
What Port Does SFTP Really Use and Why Is It Confused with FTP’s Port 21?

Is the SFTP Port Always 22, and How Do You Connect If It’s Different?

A common question in IT and web development circles is whether SFTP uses port 21 or port 22. This confusion is understandable because the names of file transfer protocols sound very similar. You often hear about FTP, SFTP, and FTPS, and it is easy to mix them up. The core of the question is trying to find the correct “doorway,” or port number, to use when you need to transfer files securely.

People often assume that since the classic File Transfer Protocol (FTP) uses port 21, its “secure” version must use a nearby port or the same one. However, the reality is more nuanced. The answer involves understanding that SFTP is a fundamentally different system than FTP. Getting this right is crucial for establishing a successful and secure connection to a server to manage your files. This article will provide a clear and detailed explanation of what port SFTP uses, why it uses that port, and how it differs from other related protocols.

Solutions and Detailed Explanations

The answer to this question has both a simple version and a more detailed, technical one. For most everyday situations, a single answer will suffice. However, to truly understand how file transfers work and to troubleshoot potential connection issues, it is important to grasp the underlying technology.

The Standard Answer: Port 22

For a direct and simple answer, SFTP almost always uses port 22. This is the standard, default port that server administrators and software developers rely on for SFTP connections. If you are using a file transfer application and you select SFTP as the protocol, it will likely default to using port 22 without you needing to enter it.

This port is the correct choice in the vast majority of cases. The reason for this standard is tied to the protocol that SFTP depends on to function: the Secure Shell, or SSH, protocol.

The Technical Truth: SFTP Runs on the SSH Port

SFTP is not a standalone protocol that simply encrypts file transfers. Its full name is SSH File Transfer Protocol. This name reveals its true nature: SFTP is a subsystem that operates inside an encrypted SSH connection.

Think of it this way:

  • SSH is like a secure, encrypted tunnel built between your computer and a server. It is designed to protect all data that passes through it. The standard entry point for this tunnel is port 22.
  • SFTP is just one type of traffic that can be sent through that secure SSH tunnel. Once the tunnel is established, you can use it to transfer files with SFTP, or you could use it for other purposes, like running commands on the server remotely.

Because SFTP is a part of SSH, it does not have its own dedicated port. It simply uses whatever port the SSH service on the server is configured to listen on. While the worldwide standard for SSH is port 22, a server administrator has the full ability to change it.
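The relationship described above, seen from the server side: in an OpenSSH `sshd_config`, SFTP appears only as a `Subsystem` line, and the port comes from the `Port` lines (22 when there are none). This is an added example, not from the original article; the sample config is constructed, and the reader is simplified (global section only, no `Include` files or `ListenAddress` ports).

```python
"""List the TCP ports on which an OpenSSH server config would offer SFTP."""

DEFAULT_SSH_PORT = 22

# Constructed sample, not taken from a real server.
SAMPLE_SSHD_CONFIG = """\
# SSH moved off the default port
Port 2222
port 49157
#Port 22
PasswordAuthentication no
Subsystem sftp internal-sftp
"""


def sftp_ports(config_text):
    """Return the sorted ports SFTP is reachable on, or [] if SFTP is off.

    Simplified reader (an assumption of this example): it handles the
    global section only and ignores Include files and ListenAddress ports.
    """
    ports = set()
    sftp_enabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        words = line.split()
        keyword = words[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                           # conditional blocks follow
        if keyword == "port" and len(words) > 1 and words[1].isdigit():
            ports.add(int(words[1]))        # several Port lines are allowed
        elif keyword == "subsystem" and len(words) > 2 and words[1] == "sftp":
            sftp_enabled = True
    if not sftp_enabled:
        return []
    # No Port line means sshd listens on 22; SFTP never has a port of its own.
    return sorted(ports) or [DEFAULT_SSH_PORT]


if __name__ == "__main__":
    print(sftp_ports(SAMPLE_SSHD_CONFIG))
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative source.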

Why a Server Administrator Might Change the SSH Port

If port 22 is the standard, why would anyone change it? The main reason is for basic security hardening.

Automated Attacks

Malicious bots and hackers constantly scan the internet for open servers. They specifically target common ports like port 22, looking for servers with weak passwords or unpatched vulnerabilities. An open port 22 signals that an SSH server is likely running and available to attack.

Reducing “Noise”

Even if a server is perfectly secure, these constant automated login attempts can fill up server logs with thousands of useless entries. This makes it harder for an administrator to spot genuine security issues.

Security Through Obscurity

By moving the SSH service to a different, non-standard port (like port 2222 or 49157), an administrator makes the server less visible to these automated scans. An attacker would have to scan all 65,535 possible ports to find the new SSH entry point, which is far more time-consuming. This is not a complete security solution on its own, but it serves as a simple and effective first line of defense.

If an administrator has changed the SSH port, you will not be able to connect using SFTP on port 22. You must get the correct port number from the server administrator to establish a connection.

How to Connect to an SFTP Server on a Custom Port

When you need to connect to an SFTP server that is not using the default port 22, you must specify the custom port number in your connection command or client software.

Using a Command-Line Client

If you are using the sftp command in a terminal on Linux or macOS, you can specify the port using the -oPort option. The syntax looks like this:

sftp -oPort=PORT_NUMBER USERNAME@HOSTNAME

For example, if the port is 2222, the user is calvyn, and the server is calvyn.com, the command would be:

sftp -oPort=2222 calvyn@calvyn.com

Using a Graphical SFTP Client

Most people use graphical applications like FileZilla, WinSCP, Cyberduck, or Transmit. All of these programs have a dedicated field in their connection manager for the port number. When you set up a new site connection, you will see fields for the hostname, username, password, and port. This field is usually pre-filled with 22 when you select SFTP, but you can simply type the correct custom port number into that box.

Resolving Protocol Confusion: SFTP vs. FTP vs. FTPS

The original confusion between ports 21 and 22 stems from the similarity in the names of the protocols. It is essential to understand that they are completely separate systems with different behaviors and security models.

FTP (File Transfer Protocol)

  • Port: It uses port 21 for sending commands (like login requests and file listings).
  • Security: It is completely insecure. All data, including usernames and passwords, is sent in plain text. Anyone monitoring the network can steal your credentials.
  • How it Works: FTP uses a second, separate data channel to transfer the actual files. This can be complex to manage with modern firewalls, as it requires opening additional ports dynamically. It is an obsolete protocol for almost all use cases today.

FTPS (FTP over SSL/TLS)

  • Port: It also uses port 21 (for explicit mode) or sometimes port 990 (for implicit mode).
  • Security: This is the classic FTP protocol with a layer of SSL/TLS encryption added on top. It is secure, but the term often causes confusion. People sometimes call it “Secure FTP.”
  • How it Works: FTPS retains the same command-and-data channel architecture as FTP. While the channels are encrypted, its reliance on multiple ports can still create firewall configuration challenges.

SFTP (SSH File Transfer Protocol)

  • Port: It uses port 22 (or the custom SSH port).
  • Security: It is highly secure. It operates over a single, encrypted SSH connection that protects both commands and data.
  • How it Works: As a modern protocol, SFTP is much simpler and more firewall-friendly than FTP or FTPS. It uses only one port for the entire session. It is a completely different protocol, not just a “secure” version of FTP.
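To confirm which of these protocols is actually listening on a port you have been given, before a client sends credentials to it, you can look at the first line the server sends. This is an added example, not part of the original article; it relies on two facts from the protocol specifications rather than from this page: SSH servers open with an identification string beginning `SSH-`, and FTP servers open with a three-digit reply code such as `220`.

```python
"""Tell SSH (SFTP) and FTP apart by the first line the server sends."""
import socket


def classify_greeting(first_line: bytes) -> str:
    """Map a server's first line to the protocol family it indicates."""
    text = first_line.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        # SSH identification string: SFTP runs inside this connection.
        return "ssh"
    if len(text) >= 3 and text[:3].isdigit() and text[3:4] in (" ", "-", ""):
        # Three-digit reply code: an FTP control channel (plain FTP, or
        # explicit FTPS before TLS is negotiated). SMTP greets the same
        # way, so read this result together with the port number.
        return "ftp"
    if not text:
        # Silence usually means the server waits for the client to speak
        # first, as with implicit FTPS, where TLS starts immediately.
        return "silent"
    return "unknown"


def read_greeting(sock: socket.socket, timeout: float = 3.0) -> bytes:
    """Read up to the first newline without sending anything."""
    sock.settimeout(timeout)
    data = b""
    try:
        while b"\n" not in data and len(data) < 512:
            chunk = sock.recv(256)
            if not chunk:
                break                      # peer closed the connection
            data += chunk
    except socket.timeout:
        pass                               # server stayed silent
    return data.split(b"\n", 1)[0]


def check_port(host: str, port: int) -> str:
    """Connect to host:port and classify what answers there."""
    with socket.create_connection((host, port), timeout=3.0) as sock:
        return classify_greeting(read_greeting(sock))
```

A result of `ftp` on the port you were told to use for "secure FTP" means a plain FTP login there would send the password in clear text unless the client negotiates TLS first.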

A Historical Footnote: The Other SFTP on Port 115

To add one final layer of detail, there is a historical protocol that can cause confusion. In 1984, a protocol named “Simple File Transfer Protocol” was defined and assigned to port 115. This protocol is completely unrelated to the modern SSH File Transfer Protocol. It is obsolete and has not been in use for decades. While you may occasionally see references to port 115 in very old documentation, it has no relevance to modern SFTP connections, which are built on SSH.