Every server exposed to the internet is a target. The moment you open port 22 to accept SSH connections, you've published an address that the entire world can probe — and they do, relentlessly. Bots scan the IPv4 space continuously, hammering exposed SSH daemons with credential-stuffing attempts around the clock.
The standard mitigations — IP allowlists, fail2ban, bastion hosts, VPNs — all reduce the blast radius, but they share one assumption: that the host must listen for inbound connections. Subnomic takes a different stance. What if the host never listened at all?
The inbound problem
A listening port is a standing invitation. Even with key-only authentication, an exposed SSH service leaks information, consumes resources fielding junk traffic, and is one CVE away from compromise. Bastion hosts centralize the risk into one box, but that box still listens — and once an attacker is through it, your whole fleet is reachable.
If nothing listens, there is nothing to attack from the outside.
Outbound-only by design
The Subnomic agent runs on each host and establishes an outbound, mutually-authenticated connection to the control plane. No inbound firewall rule is required. Port 22 — and every other management port — stays closed to the internet. The connection is initiated from inside your network, the same way a laptop reaches a website.
When an operator wants to connect, the request flows through the control plane and is multiplexed back down the tunnel the agent already opened. The host responds over the existing channel. At no point does it accept a fresh inbound connection from an untrusted source.
# Traditional: the host listens, the world knocks
client ──▶ :22 (open to internet) ──▶ sshd
# Subnomic: the host dials out, nothing listens
agent ──▶ control plane (outbound TLS) ◀── operator
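To make the dial-out-and-relay flow concrete, here is an added example that is not Subnomic's code: a toy control plane, agent and operator, all on loopback, written in Python. It assumes plain TCP in place of the mutually authenticated TLS the real agent uses, one session per tunnel instead of multiplexing, and an upper-casing echo service standing in for sshd; the function names (`start_broker`, `start_agent`, `operator_session`, `demo`) are the example's own.

```python
# Added illustration (not Subnomic's code): an outbound-only access broker on loopback.
import socket
import threading

HOST = "127.0.0.1"
socket.setdefaulttimeout(10)  # fail loudly instead of hanging if the relay breaks


def pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_service():
    """Stand-in for sshd. It binds loopback only, so nothing off-host can reach it.
    For the demo it answers one request by upper-casing what it received."""
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen()

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_broker():
    """Control plane. Two listeners: one the agent dials, one operators dial.
    It pairs the next operator with the waiting agent and relays both directions.
    (A real deployment authenticates both sides with mTLS first; omitted here.)"""
    agent_srv, op_srv = socket.socket(), socket.socket()
    for s in (agent_srv, op_srv):
        s.bind((HOST, 0))
        s.listen()

    def run():
        agent_conn, _ = agent_srv.accept()   # the host dialed out to us
        op_conn, _ = op_srv.accept()         # an operator asks for a session
        threading.Thread(target=pump, args=(op_conn, agent_conn), daemon=True).start()
        pump(agent_conn, op_conn)

    threading.Thread(target=run, daemon=True).start()
    return agent_srv.getsockname()[1], op_srv.getsockname()[1]


def start_agent(broker_agent_port, service_port):
    """Runs on the host. Note the absence of bind()/listen(): it only ever connects out.
    Bytes arriving down the tunnel are handed to the loopback-only service."""
    tunnel = socket.create_connection((HOST, broker_agent_port))
    local = socket.create_connection((HOST, service_port))
    threading.Thread(target=pump, args=(tunnel, local), daemon=True).start()
    threading.Thread(target=pump, args=(local, tunnel), daemon=True).start()


def operator_session(broker_op_port, payload):
    """Operator side: talks to the broker, never to the host directly."""
    with socket.create_connection((HOST, broker_op_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # done sending; wait for the reply
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload=b"hello from operator"):
    """Wire the three parties together and run one session end to end."""
    service_port = start_local_service()
    agent_port, op_port = start_broker()
    start_agent(agent_port, service_port)
    return operator_session(op_port, payload)


if __name__ == "__main__":
    print(demo())  # b'HELLO FROM OPERATOR'
```

The property worth checking is in `start_agent`: it never calls `bind()` or `listen()`, so a port scan of the host finds nothing, and the only outward-facing socket is one the host opened itself. Reviewing a real agent for the same property, `ss -ltnp` on the host should show the management service bound to loopback only and the agent present only as an established outbound connection.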
What this buys you
- No inbound attack surface — there is no open port to scan, fingerprint or exploit.
- No bastion to harden — the tunnel is brokered, not a box you have to patch and babysit.
- Works behind NAT — because the agent dials out, hosts in private networks need no inbound routing.
- Identity at the edge — every connection is tied to a verified actor before a byte of SSH traffic flows.
But is it still SSH?
Yes. Subnomic doesn't replace the SSH protocol — your existing tooling, keys of record and muscle memory keep working. We change the transport, not the protocol. The session runs end to end, and every keystroke is recorded for replay, so you also get a complete audit trail for free.
Closing the last port
Zero Trust isn't a slogan — it's the practical recognition that the network perimeter no longer exists. Closing port 22 entirely, and brokering every connection through verified identity, removes an entire category of attacks before they can begin.
Want to see it on your own fleet? Book a demo or join the waitlist.