What it is
Secure Shell (SSH) is the default remote administration protocol and typically listens on TCP port 22. When the port is left open to the entire internet instead of trusted jump hosts, VPNs, or allow lists, anyone can probe the daemon, fingerprint versions, and hammer the login prompt. Attackers weaponize credential stuffing lists, automation, and known OpenSSH flaws to turn exposed ports into privileged shells.
Why it matters
SSH access often amounts to full control of the server. An openly reachable port greatly increases the attack surface, and weak authentication or an outdated daemon turns the constant background scanning noise into a breach. Once logged in, intruders can escalate privileges, pivot across infrastructure, or plant persistence for ransomware and data theft.
How to reduce risk
- Restrict SSH to specific IP addresses, bastion hosts, or VPN subnets.
- Prefer asymmetric key authentication (or short-lived certificates) over passwords, and disable password logins entirely when possible.
- Deny root SSH access; require sudo escalation with auditing.
- Enforce rate limiting through fail2ban, cloud firewalls, or security groups to block repeated failures.
- Consider moving SSH to a non-standard port only as a supplemental layer after access controls are in place.
- Keep OpenSSH patched and monitor for unusual login attempts or new authorized keys.
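A small audit script for the checklist above, added here as an example and not part of the original page: it reads an sshd_config text the way sshd does (case-insensitive keywords, first occurrence wins, global section ends at a Match block) and reports which recommendations are unmet, comparing a constructed permissive config against a hardened one. The values assumed for absent options are OpenSSH's documented defaults; the user names and addresses in the sample are invented.

```python
"""Audit an sshd_config text against the hardening list above (added example)."""
import re

# Constructed sample: a permissive, near-default sshd_config (not from any real host).
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes   # trailing comment, as sshd allows
MaxAuthTries 6
"""
# Constructed sample: the same daemon after applying the recommendations above.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@10.0.0.0/24 ops@192.0.2.10
"""
# option -> (OpenSSH default when the option is absent, predicate that must hold, finding text)
CHECKS = {
    "permitrootlogin": ("prohibit-password", lambda v: v in ("no", "prohibit-password"), "root may log in over SSH"),
    "passwordauthentication": ("yes", lambda v: v == "no", "password logins are enabled"),
    "kbdinteractiveauthentication": ("yes", lambda v: v == "no", "keyboard-interactive (PAM) password logins are enabled"),
    "pubkeyauthentication": ("yes", lambda v: v == "yes", "public key authentication is disabled"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3, "more than 3 auth attempts allowed per connection"),
    "allowusers": ("", lambda v: bool(v) and all("@" in u for u in v.split()), "AllowUsers does not pin every user to a source address"),
}

def parse_global_options(text):
    """Lower-cased option -> value for the global section, mirroring sshd's rules:
    '#' starts a comment, the FIRST occurrence wins, and a Match block ends the section."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts

def audit(text):
    """Return one finding per failed check; an empty list means the config passes."""
    opts = parse_global_options(text)
    return [f"{msg} ({key} = {opts.get(key, default) or 'unset'})"
            for key, (default, ok, msg) in CHECKS.items() if not ok(opts.get(key, default))]
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to list its unmet items; settings inside Match blocks are deliberately ignored because they apply only conditionally.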