diff --git a/CHANGELOG b/CHANGELOG
index 4e12fd7e5..7a03ffa3c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
#Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
+ empirical data from Shodan.io, as well as the netconf-ssh service.
+ [Lim Shi Min Jonathan, Daniel Miller]
+
o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
desktop in macOS. [Roland Linder]
diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index 7ca8e756c..bb0da9e19 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -292,6 +292,35 @@ function ssl(host, port)
return false
end
+local LIKELY_SSH_PORTS = {
+ -- Top ssh ports on shodanhq.com
+ 22,
+ 2222,
+ 55554,
+ --666, -- 86% SSH, but we'd like to be more certain.
+ 22222,
+ 2382,
+ -- And others reported by users
+ 830, -- netconf-ssh
+}
+
+-- This part isn't really necessary, since -sV will reliably detect SSH
+local LIKELY_SSH_SERVICES = {
+ 'ssh', 'netconf-ssh'
+}
+
+-- A portrule that matches likely SSH services.
+--
+-- @name ssh
+-- @class function
+-- @param host The host table to match against.
+-- @param port The port table to match against.
+-- @return true if the port is likely to be SSH,
+-- false otherwise.
+-- @usage
+-- portrule = shortport.ssh
+
+ssh = port_or_service(LIKELY_SSH_PORTS, LIKELY_SSH_SERVICES)
--- Return a portrule that returns true when given an open port matching a port range
--
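Review bot: The comment block documenting `ssh` opens with `--` rather than the `---` used by the next block (`--- Return a portrule ...`), and a blank line separates it from the `ssh = port_or_service(...)` assignment, so the documentation generator will probably not attach it to the rule. Start it with `--- A portrule that matches likely SSH services.` and drop the blank line before the assignment. The description should also state that a port-number match alone is sufficient, for example `-- Matches any port in LIKELY_SSH_PORTS even when the service has not been identified as SSH.`, because the callers include intrusive scripts. The comment above LIKELY_SSH_SERVICES (`This part isn't really necessary`) does not say which list it refers to and is worth rewording.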
diff --git a/scripts/ssh-auth-methods.nse b/scripts/ssh-auth-methods.nse
index 61249eb93..dd6621334 100644
--- a/scripts/ssh-auth-methods.nse
+++ b/scripts/ssh-auth-methods.nse
@@ -26,7 +26,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"auth", "intrusive"}
local username = stdnse.get_script_args("ssh.user") or rand.random_alpha(5)
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
function action (host, port)
local result = stdnse.output_table()
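Review bot: With this portrule the script sends authentication requests to whatever listens on 2222, 55554, 22222, 2382 or 830, because `shortport.ssh` is built with `port_or_service` and a port-number match is enough even when the service name is not SSH. That widens the footprint of a script in the `intrusive` category; the same substitution is made in ssh-brute.nse and ssh-run.nse (both `intrusive`) and in ssh-publickey-acceptance.nse. If the wider rule is intended for these scripts, say so next to the rule, e.g. `-- shortport.ssh matches by port number as well as service name; the listener may not be SSH`, and list the extra ports in each script's description so operators can scope their scans. Whether `action` backs out cleanly when the peer does not speak SSH is not visible here, since its body continues past the end of the hunk.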
diff --git a/scripts/ssh-brute.nse b/scripts/ssh-brute.nse
index f71b09f62..d5f26a0a0 100644
--- a/scripts/ssh-brute.nse
+++ b/scripts/ssh-brute.nse
@@ -31,7 +31,7 @@ categories = {
'intrusive',
}
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "5s"
diff --git a/scripts/ssh-hostkey.nse b/scripts/ssh-hostkey.nse
index 042d96691..5b5069777 100644
--- a/scripts/ssh-hostkey.nse
+++ b/scripts/ssh-hostkey.nse
@@ -139,7 +139,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe","default","discovery"}
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
postrule = function() return (nmap.registry.sshhostkey ~= nil) end
diff --git a/scripts/ssh-publickey-acceptance.nse b/scripts/ssh-publickey-acceptance.nse
index db903223b..a006325ed 100644
--- a/scripts/ssh-publickey-acceptance.nse
+++ b/scripts/ssh-publickey-acceptance.nse
@@ -46,7 +46,7 @@ local usernames = stdnse.get_script_args "ssh.usernames"
local knownbad = stdnse.get_script_args "knownbad"
local publickeys = stdnse.get_script_args "ssh.publickeys"
local publickeydb = stdnse.get_script_args "publickeydb" or nmap.fetchfile("nselib/data/publickeydb")
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
function action (host, port)
local result = stdnse.output_table()
diff --git a/scripts/ssh-run.nse b/scripts/ssh-run.nse
index 16522fc32..e91fdbefe 100644
--- a/scripts/ssh-run.nse
+++ b/scripts/ssh-run.nse
@@ -43,7 +43,7 @@ categories = {
'intrusive',
}
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
local username = stdnse.get_script_args 'ssh-run.username'
local cmd = stdnse.get_script_args 'ssh-run.cmd'
diff --git a/scripts/ssh2-enum-algos.nse b/scripts/ssh2-enum-algos.nse
index 1830c0b44..e634f62ee 100644
--- a/scripts/ssh2-enum-algos.nse
+++ b/scripts/ssh2-enum-algos.nse
@@ -103,7 +103,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
-- Build onto lists{} and possibly modify parsed{} based on whether the
-- algorithm name-lists are identical between the server-to-client and
diff --git a/scripts/sshv1.nse b/scripts/sshv1.nse
index b285cb698..260b2c7cd 100644
--- a/scripts/sshv1.nse
+++ b/scripts/sshv1.nse
@@ -19,7 +19,7 @@ categories = {"default", "safe"}
-- true
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
action = function(host, port)
local socket = nmap.new_socket()