SFTP (SSH File Transfer Protocol) primarily uses TCP Port 22. It leverages this port because it operates as a subsystem of the Secure Shell (SSH) protocol, which is assigned to port 22 by the Internet Assigned Numbers Authority (IANA).
Understanding SFTP and Its Port Usage
SFTP is not a standalone protocol with its own dedicated port number. Instead, it relies entirely on the underlying SSH connection for data transfer and security. When you initiate an SFTP connection, you are essentially establishing an SSH connection first, and then SFTP commands and data are transmitted securely within that encrypted SSH tunnel.
This design choice provides several significant advantages:
- Security: By running over SSH, SFTP inherits SSH's robust encryption, authentication, and data integrity features. All file transfers, commands, and credentials are encrypted, protecting them from eavesdropping and tampering.
- Simplicity: No need to open additional ports on firewalls for file transfer, as the single SSH port (22) handles both secure shell access and secure file transfer.
- Authentication: SFTP benefits from SSH's strong authentication mechanisms, including password, public key, and multi-factor authentication.
Port 22 and Its Protocols
While TCP port 22 is the port SSH and SFTP actually use, IANA's registration of the "ssh" service on port 22 also covers the UDP and SCTP transports, which SSH implementations do not use.
Here's a breakdown of how Port 22 is assigned:
| Protocol | Port Number | Description | Primary Use for SFTP |
|---|---|---|---|
| TCP | 22 | Transmission Control Protocol | Yes (Primary) |
| UDP | 22 | User Datagram Protocol | No (SSH/SFTP is TCP-based) |
| SCTP | 22 | Stream Control Transmission Protocol | No (Less Common) |
Key Insight: While Port 22 is assigned to TCP, UDP, and SCTP, SFTP strictly operates over TCP port 22. The SSH protocol, which SFTP utilizes, is fundamentally a TCP-based application. Therefore, when discussing SFTP ports, TCP port 22 is the one that matters for establishing and maintaining connections.
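Because the SSH transport is plain TCP, the quickest way to confirm that TCP port 22 (or a custom port) is open and that an SSH server is really the thing answering is to complete the TCP handshake and read the identification line every SSH server sends first (RFC 4253 section 4.2). The following is an added example, not code from the original article: `probe_ssh_banner`, `DEFAULT_SSH_PORT` and the `start_fake_server` fixture are names introduced here, and the fixture's banners are constructed stand-ins for a real sshd so the script runs offline.

```python
"""Check that a host:port really speaks SSH (the transport SFTP rides on).

Added example, not code from the original article. Opens a plain TCP
connection, reads the server identification line defined in RFC 4253 s4.2
("SSH-protoversion-softwareversion SP comments CR LF") and reports it.
"""
import socket
import threading

DEFAULT_SSH_PORT = 22  # IANA "ssh" service port; SFTP runs inside this SSH session


def probe_ssh_banner(host, port=DEFAULT_SSH_PORT, timeout=3.0):
    """Return a dict: reachable, is_ssh, protoversion, softwareversion, raw.

    'reachable' means the TCP handshake completed (the firewall lets the port
    through); 'is_ssh' means the peer then sent a valid SSH-* identification
    line. A port that accepts TCP but speaks something else (e.g. plain FTP)
    comes back reachable but not SSH.
    """
    result = {"reachable": False, "is_ssh": False,
              "protoversion": None, "softwareversion": None, "raw": ""}
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            # The server MAY send other lines before its SSH-* line, so read a
            # bounded number of lines until one starting with "SSH-" is complete.
            while buf.count(b"\n") < 5 and len(buf) < 4096:
                try:
                    chunk = sock.recv(512)
                except OSError:  # read timeout or reset: use what we have
                    break
                if not chunk:
                    break
                buf += chunk
                start = buf.find(b"SSH-")
                if start != -1 and b"\n" in buf[start:]:
                    break
    except OSError:
        return result  # refused, filtered or timed out: not reachable
    for line in buf.decode("ascii", errors="replace").splitlines():
        if line.startswith("SSH-"):
            result["raw"] = line
            ident = line.split(" ", 1)[0]   # drop the optional comments field
            parts = ident.split("-", 2)     # ["SSH", protoversion, softwareversion]
            if len(parts) == 3 and parts[1] and parts[2]:
                result["is_ssh"] = True
                result["protoversion"] = parts[1]
                result["softwareversion"] = parts[2]
            break
    return result


def start_fake_server(banner, host="127.0.0.1"):
    """Constructed test fixture standing in for a real server: listens on an
    ephemeral port, serves one connection by sending `banner`, then closes.
    Returns the port number so callers can probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # Stand-alone demo against constructed local servers, then the real port 22.
    ssh_port = start_fake_server(b"SSH-2.0-OpenSSH_9.6 constructed-sample\r\n")
    print("fake sshd   :", probe_ssh_banner("127.0.0.1", ssh_port))
    ftp_port = start_fake_server(b"220 not an SSH server\r\n")
    print("fake ftpd   :", probe_ssh_banner("127.0.0.1", ftp_port))
    print("localhost:22:", probe_ssh_banner("127.0.0.1"))
```

A real sshd records such a probe as a connection closed before authentication; that is the same footprint the automated scanners that hit port 22 leave, so these entries in the auth log are a useful baseline when deciding what to alert on.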
Practical Implications and Configuration
Understanding that SFTP uses TCP port 22 is crucial for network administrators and users alike.
- Firewall Configuration: To allow SFTP traffic, you must ensure that TCP port 22 is open on your network's firewalls, both inbound to the server and outbound from the client. Blocking this port will prevent SFTP connections.
- Security Best Practices: Because it is the default for every SSH deployment, port 22 is scanned constantly and is a frequent target for brute-force login attempts. Common mitigations:
  - Change Default Port: For enhanced security, some organizations run SSH (and thus SFTP) on a non-standard port (e.g., 2222, 22222) instead of the default port 22. This is sometimes called "port obfuscation"; it is distinct from port knocking, a separate technique that keeps the port closed until a client sends a pre-arranged sequence of connection attempts. Moving the port reduces automated attack noise but is obscurity rather than protection, and it requires clients to know and specify the custom port.
  - Strong Authentication: Always use strong passwords, and preferably public-key authentication, for SFTP/SSH access.
  - IP Whitelisting: Restrict SSH/SFTP access to specific known IP addresses or networks.
  - Disable Password Authentication: If possible, disable password authentication entirely and rely solely on SSH keys.
- Client Configuration: Most SFTP clients (like FileZilla, WinSCP, Cyberduck) default to using port 22. If your server uses a custom port, you will need to specify it in your client's connection settings.
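The recommendations above map onto specific `sshd_config` directives, so here is an added example (not the article's or OpenSSH's own code) that parses an `sshd_config` the way sshd reads it in the respects that matter here (keywords case-insensitive, first occurrence of a keyword wins, directives after a `Match` line apply only under that condition) and flags the weak settings, with a hardened variant of the same file beside it. The two embedded configs are constructed samples; `parse_sshd_config`, `audit_sshd_config` and the check ids are names introduced here.

```python
"""Audit an sshd_config text for the hardening points in the article.

Added example, not the article's or OpenSSH's own code. Parses the file the
way sshd does in the respects that matter here: one "Keyword value" per line
(whitespace or '=' separated), keywords case-insensitive, '#' starts a
comment, the FIRST occurrence of a keyword wins, and directives after a Match
line apply only under that Match condition.
"""
import re

# Constructed sample: a default-ish config with a few edits (the weak case).
WEAK_SSHD_CONFIG = """\
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin prohibit-password
Subsystem sftp internal-sftp

Match Address 10.20.0.0/16
    PasswordAuthentication no
"""

# Constructed sample: the same server after applying the recommendations.
HARDENED_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers deploy@10.20.0.0/16 backup@10.20.5.7
Subsystem sftp internal-sftp
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives: {keyword: first value}; match_blocks: list of
    (criteria, {keyword: first value}) in file order.
    """
    global_directives, match_blocks = {}, []
    current = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            block = {}
            match_blocks.append((value, block))
            current = block
            continue
        current.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return global_directives, match_blocks


def audit_sshd_config(text):
    """Return a list of (severity, check_id, message) findings."""
    g, matches = parse_sshd_config(text)
    findings = []
    port = g.get("port", "22")  # sshd default when Port is absent
    if port == "22":
        findings.append(("info", "default-port",
                         "listening on the default TCP port 22; expect scanner noise"))
    else:
        findings.append(("info", "custom-port",
                         f"listening on TCP port {port}; clients must set it explicitly"))
    if g.get("passwordauthentication", "yes").lower() != "no":  # sshd default is yes
        findings.append(("high", "password-auth",
                         "PasswordAuthentication is enabled globally; use keys only"))
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append(("high", "pubkey-disabled", "PubkeyAuthentication is off"))
    # Keyboard-interactive (PAM) can still accept passwords when
    # PasswordAuthentication is no; older releases spell it ChallengeResponseAuthentication.
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append(("medium", "kbd-interactive",
                         "keyboard-interactive auth still enabled; PAM may accept passwords"))
    allow = g.get("allowusers", "")
    if not allow and "allowgroups" not in g:
        findings.append(("medium", "no-allowusers",
                         "no AllowUsers/AllowGroups; restrict who may log in"))
    elif allow and any("@" not in entry for entry in allow.split()):
        findings.append(("info", "allowusers-unscoped",
                         "some AllowUsers entries lack a user@host/CIDR source restriction"))
    for criteria, block in matches:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(("medium", "match-password-auth",
                             f"Match {criteria} re-enables password authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for severity, check, message in audit_sshd_config(cfg):
            print(f"[{severity:6}] {check}: {message}")
```

The `user@host` form of `AllowUsers` is sshd's own way of scoping a login to a source address or CIDR; it complements, rather than replaces, the firewall rule that only admits TCP port 22 (or the custom port) from known networks.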
In summary, SFTP does not introduce its own unique port. It leverages the well-established and secure communication channel provided by SSH on TCP port 22, making it a secure and widely adopted method for file transfers.