Common network ports

Quick Reference

Port Range

0 – 65535

Well-Known Ports

0 – 1023

Registered Ports

1024 – 49151

Dynamic / Ephemeral

49152 – 65535

Transport Protocols

Every port is associated with a transport layer protocol. Understanding the difference is essential for firewall rules and troubleshooting.

Protocol	Full Name	Connection	Reliability	Typical Use
TCP	Transmission Control Protocol	Connection-oriented (3-way handshake)	Guaranteed delivery, ordered	HTTP, SSH, FTP, SMTP
UDP	User Datagram Protocol	Connectionless	No guarantee, no ordering	DNS, DHCP, SNMP, VoIP

Firewall rule tip: When writing firewall rules, always specify both the port number AND the protocol (TCP/UDP). Port 53 TCP and port 53 UDP are technically different rules — DNS uses both depending on payload size.

Well-Known Ports (0–1023)

Assigned by IANA and require root/administrator privileges to bind on most operating systems. These are the ports every sysadmin must know by memory.

Port	Protocol	Service	Full Name	Notes
`20`	TCP	FTP-DATA	File Transfer Protocol (data)	Active mode data channel
`21`	TCP	FTP	File Transfer Protocol (control)	Control channel; use SFTP instead
`22`	TCP	SSH	Secure Shell	Remote access, SFTP, SCP tunnels
`23`	TCP	Telnet	Telnet	Unencrypted — avoid in production
`25`	TCP	SMTP	Simple Mail Transfer Protocol	Server-to-server mail; often blocked by ISPs
`53`	TCP/UDP	DNS	Domain Name System	UDP for queries; TCP for zone transfers / large responses
`67`	UDP	DHCP	Dynamic Host Configuration Protocol	Server listens; client sends from port 68
`68`	UDP	DHCP	Dynamic Host Configuration Protocol	Client port
`69`	UDP	TFTP	Trivial File Transfer Protocol	PXE boot, network device configs
`80`	TCP	HTTP	Hypertext Transfer Protocol	Unencrypted web traffic
`110`	TCP	POP3	Post Office Protocol v3	Email retrieval; downloads and deletes from server
`123`	UDP	NTP	Network Time Protocol	Time synchronization — critical for Kerberos/TLS
`143`	TCP	IMAP	Internet Message Access Protocol	Email retrieval; keeps mail on server
`161`	UDP	SNMP	Simple Network Management Protocol	Polling/monitoring; port 162 for traps
`162`	UDP	SNMP Trap	SNMP Trap Receiver	Unsolicited alerts from devices to manager
`389`	TCP/UDP	LDAP	Lightweight Directory Access Protocol	Directory queries (AD, OpenLDAP)
`443`	TCP	HTTPS	HTTP over TLS/SSL	Encrypted web traffic — modern standard
`445`	TCP	SMB	Server Message Block	Windows file sharing, Active Directory
`465`	TCP	SMTPS	SMTP over TLS (implicit)	Legacy; superseded by STARTTLS on 587
`514`	UDP	Syslog	System Logging Protocol	Log forwarding; TCP 514 also common
`587`	TCP	SMTP (submission)	Mail Submission Agent	Client-to-server mail with STARTTLS
`636`	TCP	LDAPS	LDAP over SSL	Encrypted directory queries
`993`	TCP	IMAPS	IMAP over SSL	Encrypted IMAP
`995`	TCP	POP3S	POP3 over SSL	Encrypted POP3

Highlighted rows mark the most commonly encountered ports in day-to-day sysadmin work.

Common Registered Ports (1024–49151)

Assigned to specific applications by IANA. Do not require root privileges. These appear constantly in production infrastructure.

Port	Protocol	Service	Notes
`1433`	TCP	MS SQL Server	Microsoft SQL Server default instance
`1434`	UDP	MS SQL Browser	SQL Server Browser service for named instances
`1521`	TCP	Oracle DB	Oracle Database listener default port
`3306`	TCP	MySQL / MariaDB	Default database port; restrict to localhost or VPN
`3389`	TCP	RDP	Windows Remote Desktop Protocol; high-value attack target
`4444`	TCP	Metasploit	Default Metasploit listener — flag in traffic analysis
`5432`	TCP	PostgreSQL	Default PostgreSQL port
`5900`	TCP	VNC	Virtual Network Computing remote desktop; display :0
`5985`	TCP	WinRM HTTP	Windows Remote Management (PowerShell Remoting)
`5986`	TCP	WinRM HTTPS	Windows Remote Management over TLS
`6379`	TCP	Redis	Redis in-memory store; never expose to internet without auth
`8080`	TCP	HTTP Alt	Common dev/proxy port; Tomcat, Jenkins, Squid default
`8443`	TCP	HTTPS Alt	Alternative HTTPS; Tomcat, management UIs
`9200`	TCP	Elasticsearch	Elasticsearch REST API; restrict access — no auth by default
`9300`	TCP	Elasticsearch	Elasticsearch node-to-node communication
`27017`	TCP	MongoDB	MongoDB default; historically exposed without auth

Common mistake: Databases like Redis, MongoDB, and Elasticsearch ship with no authentication by default and listen on all interfaces. Exposing these ports to the internet has caused thousands of data breaches. Always bind to 127.0.0.1 or restrict access via firewall rules.

Ports by Category

Remote Access

Port	Proto	Service	Notes
`22`	TCP	SSH	Secure remote shell — industry standard
`23`	TCP	Telnet	Unencrypted — legacy only
`3389`	TCP	RDP	Windows Remote Desktop
`5900–5909`	TCP	VNC	Displays :0–:9 respectively
`5985/5986`	TCP	WinRM	PowerShell Remoting (HTTP/HTTPS)

Web & Proxy

Port	Proto	Service	Notes
`80`	TCP	HTTP	Unencrypted web
`443`	TCP	HTTPS	TLS-encrypted web
`8080`	TCP	HTTP Alt	Dev servers, Tomcat, proxies
`8443`	TCP	HTTPS Alt	Alt HTTPS for management UIs
`3128`	TCP	Squid Proxy	Default Squid HTTP proxy port

Email

Port	Proto	Service	Direction / Notes
`25`	TCP	SMTP	Server ↔ Server; blocked by most ISPs on residential IPs
`465`	TCP	SMTPS	Client → Server; implicit TLS (legacy, still widely used)
`587`	TCP	SMTP Submission	Client → Server; STARTTLS — recommended for clients
`110`	TCP	POP3	Client retrieves mail; deletes from server
`995`	TCP	POP3S	Encrypted POP3
`143`	TCP	IMAP	Client syncs mail; keeps on server
`993`	TCP	IMAPS	Encrypted IMAP — preferred

Directory & Authentication

Port	Proto	Service	Notes
`88`	TCP/UDP	Kerberos	AD authentication tickets
`389`	TCP/UDP	LDAP	Active Directory, OpenLDAP queries
`636`	TCP	LDAPS	LDAP over TLS — use in production
`1812`	UDP	RADIUS Auth	Authentication for network access (802.1X, VPN)
`1813`	UDP	RADIUS Accounting	Session accounting

File Transfer & Storage

Port	Proto	Service	Notes
`21`	TCP	FTP	Control channel; use SFTP or FTPS instead
`22`	TCP	SFTP / SCP	Secure file transfer over SSH
`69`	UDP	TFTP	PXE boot, network device firmware
`111`	TCP/UDP	RPC / portmapper	Required for NFS
`445`	TCP	SMB/CIFS	Windows shares; also used by AD
`2049`	TCP/UDP	NFS	Network File System

Monitoring & Management

Port	Proto	Service	Notes
`123`	UDP	NTP	Time sync — critical for Kerberos, TLS certs, logs
`161`	UDP	SNMP	Poll device metrics; use SNMPv3 with auth
`162`	UDP	SNMP Trap	Device sends unsolicited alerts to manager
`514`	UDP/TCP	Syslog	Log forwarding to SIEM / log server
`2055`	UDP	NetFlow	Cisco NetFlow traffic records
`9100`	TCP	Prometheus Node Exporter	Default metrics scrape endpoint

VPN & Tunneling

Port	Proto	Service	Notes
`500`	UDP	IKE / IPsec	VPN key exchange (IKEv1/IKEv2)
`1194`	UDP/TCP	OpenVPN	OpenVPN default; UDP preferred
`1701`	UDP	L2TP	Layer 2 Tunneling Protocol
`1723`	TCP	PPTP	Obsolete VPN; avoid — broken encryption
`4500`	UDP	IPsec NAT-T	IPsec through NAT devices
`51820`	UDP	WireGuard	Default WireGuard port; configurable

Active Directory Port Map

Active Directory relies on a large number of ports. This is the minimal set required for domain communication between clients, member servers, and domain controllers.

Port	Proto	Service	Required For
`53`	TCP/UDP	DNS	Domain name resolution — critical
`88`	TCP/UDP	Kerberos	Authentication
`123`	UDP	NTP	Time sync (Kerberos fails if clock skew > 5 min)
`135`	TCP	RPC Endpoint Mapper	Dynamic RPC port assignment
`137–139`	UDP/TCP	NetBIOS	Legacy name resolution (optional in modern AD)
`389`	TCP/UDP	LDAP	Directory queries and updates
`445`	TCP	SMB	GPO, SYSVOL replication, logon scripts
`464`	TCP/UDP	Kerberos password	Password changes via Kerberos
`636`	TCP	LDAPS	Encrypted directory queries
`3268`	TCP	Global Catalog	Forest-wide LDAP queries
`3269`	TCP	Global Catalog SSL	Encrypted Global Catalog
`49152–65535`	TCP	RPC Dynamic	AD replication, NETLOGON, remote management

RPC dynamic ports: Active Directory uses random ports in the 49152–65535 range for replication and remote procedure calls. If you have a firewall between domain controllers, you must either allow this entire range or configure a static RPC port range via Group Policy.

Security Notes

Ports to Always Restrict or Disable

Port	Service	Risk	Recommendation
`21`	FTP	Credentials in plaintext	Replace with SFTP (port 22) or FTPS
`23`	Telnet	All traffic in plaintext	Replace with SSH
`1723`	PPTP VPN	Broken encryption (MS-CHAP)	Replace with WireGuard or OpenVPN
`3389`	RDP	Brute force, BlueKeep CVE	Restrict to VPN; enable NLA; use non-standard port
`6379`	Redis	No auth by default	Bind to 127.0.0.1; require password
`27017`	MongoDB	No auth by default	Enable auth; firewall from public internet
`9200`	Elasticsearch	No auth in older versions	Enable security; restrict with firewall

Common mistake: Changing a service to a non-standard port (e.g., SSH to port 2222) is NOT a security measure — it only reduces noise in logs. Security comes from strong authentication, firewall rules, and keeping software patched.

Scanning & Verification

Use these commands to quickly check which ports are open and what is listening.

Command	Platform	Purpose
`ss -tlnp`	Linux	List all listening TCP ports with process names
`netstat -tlnp`	Linux	Same as above (older systems)
`netstat -ano`	Windows	All connections with PID
`Get-NetTCPConnection`	PowerShell	List TCP connections and listeners
`nmap -sV 192.168.1.1`	Any	Scan host for open ports and service versions
`telnet host port`	Any	Quick TCP connectivity test
`nc -zv host port`	Linux/macOS	Test TCP/UDP port reachability

FAQ

What is the difference between well-known, registered, and dynamic ports?

Well-known ports (0–1023) are assigned by IANA to core protocols and require root/admin privileges to bind. Registered ports (1024–49151) are assigned to specific applications but don’t require elevated privileges. Dynamic (ephemeral) ports (49152–65535) are assigned by the OS to client applications for outbound connections and are released when the connection closes.

Why does DNS use both TCP and UDP on port 53?

DNS uses UDP by default for standard queries because it’s faster — no connection setup, small packets. TCP is used when the response exceeds 512 bytes (e.g., large TXT records, DNSSEC responses) or for zone transfers between DNS servers. Modern DNS implementations (RFC 7766) also use TCP more broadly. Your firewall must allow both protocols on port 53.

Which SMTP port should I use for sending email?

For mail clients sending to a mail server (submission): use port 587 with STARTTLS — this is the current standard. Port 465 (implicit TLS) is also widely supported and still used by many providers. Port 25 is for server-to-server relay and is typically blocked by ISPs on residential connections to prevent spam.

How do I find what process is using a specific port?

On Linux: ss -tlnp | grep :80 or lsof -i :80. On Windows: netstat -ano | findstr :80 — note the PID, then tasklist | findstr <PID>. On PowerShell: Get-NetTCPConnection -LocalPort 80 | Select-Object State, OwningProcess.

Is it safe to expose port 22 (SSH) to the internet?

With proper hardening, yes. Best practices: disable password authentication (use SSH keys only), disable root login (PermitRootLogin no), use AllowUsers to restrict which accounts can log in, and consider fail2ban or similar to block brute-force attempts. For high-security environments, restrict SSH access to specific IP ranges or put it behind a VPN.

What are ephemeral ports and why do they matter for firewalls?

When your system initiates an outbound connection, the OS assigns a random source port from the ephemeral range (49152–65535 on modern systems; 1024–65535 on older Linux). Stateful firewalls track these automatically. If you have a stateless packet filter, you must explicitly allow return traffic to the ephemeral range, or outbound connections will work but replies will be dropped.