  # download
sftp> put local.txt # upload
sftp> exit

SFTP is also supported by GUI tools like FileZilla, WinSCP, and Cyberduck. Connect with Host: your server IP, Port: 22, Protocol: SFTP.

SSH Tunnels (Access Remote Services Locally)

SSH tunnels let you access services on a remote server as if they were running locally. This is incredibly useful for accessing databases, admin panels, and other services that aren't exposed to the internet:

# Forward remote MySQL to local
ssh -L 3306:localhost:3306 user@server
# Now connect to MySQL at localhost:3306 — it reaches the server's MySQL

# Forward remote PostgreSQL
ssh -L 5432:localhost:5432 user@server

# Forward a remote web app
ssh -L 8080:localhost:3000 user@server
# Access the server's port 3000 app at localhost:8080

# Background tunnel (doesn't open a shell)
ssh -fNL 5432:localhost:5432 user@server

SSH Config File (Save Connection Details)

Instead of typing long SSH commands, save connection details in ~/.ssh/config:

# ~/.ssh/config
Host myserver
    HostName 192.168.1.100
    User deploy
    Port 22
    IdentityFile ~/.ssh/deploy-key

Host aws-prod
    HostName ec2-12-34-56-78.compute-1.amazonaws.com
    User ubuntu
    IdentityFile ~/.ssh/aws-key.pem

# Now just type:
ssh myserver
ssh aws-prod

Securing SSH

If you're running an SSH server (on a VPS, home server, etc.), these settings in /etc/ssh/sshd_config significantly reduce attack surface:

# Disable password authentication (keys only)
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Change the default port (reduces automated scans)
Port 2222

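# Restart SSH after changes (the service is named ssh on Debian/Ubuntu).
# Keep your current session open until a new key-based login succeeds.
sudo systemctl restart sshd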

Changing the port from 22 to something else (like 2222) doesn't add real security, but it eliminates 99% of automated brute-force login attempts that target port 22 specifically.
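
One way to check a config file against the settings above before you restart sshd, as an added example that is not part of the original page. The function name audit_sshd_config and the sample config are constructed for illustration; the script assumes Include files are not followed and that OpenSSH defaults apply to anything the file leaves unset.

```shell
#!/bin/sh
# Added example, not from the original page. Audits an sshd_config file (or
# stdin when no file is given) against the settings in "Securing SSH".
# Assumptions: Include files are not followed, and OpenSSH defaults apply to
# unset keywords (PasswordAuthentication yes, PermitRootLogin prohibit-password).
audit_sshd_config() {
    awk '
        function check(name, dflt,   v) {
            v = (tolower(name) in seen) ? seen[tolower(name)] : dflt
            if (v != "no") fails++
            printf "%s %s %s\n", (v == "no" ? "PASS" : "FAIL"), name, v
        }
        { sub(/#.*/, "") }                        # drop comments
        NF < 2 { next }                           # blank or incomplete line
        { key = tolower($1); val = tolower($2) }  # keywords are case-insensitive
        key == "match" { in_match = 1; next }
        in_match {                                # conditional overrides
            if ((key == "passwordauthentication" || key == "permitrootlogin") &&
                val != "no") { print "FAIL Match block sets " $1 " " $2; fails++ }
            next
        }
        key == "port" { ports = ports (ports == "" ? "" : ",") val; next }
        !(key in seen) { seen[key] = val }        # sshd keeps the first value
        END {
            check("PasswordAuthentication", "yes")
            check("PermitRootLogin", "prohibit-password")
            printf "NOTE Port %s (changing it only cuts scan noise)\n", (ports == "" ? "22" : ports)
            exit (fails > 0)                      # status 1 if anything failed
        }
    ' "${1:--}"
}

# Constructed sample: looks hardened at a glance, but a duplicate keyword and
# a Match block undo the password setting.
sample_config() {
cat <<'EOF'
Port 2222
PermitRootLogin no
passwordauthentication yes   # first occurrence wins
PasswordAuthentication no    # ignored by sshd
Match User backup
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd_config || echo "audit failed: fix the FAIL lines"
```

On a live server, sudo sshd -T prints the effective configuration with Include files and defaults resolved, so use that for the final check; the script above is for reviewing a file offline.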

Troubleshooting

"Connection refused": SSH server isn't running on the target machine, or it's on a different port. Check with sudo systemctl status sshd on the server.

"Permission denied (publickey)": The server doesn't accept password auth and your key isn't set up. Copy your public key to the server (see SSH Keys section above).
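
"Host key verification failed": The server's identity changed (it was reinstalled, or you're connecting to a different server at the same IP). The same error appears when something is intercepting the connection, so if you weren't expecting a change, confirm the new fingerprint with your provider or admin first. Then remove the old entry: ssh-keygen -R server-ip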