Port 2222 carries two identities. Officially, IANA registered it for EtherNet/IP, an industrial automation protocol that controls factory machinery.1 Unofficially, it has become the most common alternate port for SSH, used by millions of servers, Docker containers, and honeypots worldwide.
This is a story about what happens when an entire industry decides to hide in the same place.
The Official Story: Industrial Automation
EtherNet/IP (where "IP" stands for "Industrial Protocol," not "Internet Protocol") uses port 2222 for UDP implicit messaging, the time-critical traffic that keeps industrial machinery synchronized.2 Developed by Rockwell Automation and managed by ODVA, this protocol runs assembly lines, monitors sensors, and coordinates the physical machines that manufacture everything from automobiles to pharmaceuticals.
When a robot arm needs to know where to move in the next millisecond, that command might flow through port 2222. TCP port 44818 handles the slower explicit messaging, but port 2222 carries the real-time heartbeat of the factory floor.3
The Unofficial Truth: SSH's Shadow
But if you see port 2222 open on the Internet, it's almost certainly not controlling a factory. It's SSH.
The story goes back to 1995, when Tatu Ylönen at Helsinki University of Technology witnessed a password-sniffing attack that captured thousands of credentials flying across the network in plaintext.4 He created SSH to encrypt remote connections, and IANA assigned it port 22, conveniently nestled between FTP (21) and Telnet (23).5
Port 22 became one of the most valuable ports on the Internet, and one of the most attacked. Automated scanners hammer it constantly, testing default passwords, looking for misconfigurations, hunting for a way in.
So administrators started moving SSH to other ports. And when you need a number that's easy to remember but not the default, 2222 is obvious. It's just 22 with a stutter.
The Security Theater
Moving SSH to port 2222 provides one genuine benefit: it reduces log noise from automated scanners. Studies show that running SSH on a non-standard port can reduce brute-force attempts by over 90%.6 Most bots only scan port 22.
But here's the problem: 2222 has become so popular as an SSH alternate that sophisticated scanners now check it too.7 The SSH honeypot Cowrie runs on port 2222 by default because attackers already know to look there.8
The security community calls this "security through obscurity," and it's a controversial practice. Changing the port doesn't make SSH more secure. A determined attacker will find it through a full port scan. The real protection comes from key-based authentication, fail2ban, and proper firewall rules.9
There's a deeper problem too. Ports below 1024 are "privileged ports" that only root can open. Port 2222, being above 1024, can be opened by any user. This means a malicious user on a shared system could potentially run a fake SSH server on port 2222 to capture passwords before the real server starts.10
The Docker Convention
Port 2222 found its modern calling with Docker containers. When you run a Git server like Gitea or GitLab in a container, the container wants port 22 for SSH access to repositories. But the host machine is already using port 22 for administrative access.
The solution became a convention: map port 2222 on the host to port 22 in the container.11 Now git clone ssh://git@server:2222/repo.git pulls from your self-hosted Git server while ssh server still connects to the host itself.
This pattern is so common that Gitea's documentation uses 2222 as the default example.12 It has become the unofficial "containerized SSH" port.
The Honeypot Haven
Because 2222 is known to be an SSH alternate, it's also the perfect port for honeypots, decoy systems designed to attract and study attackers.
Cowrie, one of the most popular SSH honeypots, listens on port 2222 by default.13 It logs every username, password, and command that attackers attempt. Security researchers move their real SSH to a high random port and let the honeypot sit on 2222, collecting intelligence on automated attacks.
The attackers who scan 2222 thinking they've found a hidden SSH server are actually being studied.
Security Considerations
If you're running SSH on port 2222, understand what it does and doesn't provide:
What it provides:
- Dramatically reduced log noise from port 22 scanners
- Some protection against the most basic automated attacks
- Convenience for containerized services
What it doesn't provide:
- Actual security against determined attackers
- Protection against full port scans
- The privileged port protection of ports below 1024
The real security for SSH comes from:
- Disabling password authentication entirely (use SSH keys)
- Disabling root login
- Using fail2ban to block repeated failed attempts
- Restricting access by IP address when possible
- Keeping SSH updated
If you're hiding from the amateur scanners, 2222 works. If you're hiding from professionals, pick a random port above 10000 and don't tell anyone.
Related Ports
| Port | Service | Relationship |
|---|---|---|
| 22 | SSH | The original, IANA-assigned SSH port |
| 222 | Another common SSH alternate | Less popular than 2222 |
| 23 | Telnet | What SSH replaced (unencrypted) |
| 21 | FTP | SSH's neighbor, also unencrypted |
| 44818 | EtherNet/IP explicit messaging | Industrial protocol sibling |
| 443 | HTTPS | Another encrypted protocol, for web traffic |
Frequently Asked Questions
Was this page helpful?