Secure Copy with Non-Standard Ports

The scp (Secure Copy) command is a fundamental tool for securely transferring files between computers. By default, scp connects to the SSH daemon on the standard port 22. However, for security or network configuration reasons, SSH servers are often configured to listen on a different port. This tutorial explains how to use scp to connect to SSH servers running on non-standard ports.

Understanding the scp Command and Port Specification

The scp command relies on the SSH protocol for secure data transfer. It’s essential to specify the correct port number when the SSH server isn’t listening on the default port 22. The key to specifying the port lies in using the correct option.

Unlike ssh itself, which takes the port with a lowercase -p, scp uses different options for preservation and port specification. In scp, the lowercase -p option is reserved for preserving file modification times, access times, and modes. To specify the port number, you must use the uppercase -P option.

Using the -P Option

The syntax for using the -P option is straightforward:

scp -P <port_number> <source_file> <user>@<host>:<destination_path>
  • <port_number>: The port number the SSH server is listening on.
  • <source_file>: The file or directory you want to copy.
  • <user>: The username on the remote server.
  • <host>: The hostname or IP address of the remote server.
  • <destination_path>: The directory on the remote server where you want to copy the file.

Example:

To copy a file named report.txt from your local machine to the /home/user/documents directory on a remote server with the hostname myserver.com listening on port 80, you would use the following command:

scp -P 80 report.txt user@myserver.com:/home/user/documents

To copy a directory recursively from a remote server to the current local directory:

scp -P 80 -r user@myserver.com:/path/to/remote/directory .

A More Persistent Solution: The SSH Configuration File

For frequent connections to the same server on a non-standard port, managing the port number directly in the scp command can become tedious. A more elegant solution is to configure the SSH client using the ~/.ssh/config file.

This file allows you to define settings for specific hosts, including the port number. If the file doesn’t exist, you can create it. Open (or create) ~/.ssh/config with a text editor and add a section like this:

Host myserver
    HostName myserver.com
    Port 80
    User username
  • Host: An alias you choose for the server. You’ll use this alias in your scp commands.
  • HostName: The actual hostname or IP address of the server.
  • Port: The port number the server is listening on.
  • User: The username you want to use when connecting.

After saving the configuration, you can use scp with just the alias:

scp myserver:/path/to/remote/file .

The SSH client will automatically use the configured port and username. This simplifies your commands and improves readability. The alias is whatever name you put on the Host line; it does not have to match the server's real hostname.
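Once ~/.ssh/config contains wildcard entries, the first Port value obtained for a host wins, so entry order decides which port scp connects to. The shell sketch below is an added example, not part of the original tutorial; it models that lookup for Host blocks only, and the function names, the *.lab.example entry and the Host * entry are constructed for illustration.

```shell
# Simplified model of ssh_config lookup: the first Port obtained from a
# matching block wins. Match/Include and quoted arguments are not handled.
ssh_config_port() (
    target=$1
    active=1          # options before the first Host line apply to every host
    port=
    set -f            # keep * and ? in Host patterns from expanding to filenames
    while IFS= read -r line || [ -n "$line" ]; do
        # "Keyword=value" is accepted as well as "Keyword value"
        case $line in *=*) line="${line%%=*} ${line#*=}" ;; esac
        set -- $line
        if [ $# -eq 0 ]; then continue; fi
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
        shift
        case $key in
            host)
                active=0
                for pat in "$@"; do
                    case $pat in
                        '!'*)  # a negated pattern that matches vetoes the whole block
                            neg=${pat#?}
                            case $target in $neg) active=0; break ;; esac ;;
                        *)  case $target in $pat) active=1 ;; esac ;;
                    esac
                done ;;
            match) active=0 ;;   # not evaluated here: skip the block
            port)  if [ "$active" -eq 1 ]; then port=$1; break; fi ;;
        esac
    done
    echo "${port:-22}"           # no Port obtained: the SSH default applies
)

# Constructed sample config (hosts other than myserver are made up).
sample_config() {
    cat <<'EOF'
Host myserver
    HostName myserver.com
    Port 80
    User username

Host *.lab.example !gw.lab.example
    Port=2222

Host *
    Port 22022
EOF
}

sample_config | ssh_config_port myserver   # alias from the tutorial
```

On a real system, `ssh -G myserver` prints the options the installed client actually resolves, including the port.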

Best Practices and Additional Considerations

  • Security: While changing the SSH port can offer a minor layer of security by obscurity, it shouldn’t be relied upon as a primary security measure. Strong authentication methods like SSH keys are far more effective.

  • Firewall Rules: Ensure your firewall allows traffic on the configured port.

  • netstat: To determine the port an SSH daemon is listening on, you can use the netstat command:

    sudo netstat -tnlp | grep sshd

    Or a more readable version:

    sudo netstat --tcp --numeric-ports --listening --program | grep sshd

This command displays the listening ports associated with the sshd process.

By following these guidelines, you can confidently use scp to securely transfer files between computers, even when SSH servers are configured to listen on non-standard ports.
