I’m setting up a new computer and my firewall Little Snitch let me know that Syncthing established an outgoing TCP connection on port 22 (see attached screenshot).
I understand that Syncthing establishes lots of connections for the relay functionality, but port 22 looks very strange, as I would expect to use the upper ports to avoid requiring privileged credentials.
I installed Syncthing using Homebrew.
Is this normal or am I being hacked? The connection is outgoing but I’m still a little paranoid.
This is normal. Your Syncthing instance connects to a relay hosted by someone. Relays are provided by other users and they can run them on whatever port they like. This particular relay runs on port 22; the default port is 22067.
The list of all public Syncthing relays is here: https://relays.syncthing.net/
As you can see, the IP address 188.8.131.52 port 22 is a relay, provided by “https://keybase.io/rany”.
You can fully disable relays if you like, or host your own private relay. Relays are usually slower anyway and are only intended as a fallback. You should always attempt to make your setup work without relays, if possible.
PS: Port 22 is the destination port. On Linux, binding to a port < 1024 usually requires higher privileges, but the bind port equals the source port on outgoing data. The destination port is unaffected and as such any application may connect to a port < 1024 as long as the firewall lets it through. Some users run their relay on port 443 to pass more firewalls, as this port is usually not blocked (https).
Awesome, thank you very much for your super informative answer!
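The check described in the answer (is the flagged destination a listed relay?) can be scripted. This is an added example, not code from the thread or from the Syncthing project; it assumes the relay list can be saved as JSON with a `relays` array of `relay://host:port/?...&providedBy=...` URLs, and the sample data and function names are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit, parse_qs

DEFAULT_RELAY_PORT = 22067  # default relay port named in the answer

# Constructed sample in the assumed shape of the relay list (documentation IPs).
SAMPLE_POOL_JSON = """
{"relays": [
  {"url": "relay://192.0.2.10:22067/?id=CONSTRUCTED-ID-1&providedBy=example-a"},
  {"url": "relay://198.51.100.7:22/?id=CONSTRUCTED-ID-2&providedBy=example-b"},
  {"url": "relay://[2001:db8::5]:443/?id=CONSTRUCTED-ID-3&providedBy=example-c"},
  {"url": "not-a-relay-url"}
]}
"""

def parse_relays(pool_json):
    """Return {(ip, port): providedBy} for every well-formed relay:// entry."""
    relays = {}
    for entry in json.loads(pool_json).get("relays", []):
        try:
            parts = urlsplit(entry.get("url", ""))
            if parts.scheme != "relay" or parts.hostname is None:
                continue
            ip = ipaddress.ip_address(parts.hostname)
            port = parts.port or DEFAULT_RELAY_PORT
        except ValueError:
            continue  # malformed URL, non-IP host, or invalid port: skip it
        provided = parse_qs(parts.query).get("providedBy", ["unknown"])[0]
        relays[(ip, port)] = provided
    return relays

def classify(relays, dest_ip, dest_port):
    """Classify a firewall alert's destination against the relay list."""
    ip = ipaddress.ip_address(dest_ip)  # normalises IPv6 spellings
    if (ip, dest_port) in relays:
        return ("relay", relays[(ip, dest_port)])
    if any(r_ip == ip for r_ip, _ in relays):
        # Same host as a listed relay but a different port: look closer.
        return ("relay-ip-other-port", None)
    return ("unlisted", None)

if __name__ == "__main__":
    listed = parse_relays(SAMPLE_POOL_JSON)
    for alert in [("198.51.100.7", 22), ("203.0.113.9", 22)]:
        print(alert, "->", classify(listed, *alert))
```

An "unlisted" result only means the destination is not in the saved list; private relays and direct device connections will not appear there.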