For some organizations, due diligence or compliance leads to engaging security professionals to perform audits on their sites—sometimes along with penetration tests (pentests).
A common finding in these security audits is that TCP port 22 is open on the server and should be closed.
The Simplest Recommendation
These reports are frequently automated checklist audits that include one-size-fits-most recommendations. For simplicity, the auditors do not explore every option for resolving a finding, nor do they take the specific implementation on the server into account.
This is not negligence on their part. They are simply providing the most clear-cut resolution to the issue.
However, it’s possible to safely operate a website without closing Port 22.
Port 22: What is it and Why is it Open?
What is Port 22?
Port 22 is the default TCP port on which the SSH (Secure Shell) server listens. Web developers and IT staff connect to it to get a shell on the web server or to transfer files with SFTP (SSH File Transfer Protocol), which runs as a subsystem over the same SSH connection rather than on a separate port.
Why is it Open?
Web developers and site managers will connect to their websites using SSH and/or SFTP to perform regular maintenance, upload or modify files such as images and media, upload videos, use advanced server features, set up scheduled tasks and review error logs. You can see how people use SSH and SFTP in MODX Cloud.
Limiting Risk: Open with Protections
The primary concerns with an open Port 22 are unauthorized access, brute-force attacks (where attackers use automation to try passwords until one succeeds), and DDoS attacks (where attackers flood the port with connections so the service, or the whole server, stops responding).
Mitigations
MODX Cloud uses a variety of effective mitigations to prevent any of those problems from occurring.
DDoS Protection
Our infrastructure provider, IBM Cloud, provides multiple network-level DDoS (Distributed Denial of Service) protections in its data centers. Among them, automated traffic that exceeds a certain volume of connections per second or a certain request size is blocked before it can overwhelm the network or the server.
Further, security-minded website owners should deploy a WAF (web application firewall) that also includes DDoS protection and mitigation, such as our Cloud Edge add-on, powered by Cloudflare Enterprise. While not specific to port 22, this will help protect web traffic (port 443) against malicious visitors and/or overly aggressive bots.
Login Failure Limits and Blocks
MODX Cloud has access- and rate-limiting protections in place for connections over port 22, with a very low threshold for failed login attempts. When someone fails to log in more than a handful of times, their IP address is blocked temporarily. Persistent or volumetric attempts can result in a permanent block, in tripping a DDoS protection threshold on the network, or both.
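As an added example (not MODX Cloud's own tooling, whose thresholds are not published here), the following Python script replays constructed sshd log lines against a fail2ban-style policy: a sliding window of failed logins per source IP, a temporary ban when the window fills, and a permanent ban for repeat offenders. The thresholds, the sample log lines and the IP addresses are all assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines (RFC 5737 test addresses); not real MODX Cloud logs.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:00:03 web1 sshd[4012]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 10:00:05 web1 sshd[4013]: Failed password for invalid user test from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:07 web1 sshd[4014]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar  3 10:00:30 web1 sshd[4015]: Failed password for c1234 from 198.51.100.20 port 40030 ssh2
Mar  3 10:00:35 web1 sshd[4016]: Accepted password for c1234 from 198.51.100.20 port 40031 ssh2
Mar  3 10:02:00 web1 sshd[4017]: Accepted publickey for c1234 from 198.51.100.20 port 40032 ssh2: ED25519 SHA256:constructed
Mar  3 11:30:01 web1 sshd[4020]: Failed password for root from 203.0.113.7 port 52001 ssh2
Mar  3 11:30:03 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 52002 ssh2
Mar  3 11:30:05 web1 sshd[4022]: Failed password for root from 203.0.113.7 port 52003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line):
    """Return the login event in a syslog-style sshd line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
        "ok": m["result"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def apply_ban_policy(log_text, max_failures=5, window_s=600,
                     temp_ban_s=3600, temp_bans_before_permanent=3):
    """Replay sshd log lines against a fail2ban-style policy (thresholds are assumed, not MODX Cloud's).

    Returns (actions, permanently_banned): actions is a list of
    (timestamp, ip, "temp-ban" | "dropped" | "permanent-ban") in log order.
    """
    window = timedelta(seconds=window_s)
    temp_ban = timedelta(seconds=temp_ban_s)
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the sliding window
    banned_until = {}                      # ip -> end of the current temporary ban
    temp_ban_count = defaultdict(int)
    permanent = set()
    actions = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]

        # A banned source is dropped at the firewall before it reaches sshd; the replay
        # records the event so the effect of the ban is visible.
        if ip in permanent or banned_until.get(ip, datetime.min) > ts:
            actions.append((ts, ip, "dropped"))
            continue

        if ev["ok"]:
            recent_failures[ip].clear()        # a successful login resets the counter
            continue

        q = recent_failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:        # forget failures older than the window
            q.popleft()
        if len(q) < max_failures:
            continue

        q.clear()
        temp_ban_count[ip] += 1
        if temp_ban_count[ip] >= temp_bans_before_permanent:
            permanent.add(ip)
            actions.append((ts, ip, "permanent-ban"))
        else:
            banned_until[ip] = ts + temp_ban
            actions.append((ts, ip, "temp-ban"))
    return actions, permanent


if __name__ == "__main__":
    acts, perm = apply_ban_policy(SAMPLE_LOG, max_failures=3, temp_bans_before_permanent=2)
    for ts, ip, what in acts:
        print(f"{ts:%H:%M:%S} {ip:15} {what}")
    print("permanently banned:", sorted(perm))
```

With the lower thresholds in the `__main__` block, the attacker at 203.0.113.7 is banned temporarily after three failures, its fourth attempt is dropped, and the second burst an hour later makes the ban permanent, while the legitimate user's single typo is forgotten once they log in. In production the ban is enforced by a firewall rule (fail2ban does this with nftables or iptables), not by sshd, so the "dropped" events would never appear in the log at all.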
No Root Access
Customers logged into the servers powering their Cloud instances do not have root or sudo access, so a compromised customer login cannot change the system configuration or escalate to administrative control of the server.
Strong Passwords or SSH Keys
Cloud instances have individual, controlled access via a username/password combination or SSH keys. On newly created Clouds, passwords are 20 characters of upper- and lowercase letters, numbers, and special characters. SSH passwords can be changed to any length from 12 to 30 characters, following NIST recommendations. A random 20-character password drawn from that character set has roughly 130 bits of entropy, far beyond what any guessing attack can cover, and passwords may be changed at any time inside the MODX Cloud dashboard for individual Cloud instances.
Increasing password length and complexity increases the difficulty of cracking it. This article from Hive Systems shows how longer, more complex passwords increase the time needed to find a match. Those figures assume an offline attack: an attacker who holds a copy of the password hash and can keep guessing without interruption on clusters of high-powered systems. An SSH login is an online attack, and, as mentioned above, failed logins lead to temporary and then permanent bans, so an attacker gets only a handful of guesses per IP address before being shut out. Against a long, mixed-character, randomly generated password, that makes guessing practically impossible. What length does not protect against is a password that is reused elsewhere, phished, or leaked from a developer's machine; that is the case for SSH keys.
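To put numbers on that argument, here is an added Python example (not from the article or from MODX Cloud) that computes the entropy of a random password and the expected time to guess it, offline at an assumed GPU-cluster rate and online through a lockout policy. The 94-character alphabet, the 10^12 guesses per second offline rate and the "5 failures, then a one-hour ban" policy are assumptions for the example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password; 94 = printable ASCII without the space."""
    return length * math.log2(alphabet_size)


def years_to_guess(length, guesses_per_second, alphabet_size=94):
    """Expected years to hit a random password: on average half the keyspace is searched."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def throttled_rate(max_failures, temp_ban_seconds):
    """Best case for one attacking IP: fail max_failures times instantly, wait out the ban, repeat."""
    return max_failures / temp_ban_seconds


def guesses_before_permanent_ban(max_failures, temp_bans_before_permanent):
    """Hard cap on guesses from one IP once repeat offenders are banned for good."""
    return max_failures * temp_bans_before_permanent


def compare(length, offline_rate=1e12, max_failures=5, temp_ban_seconds=3600, botnet_ips=1):
    """Offline cracking vs. online guessing through the lockout, for a password of `length` chars.

    offline_rate of 1e12 guesses/s is an assumed figure for a large GPU cluster, not a measurement.
    botnet_ips scales the online rate for an attacker spreading guesses across many sources.
    """
    online_rate = throttled_rate(max_failures, temp_ban_seconds) * botnet_ips
    return {
        "bits": round(entropy_bits(length), 1),
        "offline_years": years_to_guess(length, offline_rate),
        "online_years": years_to_guess(length, online_rate),
    }


if __name__ == "__main__":
    for n in (12, 20):
        r = compare(n)
        print(f"{n} chars: {r['bits']} bits, offline {r['offline_years']:.3g} years, "
              f"online (one IP) {r['online_years']:.3g} years")
    print("guesses per IP before permanent ban:", guesses_before_permanent_ban(5, 3))
```

For 12 characters the offline figure is on the order of thousands of years at 10^12 guesses per second, while the throttled online figure for a single IP is around 5×10^18 years; spreading the attack across 10,000 IPs divides that by 10,000 and still leaves about 10^14 years. Once repeat offenders are banned permanently the bound is harder still: 15 guesses per IP, full stop.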
Future Plans: Disabled Password Access
We plan to offer the option of turning off password access and restricting logins to SSH keys only; however, we do not have a timeline for this.
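The end state described above, key-only logins with no root access, is set in the OpenSSH server configuration. The following Python script is an added example (not MODX Cloud's configuration, whose contents are not published) that audits an sshd_config against a baseline of those settings, showing a permissive configuration beside its hardened counterpart. The baseline, both sample configurations and the audit helper are assumptions for the illustration; the defaults table follows sshd_config(5).

```python
import re

# Directives we require and the values we accept. This baseline is an assumption for the
# example, not MODX Cloud's actual configuration.
REQUIRED = {
    "permitrootlogin": {"no"},
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},   # keyboard-interactive is another password path
    "permitemptypasswords": {"no"},
}
MAX_AUTH_TRIES = 3

# OpenSSH server defaults that apply when a keyword is absent (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed configs: a permissive one and its hardened counterpart.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the next line has no effect: sshd keeps the first value it reads for a keyword
PasswordAuthentication no
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
MaxAuthTries 3
"""


def effective_settings(config_text):
    """Global (pre-Match) settings with sshd's first-value-wins rule and defaults filled in."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd_config comments are whole lines only
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()
        if keyword == "match":
            break   # Match blocks are conditional; this audit covers global settings only (assumption)
        if len(parts) == 2:
            settings.setdefault(keyword, parts[1].strip())   # first occurrence wins
    for keyword, default in DEFAULTS.items():
        settings.setdefault(keyword, default)
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    s = effective_settings(config_text)
    findings = []
    for keyword, allowed in REQUIRED.items():
        if s[keyword].lower() not in allowed:
            findings.append(f"{keyword}={s[keyword]} (want {'/'.join(sorted(allowed))})")
    if int(s["maxauthtries"]) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries={s['maxauthtries']} (want <= {MAX_AUTH_TRIES})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Two details matter in practice and trip up hand edits: sshd uses the first value it reads for a keyword, not the last, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing, and settings inside a Match block apply only to matching connections. On a real host, audit the output of `sshd -T` (the effective configuration after Include and Match processing) rather than the file itself, and keep failed-login throttling in the firewall layer, since MaxAuthTries only limits attempts within a single connection.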
If it’s Absolutely Required for Compliance
If your organization is regulated or is required to comply with very stringent standards, it is possible to accommodate closing Port 22 on Private Platforms.
Security is a Pillar of MODX Cloud
MODX Cloud prides itself on providing secure, high-speed, business web hosting with incredible customer support. We configure our servers and systems to use the highest practical level of security while ensuring our customers and their teams can effectively manage their web properties.
Still Have Questions About Port 22?
If you still have questions about Port 22 or any other security concern, please submit a support ticket and we'll gladly answer any outstanding questions.