
What This Port Is (According to IANA)

Port 1022 belongs to the well-known ports range (0-1023), which means it's in the tier that requires administrative privileges to use on Unix-like systems. It's officially assigned to something called exp2: RFC3692-style Experiment 2.[1] This is intentional. IANA set aside port 1022 (along with a handful of others) as a designated sandbox for people testing new protocols or applications that need a low-numbered port but aren't ready for permanent assignment.[2]

The assignment is real, documented, and unambiguous. It's also almost never used for its intended purpose.

What It Actually Does

In practice, port 1022 is the other SSH port. When you want a secure shell but don't want your server to be hammered 24/7 by automated scanners looking for port 22, you move SSH to 1022. It's a small obscurity move—not security through obscurity exactly, more like security by moving the front door to a slightly quieter street.

This is such common practice that many security guides recommend it as a basic hardening step. Some organizations run SSH on both port 22 (for known clients) and port 1022 (for everything else). Port 1022 becomes your escape route: if someone compromises the main SSH daemon, you still have a way in.[3]

There is no RFC that says SSH should be on 1022. IANA didn't assign it there. It just... happened. Enough people needed an alternative SSH port that they chose the one right next to the official one. It was memorable. It worked.

The Pattern This Reveals

Port 1022 is a window into how the port system actually works versus how it's supposed to work. IANA maintains the official registry. They assign services to ports with formal documentation and stakeholder agreement. But the moment a port number gets into developers' hands, a shadow system emerges: de facto usage that may have nothing to do with the official assignment.

This happens at scale. Port 3128 is "officially" something called Squid, but in practice it's become a signal for "HTTP proxy here." Port 5432 is PostgreSQL everywhere, even though the official assignment exists. Port 1022? It's the compromise between wanting a low-numbered, privileged port and wanting to stay off the grid.

How to Check What's Actually Using Port 1022

If you're running a server and want to know whether your SSH daemon, an experiment, or nothing at all is listening on 1022:

On macOS or Linux:

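# Run as root (sudo) to see processes owned by other users.
lsof -nP -iTCP:1022 -sTCP:LISTEN   # macOS and Linux; -nP keeps addresses and ports numeric
ss -tlnp | grep ':1022 '           # Linux (iproute2)
netstat -tlnp | grep ':1022 '      # Linux (net-tools); macOS netstat has no process flag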

On Windows:

netstat -ano | findstr :1022
Get-NetTCPConnection -LocalPort 1022 | Format-Table

Remote checking (if you have access):

nmap -p 1022 target.example.com

Port scanners will find whatever is listening. What they find will probably be SSH. What IANA says should be there is an experiment that never materialized.
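
For the Linux `ss` check above, a plain text match on `1022` also hits other ports and PIDs that contain those digits. The following is an added example, not part of the original page: it filters `ss -tlnp` output for exactly one listening port and reports the owning process. The function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample of `ss -tlnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      128          0.0.0.0:1022       0.0.0.0:*     users:(("sshd",pid=1450,fd=3))
LISTEN 0      4096       127.0.0.1:11022      0.0.0.0:*     users:(("python3",pid=1022,fd=5))
LISTEN 0      128             [::]:1022          [::]:*     users:(("sshd",pid=1450,fd=4))
EOF
}

# Read `ss -tlnp` output on stdin and print "address port process pid"
# for every socket listening on exactly port $1.
listeners_on_port() {
    awk -v want="$1" '
        $1 != "LISTEN" { next }          # skip the header line
        {
            n = split($4, part, ":")     # Local Address:Port; IPv6 adds extra colons
            port = part[n]               # the port is always the last piece
            if (port != want) next       # exact match, so 11022 is not 1022
            addr = substr($4, 1, length($4) - length(port) - 1)
            name = "unknown"; pid = "-"  # Process column is empty without root
            if (match($6, /\(\("[^"]*"/)) name = substr($6, RSTART + 3, RLENGTH - 4)
            if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
            print addr, port, name, pid
        }'
}

# Demonstration on the constructed sample.
sample_ss_output | listeners_on_port 1022
# On a live Linux host: sudo ss -tlnp | listeners_on_port 1022
```

On the sample, `grep 1022` would also return the `python3` line, which listens on 11022 and merely has PID 1022.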

Why Unassigned (And Mis-Assigned) Ports Matter

The port system works because we have numbers (1-65535) and agreement about what each number means. When IANA says "this number is for X," everyone knows to expect X there, or to pick a different number, Y, when X needs somewhere to hide.

But the system also works because it's flexible. Port 1022 can be exp2 on paper and SSH in practice, and the Internet doesn't break. This flexibility is what allows operators to respond to security threats faster than the formal process can move. The official assignment exists. It's documented. It's also irrelevant to anyone actually using port 1022 right now.

This is how living systems evolve. The formal structure persists. The practical structure grows around it.
