I’m setting up a new computer and my firewall Little Snitch let me know that Syncthing established an outgoing TCP connection on port 22 (see attached screenshot).
I understand that Syncthing establishes lots of connections for the relay functionality, but port 22 looks very strange, as I would expect to use the upper ports to avoid requiring privileged credentials.
I installed syncthing using Homebrew.
Is this normal or am I being hacked? The connection is outgoing but I’m still a little paranoid.
This is normal. Your syncthing instance connects to a relay hosted by someone. Relays are provided by other users and they can run them on whatever port they like - this particular relay runs on port 22, the default port is 22067.
As you can see, the IP address 178.62.88.70 port 22 is a relay, provided by “https://keybase.io/rany”.
You can fully disable relays if you like, or host your own private relay. Relays are usually slower anyway and are only intended as a fallback. You should always attempt to make your setup work without relays, if possible.
PS: Port 22 is the destination port. On Linux binding to a port < 1024 usually requires higher privileges, but the bind port equals the source port on outgoing data. The destination port is unaffected and as such any application may connect to a port < 1024 as long as the firewall lets it through. Some users run their relay on port 443 to pass more firewalls, as this port is usually not blocked (https).
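The check described in the answer, written out as an added example that is not part of the original thread: it matches a destination reported by an outbound firewall against a list of relays. The JSON shape, the `providedBy` query parameter and the function names are assumptions, and the sample listing is constructed (only 178.62.88.70:22 and its provider come from the thread).

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

DEFAULT_RELAY_PORT = 22067  # default relay port named in the answer

# Constructed sample in an assumed relay-list shape; the id values are placeholders.
SAMPLE_POOL = json.dumps({"relays": [
    {"url": "relay://178.62.88.70:22/?id=PLACEHOLDER-ID-1&providedBy=https://keybase.io/rany"},
    {"url": "relay://192.0.2.10:22067/?id=PLACEHOLDER-ID-2&providedBy=example"},
    {"url": "relay://[2001:db8::5]:443/?id=PLACEHOLDER-ID-3"},
    {"url": "not a relay url"},
]})


def load_relays(pool_json):
    """Return {(ip, port): provider} for every well-formed relay:// entry."""
    relays = {}
    for entry in json.loads(pool_json).get("relays", []):
        try:
            parts = urlsplit(entry.get("url", ""))
            if parts.scheme != "relay" or not parts.hostname or parts.port is None:
                continue
            # Normalise the address; entries that are not IP literals are skipped.
            host = str(ipaddress.ip_address(parts.hostname))
        except ValueError:  # malformed port or non-IP host
            continue
        provider = parse_qs(parts.query).get("providedBy", ["unknown"])[0]
        relays[(host, parts.port)] = provider
    return relays


def classify(dest_ip, dest_port, relays):
    """Describe an observed outgoing destination relative to the relay list."""
    ip = str(ipaddress.ip_address(dest_ip))
    if (ip, dest_port) in relays:
        kind = "default port" if dest_port == DEFAULT_RELAY_PORT else "non-default port"
        return f"listed relay ({kind}), provided by {relays[(ip, dest_port)]}"
    if any(host == ip for host, _ in relays):
        return "relay host known, but not on this port"
    return "not in relay list"


if __name__ == "__main__":
    known = load_relays(SAMPLE_POOL)
    for dest in [("178.62.88.70", 22), ("203.0.113.9", 22)]:
        print(dest, "->", classify(*dest, known))
```

A destination that comes back as "not in relay list" is not proof of compromise, since the list changes as relays join and leave, but it is the one worth looking at more closely.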