Secure shell (SSH) is a client and server application designed for logging into and executing commands on a remote computer, similar in purpose to telnet, rlogin, and rsh. SSH, however, provides encrypted communications between the two hosts. Arbitrary TCP ports can be forwarded over SSH, and files can be transferred using the associated scp or sftp programs. The standard TCP port for SSH is 22.
Users of the SSH application may also designate non-standard TCP ports for transport of the SSH session, or use HTTP or SOCKS proxies to encapsulate the SSH traffic. In these cases, clients will typically configure SSH to use the standard HTTP ports in place of the TCP port 22 specified for SSH traffic.
allow standard HTTP ports, and various proxy solutions, to traverse perimeter firewalls, so clients can use this technique to disguise SSH traffic and get it through, circumventing perimeter access policies. The use of SSH over non-standard ports does not by itself present a risk, but disguising any protocol to create otherwise restricted access can constitute a policy violation and can create a security exposure through vulnerabilities in the SSH application that the perimeter policy was meant to keep out of reach.
SSH also allows arbitrary port forwarding (tunneling), presenting an opportunity to disguise other network traffic from inspection, policies, and enforcement.
Software configuration policy enforcement and IPS signature detection of SSH traffic configured on non-standard ports are effective tools to control and detect the use of SSH over non-standard TCP ports.
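The IPS-style detection described above works because an SSH session opens with an identification string ("SSH-protoversion-softwareversion", RFC 4253 section 4.2) regardless of the TCP port it runs on. The following Python is an added example, not code from the original page or from any vendor's signature; it scans the first bytes of constructed flow records for that string and flags SSH on any port not in an allowed set. The `Flow` records, sample addresses and the 16-line scan bound are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_ID_RE = re.compile(rb"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^ \r\n]+)")
STANDARD_SSH_PORTS = {22}


@dataclass
class Flow:
    """Hypothetical flow record: first payload bytes sent by the server."""
    src: str
    dst: str
    dport: int
    payload: bytes


def ssh_identification(payload: bytes):
    """Return (protoversion, softwareversion) if the stream opens with an SSH
    identification string, else None. RFC 4253 lets a server send other lines
    before the identification string, so scan line by line (bounded to 16)."""
    for line in payload.split(b"\n")[:16]:
        m = SSH_ID_RE.match(line)
        if m:
            return m.group("proto").decode(), m.group("software").decode()
    return None


def detect_ssh_nonstandard(flows, allowed_ports=STANDARD_SSH_PORTS):
    """Flag flows carrying SSH on a destination port outside allowed_ports."""
    alerts = []
    for f in flows:
        ident = ssh_identification(f.payload)
        if ident and f.dport not in allowed_ports:
            alerts.append((f.src, f.dst, f.dport, ident[0], ident[1]))
    return alerts


# Constructed sample flows (not real captures): SSH on 22, SSH disguised on
# 443 and 80 (the latter behind a pre-banner line), and a genuine TLS hello.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.9p1\r\n"),
    Flow("10.0.0.8", "203.0.113.30", 80,
         b"welcome line\r\nSSH-1.99-dropbear_2022.83\r\n"),
    Flow("10.0.0.9", "203.0.113.40", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
]

if __name__ == "__main__":
    for alert in detect_ssh_nonstandard(SAMPLE_FLOWS):
        print("SSH on non-standard port:", alert)
```

Pass a wider `allowed_ports` set to whitelist ports the configuration policy sanctions; anything else that speaks SSH is reported.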