What Is an SFTP Port and Why Does It Matter?

If you need to establish a secure connection between a client and server to transfer business-critical or sensitive files, an SFTP (Secure File Transfer Protocol) port is a strong choice for securing data in transit. The SFTP port is a network port used to establish a secure connection or communication channel between the client and the server.  It ensures that during transit, data is encrypted and protected.

By default, this network port operates over port 22 – which is also used by SSH (Secure Shell). SSH is a widely used protocol to secure network communications and file transfers. Using a combination of asymmetric and symmetric cryptology, SSH provides strong encryption and optimal performance.

Related Reading: FTP vs FTPS vs SFTP: Which Protocol Should You Use and When

Advantages of Using an SFTP Port for Secure File Transfers

SFTP has several benefits over older, less secure ports such as FTP, including:

• In-transit encryption: Transferring data via SFTP port 22 (or a customized port) gives you the assurance that information (including login credentials) is encrypted while it is in motion.
• Single-port ease: Requiring only one port makes it easier to manage transfers in secure or firewalled environments.
• Multi-platform support: SFTP has broad support across all operating systems.
• Data integrity: With SFTP, data cannot be altered or corrupted during transfer as there are cryptographic checks performed.
• Compliance: The built-in encryption standards can help satisfy stringent requirements regarding how sensitive data is handled.
• Authentication: Password, public key authentication via SSH, or both password and public SSH key are required, which provides more security than FTP logins, which are plaintext.
• Access is controlled: As the SFTP runs over SSH, the robust permissions, login tools, and other user management used with SSH can also used with SFTP.
• Flexibility: To help prevent automated attacks targeting port 22, the SFTP port can be changed to an uncommon port, like 2222.

Best Practice: Use Custom Ports vs Default Port

Default port 22, while typically safe, can also be a high-profile target for cybercriminals as it is the “obvious” one. Security best practices for using SFTP include:

• Changing the default port 22 to a custom port
• Establishing and updating your firewall settings to allow traffic through the selected port

• Ensuring that your SFTP server and client are in alignment

  For even better security, we recommend using a reverse proxy, which allows external users to come in and be 'routed' to the MFT server, which sits behind another firewall. For example, a user could connect to the DMZ server using port 22 but be routed to the MFT server using port 2222. And, if using a secure proxy gateway, such as GoAnywhere Gateway, no inbound ports are needed into the MFT server. This is because the Gateway is tightly integrated with the MFT server. The MFT server maintains a back channel that originates from inside the secure network, out to the reverse proxy which is in the DMZ. It uses that open channel to setup connections for new SFTP sessions.

Potential Disadvantages of the SFTP Port

If needed, SFTP can be configured to use a different port, but the default port 22 is standard and recommended for security of file transfers. However, reasons organizations might want to use a different port than the default one, include:

• To avoid attacks set to automatically target port 22
• To prevent conflicts if another service is already using port 22, or if there are simultaneous SSH/SFTP services running on one network
• To meet compliance or policy requirements to use non-default ports, which can help reduce attack surfaces
• To separate network traffic if multiple services are using SSH

Still, using a singular port with SFTP is a more secure option than FTPS, which requires several ports to be open: Port 21 for control commands and port 20, or a range of higher order ports, for data transfer.

Requiring multiple ports opens organizations up to more risks, such as a broader attack surface, which creates multiple points of vulnerability. 

Adding ports also adds to the complexity for firewall configuration and can make auditing and logging more cumbersome.

How does MFT Support SFTP?

A robust managed file transfer (MFT) solution, such as GoAnywhere MFT, can automate, streamline, and secure SFTP data transfers. Plus, delivery of managed SFTP transfers are guaranteed, with automatic retries of connections, auto resume of any interrupted transfers, as well as integrity checks of all transfers. 

Organizations can benefit from GoAnywhere’s platform-agnostic solution as well as the option to deploy on-premises, to the cloud, within a hybrid environment, and via MFTaaS.