All Tools
Privacy-first: no data stored
SSH Port Checker
Test if SSH port is open and accessible on any server.
What is an SSH Port?
SSH (Secure Shell) uses port 22 by default for encrypted remote access to servers. When you can't connect via SSH, the first step is checking if the port is open and reachable. This tool tests TCP connectivity from our servers to your target, helping diagnose firewall issues, misconfigurations, or network problems.
Common SSH Ports
| Port | Usage |
|---|---|
| 22 | Default SSH port (IANA assigned) |
| 2222 | Common alternative (Docker, dev environments) |
| 22222 | Secondary alternative for security through obscurity |
| 443 | SSH over HTTPS port (bypasses restrictive firewalls) |
Why is my SSH port closed?
- •SSH service not running — Check with
systemctl status sshd - •Firewall blocking — Check iptables, ufw, or cloud security groups
- •Wrong port — SSH might be configured on a non-standard port in /etc/ssh/sshd_config
- •NAT/Router issue — Port forwarding may not be configured for internal servers
- •Server offline — The machine might be powered off or unreachable
Frequently Asked Questions
Is SSH port 22 secure to expose to the internet?
Port 22 itself is secure when SSH is properly configured. However, exposing it invites brute-force attacks. Best practices include: using key-based authentication (disable passwords), implementing fail2ban, using a non-standard port, and restricting access via firewall rules to known IPs when possible.
Why use a different port than 22?
Changing the SSH port reduces automated attack noise in your logs and provides minor security through obscurity. It won't stop a determined attacker (port scans reveal open ports), but it eliminates most automated bots targeting port 22. Common alternatives are 2222, 22222, or high ports like 49152.
What's the difference between 'closed' and 'filtered'?
A 'closed' port responds with a TCP RST packet—the port is reachable but nothing is listening. A 'filtered' port gives no response (timeout)—usually a firewall is dropping packets silently. Both prevent SSH connections, but filtered suggests firewall configuration, while closed suggests the SSH service isn't running.
Can I SSH over port 443 to bypass firewalls?
Yes, many restrictive networks (hotels, airports) only allow ports 80 and 443. You can configure SSH to listen on 443 if you don't need HTTPS on that server. Tools like sslh can multiplex SSH and HTTPS on the same port by detecting the protocol.
Why does the port show open but I still can't connect?
An open port means TCP connection succeeds, but SSH authentication is separate. Issues could include: wrong username, SSH key not accepted, password authentication disabled, user not in AllowUsers list, or SSH banner exchange failing due to protocol mismatch.
How do I check which port SSH is running on?
On the server, run 'grep Port /etc/ssh/sshd_config' or 'ss -tlnp | grep ssh'. The config file shows the configured port; ss shows what's actually listening. They should match—if not, restart sshd after config changes.
What does 'connection refused' mean?
Connection refused (TCP RST) means the port is reachable but nothing is listening—the SSH daemon isn't running or is on a different port. This differs from a timeout, which suggests firewall blocking or the host being unreachable.
Is TCP or UDP used for SSH?
SSH uses TCP exclusively (not UDP) because it requires reliable, ordered delivery for secure shell sessions. TCP's connection-oriented nature ensures encrypted data arrives intact and in sequence, which is critical for interactive terminal sessions.
Related Tools
Need to manage SSH connections?
SSH Workbench lets you connect, browse files, and manage servers visually.
Try SSH Workbench Free