What it is
Secure Shell (SSH) is the de facto protocol for encrypted remote administration, secure file transfer (SCP/SFTP), and tunneling. It typically listens on TCP port 22 and negotiates confidentiality, integrity, and authenticity through modern cryptography. SSH supports password, public/private key, and hardware-backed authentication. Because it delivers interactive shell access and supports command execution, SSH endpoints are high-value targets for attackers seeking control of servers and network infrastructure.
Organizations use SSH for operator access to Linux and network devices, Git-over-SSH workflows, and automation tasks. Risks emerge when default accounts persist, weak passwords remain, private keys are left unprotected, or key sprawl creates unmanaged access paths.
Why it matters
Compromised SSH access often results in persistent, stealthy intrusions. Automated bots constantly scan for open port 22 services and launch credential stuffing or brute-force attacks. Once attackers gain SSH access, they can escalate privileges, install backdoors, exfiltrate data, and pivot laterally. Poor key management—for example, shared keys without expiration—provides broad access that is difficult to revoke or audit.
How to reduce risk
- Disable password authentication; require key-based or certificate authentication with passphrases.
- Use bastion/jump hosts and central session recording for privileged access.
- Enforce least privilege and ephemeral credentials (short-lived certificates, Just-in-Time access).
- Inventory, rotate, and prune SSH keys; map ownership to users or services.
- Restrict SSH exposure to trusted networks or specific IP ranges; consider port knocking or VPN front-ends.
- Enable multi-factor authentication (MFA) where possible via SSH certificates or proxy solutions.
- Monitor for unusual login patterns, failed login spikes, and unauthorized key additions.