What port does SFTP use? Quick Answer: SFTP uses port 22 by default, the same port used by SSH (Secure Shell). This is because SFTP runs as a subsystem of SSH, so every SFTP session is carried inside an encrypted, authenticated SSH connection rather than needing its own security layer.
Understanding SFTP and Its Default Port
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that provides encrypted file access, transfer, and management functionality over a network connection. Unlike FTP, which uses separate ports for commands and data transfer, SFTP uses a single port for all communications.
Why Port 22?
SFTP uses port 22 because it operates as an extension of the SSH protocol. When you connect to an SFTP server, you establish an SSH connection first, then invoke the SFTP subsystem within that secure channel. This design provides several advantages:
- Single port simplicity: Only one port needs to be opened in firewalls
- Built-in encryption: All data is encrypted by default using SSH’s encryption
- Authentication flexibility: Supports both password and key-based authentication
- No separate data channel: Unlike FTP, all communication happens through one connection
SFTP vs. FTPS: Understanding Port Differences
It’s important not to confuse SFTP with FTPS (FTP over SSL/TLS), as they use different ports:
| Protocol | Control Port | Data Port | Description |
|---|---|---|---|
| SFTP | 22 | (same as control) | SSH File Transfer Protocol |
| FTPS (Explicit) | 21 | Dynamic high port | FTP over TLS/SSL |
| FTPS (Implicit) | 990 | (same as control) | Legacy secure FTP |
| FTP | 21 | 20 (Active Mode) | Standard insecure FTP |
Configuring Custom SFTP Ports
While port 22 is the default, you can configure SFTP to use a different port for enhanced security or to avoid conflicts. Here’s how to do that with a standard SSH server:
On Linux/Unix Systems
- Edit the SSH daemon configuration file (sshd_config, the server side; ssh_config is the client configuration and does not affect listening ports):
sudo nano /etc/ssh/sshd_config
- Find or add the Port directive. Keep any comment on its own line rather than after the port number, because older OpenSSH releases reject extra text on a directive line and refuse to start:
# Custom port number
Port 2222
- Restart the SSH service. Validating the file first with sshd -t avoids locking yourself out over a typo, and on Debian and Ubuntu the unit is named ssh rather than sshd. On SELinux systems such as RHEL and Fedora, the new port must also be labelled for sshd before the daemon is allowed to bind to it:
sudo systemctl restart sshd
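The three steps above amount to editing one directive, but the details (commented-out "#Port 22" lines, trailing comments, Port directives that are only valid outside a Match block) are where hand edits go wrong. The script below is an added example, not code from the original article or from SFTP Gateway: it reports the ports an sshd_config file would listen on, flags Port lines with trailing tokens, and rewrites the Port directive with the comment on its own line. It operates on whatever file path it is given; the sample configuration in demo() is constructed, not a real system file.

```shell
#!/bin/sh
# Added example, not from the original article or from SFTP Gateway:
# inspect and set the Port directive of an sshd_config safely.
# Paths are whatever the caller passes in; demo() uses a constructed file.
set -eu

# Print every port sshd would listen on according to config file $1:
# each active "Port" directive in the global section, or 22 (sshd's
# built-in default) when none is set. Port is not valid inside a Match
# block, so scanning stops at the first "Match" line.
effective_ports() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { print $2; found = 1 }
        END { if (!found) print 22 }
    ' "$1"
}

# Return 1 if any Port line carries extra tokens, e.g. "Port 2222 # custom".
# Older OpenSSH releases refuse to start on such a line ("garbage at end
# of line"), so comments belong on a line of their own.
lint_port_lines() {
    awk '
        tolower($1) == "port" && NF > 2 {
            printf "line %d: extra tokens after Port: %s\n", NR, $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Set the listening port in config file $1 to $2: the first active Port line
# in the global section is replaced, further ones are dropped, and a Port
# line is appended when none existed. Commented "#Port 22" lines are kept.
set_sshd_port() {
    cfg=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v p="$port" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == "port" {
            if (!done) { print "# SSH/SFTP listening port (default is 22)"; print "Port " p; done = 1 }
            next
        }
        { print }
        END { if (!done) { print "# SSH/SFTP listening port (default is 22)"; print "Port " p } }
    ' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

demo() {
    cfg=$(mktemp)
    # Constructed sample config; the trailing comment is the mistake the lint catches.
    cat > "$cfg" <<'EOF'
#Port 22
Port 2222 # Custom port number
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
    echo "before: listening on $(effective_ports "$cfg" | tr '\n' ' ')"
    lint_port_lines "$cfg" || echo "lint: fix needed"
    set_sshd_port "$cfg" 2200
    echo "after:  listening on $(effective_ports "$cfg" | tr '\n' ' ')"
    lint_port_lines "$cfg" && echo "lint: clean"
    rm -f "$cfg"
}
demo
```

Run it against a copy of /etc/ssh/sshd_config before touching the real file; once the copy passes the lint and effective_ports prints what you expect, install it and run sshd -t before restarting.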
For SFTP Gateway
To configure SFTP ports on SFTP Gateway from Thorn Technologies, use this documentation from our Knowledge Base: Changing the Default SFTP Port · SFTP Gateway Support.
Security Considerations for Custom Ports
Using a non-standard port can provide some benefits:
- Reduced automated attacks: Many bots only scan default ports
- Avoiding port conflicts: Useful if port 22 is already in use
- Compliance requirements: Some organizations mandate non-standard ports
However, remember that security through obscurity is not a complete solution. Always implement proper authentication and access controls.
Connecting to SFTP on Different Ports
When connecting to an SFTP server on a non-standard port, you’ll need to specify the port number:
Command Line Examples
# Using sftp command (note the uppercase -P; ssh itself takes a lowercase -p)
sftp -P 2222 username@hostname
Popular SFTP Clients
Most SFTP clients allow you to specify custom ports:
- FileZilla: Enter the port in the “Port” field
- WinSCP: Include port in the host field (hostname:port) or use the dedicated port field
- Cyberduck: Specify port in the connection dialog
- PuTTY: Enter port number in the configuration window
Firewall Configuration for SFTP
To allow SFTP connections through a firewall, you need to open the appropriate port:
Linux (iptables)
# Allow incoming SFTP on default port
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow incoming SFTP on custom port
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
Rules added this way are held in memory only and disappear on reboot unless you save them with your distribution's persistence mechanism; -A also appends after any existing rules, so an earlier DROP rule in the INPUT chain still wins.
Windows Firewall
# Allow SFTP on port 22
New-NetFirewallRule -DisplayName "SFTP" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
Cloud Firewall Configuration for SFTP
In cloud environments, SFTP access is typically controlled through cloud security groups or network security groups (NSGs) rather than traditional OS-level firewalls. For specific port requirements when using SFTP Gateway, including port 22 and other necessary ports, check out this Knowledge Base article on ports and protocols for SFTP Gateway.
Troubleshooting SFTP Port Issues
Common problems and solutions when dealing with SFTP ports:
Port Already in Use
Check what’s using the port:
# Linux
sudo netstat -tlnp | grep :22
# Windows
netstat -an | findstr :22
Connection Refused
- Verify the SSH/SFTP service is running
- Check firewall rules
- Confirm the correct port number
- Test connectivity:
telnet hostname 22
Timeout Issues
- Check for intermediate firewalls blocking the port
- Verify network connectivity
- Consider MTU size issues for slow connections
Best Practices for SFTP Port Management
- Document port changes: Always document non-standard ports in your system documentation
- Use strong authentication: Combine port changes with key-based authentication
- Monitor access logs: Regularly review SSH/SFTP access logs
- Implement fail2ban: Protect against brute force attacks
- Keep software updated: Regularly update SSH server software
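"Monitor access logs" and "use strong authentication" are easier to act on with a concrete summary of what sshd has been logging. The script below is an added example, not code from the original article or from SFTP Gateway: it reads sshd authentication lines in their usual syslog format and reports source addresses with repeated failures (the signal fail2ban keys on), sessions that still authenticate with a password instead of a key, and users who opened the sftp subsystem. The log lines in write_sample_log are constructed; the host name, user names, fingerprint and RFC 5737 addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original article or from SFTP Gateway:
# summarise sshd authentication events from an auth log.
# The sample log written by write_sample_log is constructed test data.
set -eu

# Print "ip count" for every source address with at least $2 failed
# password or publickey attempts in log file $1, sorted by address.
failed_logins_by_ip() {
    awk -v t="$2" '
        /: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort
}

# Print "user ip" for sessions that authenticated with a password rather
# than a key: these accounts are candidates for key-based authentication.
password_logins() {
    awk '
        /: Accepted password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") u = $(i + 1)
                else if ($i == "from") { print u, $(i + 1); break }
            }
        }
    ' "$1" | sort
}

# Print each user who requested the sftp subsystem (one line per user).
sftp_sessions() {
    awk '/: subsystem request for sftp by user / { print $NF }' "$1" | sort -u
}

# Constructed sample of sshd lines as they appear in a syslog-style auth log.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 sftp01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 sftp01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:05 sftp01 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:09 sftp01 sshd[2107]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 10:00:09 sftp01 sshd[2107]: subsystem request for sftp by user alice
Jan 10 10:01:00 sftp01 sshd[2110]: Failed password for bob from 192.0.2.44 port 40001 ssh2
Jan 10 10:01:07 sftp01 sshd[2110]: Accepted password for bob from 192.0.2.44 port 40001 ssh2
Jan 10 10:01:08 sftp01 sshd[2110]: subsystem request for sftp by user bob
EOF
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "Sources with 3 or more failed logins:"
    failed_logins_by_ip "$log" 3
    echo "Password (not key) logins:"
    password_logins "$log"
    echo "Users who opened the sftp subsystem:"
    sftp_sessions "$log"
    rm -f "$log"
}
main
```

On a real host, point the functions at /var/log/auth.log or /var/log/secure (or at the output of journalctl -u ssh) and run them from cron; an address that trips the failure threshold is what a fail2ban jail would ban, and a non-empty password_logins list tells you which accounts still need keys before you disable PasswordAuthentication.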
Advanced SFTP Port Configuration
These advanced configurations can help in specific enterprise scenarios:
Port Forwarding
Port forwarding through SSH tunnels is useful when you need to access SFTP servers behind firewalls or in private networks. In the commands below, jump-host is the bastion you can reach directly and internal-server is the SFTP host that is only reachable from the bastion; the tunnel is opened in one terminal and the sftp session in another:
ssh -L 2222:internal-server:22 jump-host
sftp -P 2222 localhost
Use case: Accessing internal SFTP servers through a bastion host without exposing them directly to the internet.
Multiple Ports
Configure SSH to listen on multiple ports when you need to support different client configurations or migration scenarios:
Port 22
Port 2222
Use case: Gradually migrating clients from one port to another without service interruption.
Port Knocking
Implement port knocking for additional security before exposing the SFTP port.
Conclusion
SFTP uses port 22 by default, leveraging the secure SSH protocol for encrypted file transfers. While you can configure custom ports for specific needs, the default port 22 remains the standard for most implementations. Whether setting up an SFTP server or connecting as a client, understanding port configuration is crucial for successful and secure file transfers.
Remember that changing the default port is just one aspect of securing your SFTP server. Always implement comprehensive security measures including strong authentication, regular updates, and proper access controls to ensure your file transfer operations remain secure.
Key Takeaways
- SFTP default port: 22 (TCP)
- Same port as SSH because SFTP runs over SSH
- Can be customized in SSH server configuration
- Different from FTPS which uses ports 990 or 21
- Single port for all communication (unlike FTP)
- Always use encryption and strong authentication regardless of port choice
Simplify SFTP Management with SFTP Gateway
Managing SFTP servers, ports, and user access can become complex, especially in cloud environments. SFTP Gateway by Thorn Technologies provides a managed SFTP solution that simplifies these challenges:
How SFTP Gateway Helps
- Automated port management: No need to manually configure or maintain SSH/SFTP ports
- Cloud-native design: Seamlessly integrates with AWS S3, Azure Blob, and Google Cloud Storage
- Enhanced security: Built-in key management and access controls
- User-friendly interface: Manage SFTP users without SSH configuration files
- High availability: Automated failover and load balancing
- Compliance ready: Meets regulatory requirements with audit logging and encryption
Instead of managing traditional SFTP servers and worrying about port configurations, firewall rules, and SSH hardening, SFTP Gateway provides a turnkey solution that handles the complexity for you. Users connect on the standard SFTP port 22, while the backend automatically manages secure file storage in your cloud environment.
Learn more about SFTP Gateway and how it can simplify your secure file transfer needs while maintaining the familiar SFTP protocol your users already know. Ready for a deeper look? Check out the free white paper SFTP Gateway for the Enterprise.