Port 2022: Xinuexpansion2 — An Old Claim, a Common Workaround

What Port 2022 Is

Port 2022 sits in the registered ports range (1024–49151). These ports are assigned by IANA for specific services but don't require root privileges to open — any process can bind to them. Unlike the well-known ports below 1024, registered ports are workhorses: some carry major protocols (like 3306 for MySQL), others hold reservations for services long since forgotten.

Port 2022 holds one of those old reservations.

The Official Registration: Xinuexpansion2

IANA lists port 2022 as xinuexpansion2 on both TCP and UDP.¹

XINU stands for "Xinu Is Not Unix" — a recursive acronym invented at Purdue University in the 1980s. Douglas Comer created it as a small, elegant teaching operating system, designed to show how a complete OS with networking could fit in roughly 10,000 lines of code.² The name is also "Unix" spelled backwards, which tells you something about the culture of the era.

During the early Internet, Purdue reserved a cluster of ports for XINU's network services: xinupageserver on 2020, xinuexpansion1 on 2021, xinuexpansion2 on 2022, and so on through 2024.³ These were probably placeholders for a distributed computing infrastructure that was being actively designed at the time.

XINU still exists — Purdue maintains it for embedded systems education — but xinuexpansion2 as a live network service is effectively extinct. The reservation remains because IANA doesn't reclaim ports; it only assigns them. The Internet still honors reservations from 40 years ago.

What Actually Runs Here

In practice, port 2022 is most commonly encountered as an alternate SSH port.

Sysadmins have long moved SSH off port 22 to reduce automated scanning. Bots continuously hammer port 22 with brute-force login attempts; changing the port eliminates most of that noise. Port 2022 is a popular choice — it's memorable (just 22 with a 20 prefix), in the registered range, and the official service it's named for generates zero traffic.

This is "security through obscurity," and the security community is divided on its value. Moving SSH does dramatically reduce automated attacks — mostly because bots target port 22 specifically. A determined attacker running a full port scan won't be stopped. But for reducing log noise and brute-force attempts, it works.⁴

Port 2022 also appears occasionally in:

• Development and staging SSH servers on shared infrastructure, where port 22 is reserved for production
• CI/CD pipelines and container environments that need a secondary SSH endpoint
• Honeypots mimicking alternate SSH configurations

How to Check What's Listening on Port 2022

On Linux/macOS:

# See what process is bound to port 2022
ss -tlnp | grep 2022

# Or with netstat
netstat -tlnp | grep 2022

# Check if anything is listening (no process details)
lsof -i :2022

On Windows:

netstat -aon | findstr :2022

The process ID in the output can be matched to a process name in Task Manager or with tasklist.

From outside the machine:

# Simple connectivity test
nc -zv hostname 2022

# Check if SSH is responding
ssh -p 2022 user@hostname

Why Unassigned-in-Practice Ports Matter

Port 2022 illustrates something important about how the port system works: official registration and actual use are different things.

IANA's registry is a namespace — a way to prevent collisions. But namespaces don't enforce themselves. When a registered service goes dormant, the port doesn't disappear; it stays assigned. Other services fill the vacuum, sometimes for decades, operating outside any official record.

This matters for security: when you see traffic on an unfamiliar port, the official IANA name is a starting point, not an answer. xinuexpansion2 tells you almost nothing about what's actually running. Always verify.