Port 1222: nerv (SNI R&D network) — The forgotten assignment hiding SSH traffic

What Runs on Port 1222

Port 1222 has an official IANA registration for a service called "nerv" - described as "SNI R&D network."¹ But here's the truth: almost nobody uses port 1222 for its official purpose. Instead, this port is commonly used as an alternative SSH port.²

When you see port 1222 open on a server, it's probably SSH. Not nerv. Not SNI R&D network. Just SSH that someone moved from port 22.

Why Move SSH to Port 1222?

Port 22 is the standard SSH port. Every automated scanner on the Internet knows this. They hammer port 22 constantly - trying credentials, looking for vulnerabilities, filling up logs with failed authentication attempts.

Moving SSH to port 1222 is security through obscurity. It doesn't make SSH more secure - the encryption is identical. But it does make your server quieter. The bots scanning port 22 won't find you. Your logs become readable again.

This doesn't replace real security - you still need strong keys, disabled password authentication, fail2ban, all of it. But it removes the noise.³

The Registered Service: nerv

The official assignment is for "nerv" (SNI R&D network). SNI likely refers to Siemens Nixdorf Informationssysteme, a German computer company that was prominent in the 1990s. The service name "nerv" and what it actually did remain obscure - there's minimal public documentation about this protocol.

This is common with older registered ports. A company or research project requested the assignment, used it for internal purposes, and it's been sitting in the registry ever since - officially claimed but practically unused.

Security Considerations

If you're running SSH on port 1222:

• This is not a substitute for proper SSH hardening
• Key-based authentication is still required
• Disable password authentication
• Keep SSH updated
• Use fail2ban or similar tools
• Remember: obscurity is not security, it's just peace and quiet

If you're scanning port 1222:

• Treat it like any SSH service
• The protocol is identical to port 22
• Don't assume security through obscurity means weak security

How to Check What's Listening on Port 1222

On Linux or macOS:

sudo lsof -i :1222
sudo netstat -tlnp | grep 1222

On Windows:

netstat -ano | findstr :1222

To connect via SSH if the service is running on port 1222:

ssh -p 1222 user@hostname

The Port Range

Port 1222 falls in the registered ports range (1024-49151). These ports are assigned by IANA for specific services, but unlike well-known ports (0-1023), they don't require root privileges to use. This makes them popular for both official services and alternative configurations of standard services.

Related Ports

• Port 22 - SSH (standard port)
• Port 2222 - Another common alternative SSH port
• Port 8022 - EthernetIP-2, but also used for SSH
• Port 2200-2299 - Range sometimes used for SSH alternatives