Reserved — not assignable. Used for OS-level signaling.
File Transfer Protocol data channel for active mode transfers.
Unencrypted data. Use SFTP (port 22) or FTPS instead.
File Transfer Protocol command channel. Sends credentials in plain text.
Sends passwords unencrypted. Common target for brute-force attacks.
Secure Shell — encrypted remote login, file transfer (SFTP/SCP), and tunneling.
Secure but heavily targeted. Use key-based auth and fail2ban.
Unencrypted remote terminal protocol. All data including passwords sent in cleartext.
Never use on untrusted networks. Replace with SSH.
Simple Mail Transfer Protocol — server-to-server email relay.
Often blocked by ISPs. Commonly abused for spam relay.
Domain Name System — resolves domain names to IP addresses.
UDP for queries, TCP for zone transfers. DNS amplification attacks are common.
Dynamic Host Configuration Protocol — server listens for client requests.
Dynamic Host Configuration Protocol — client receives IP configuration.
Trivial File Transfer Protocol — simple, unauthenticated file transfers.
No authentication. Used for firmware updates and PXE booting.
Hypertext Transfer Protocol — unencrypted web traffic.
All data visible in transit. Always redirect to HTTPS (443).
Network authentication protocol used in Active Directory environments.
Post Office Protocol v3 — retrieves email from server (unencrypted).
Sends credentials in plain text. Use POP3S (995) instead.
SunRPC portmapper — maps RPC program numbers to ports.
Should never be exposed to the internet.
Network Time Protocol — clock synchronization across networks.
NTP amplification attacks possible if misconfigured.
Microsoft RPC Endpoint Mapper. Gateway to Windows services.
Major attack surface. Block from the internet.
NetBIOS Name Service — Windows network name resolution.
Leaks system info. Block from the internet.
NetBIOS Datagram Service — Windows browser elections and announcements.
NetBIOS Session Service — file and printer sharing over NetBIOS.
Legacy SMB. Replace with SMB over TCP (445) and restrict access.
Internet Message Access Protocol — email retrieval with server-side management.
Unencrypted. Use IMAPS (993) instead.
Simple Network Management Protocol — monitor and manage network devices.
v1/v2c use community strings (passwords) in cleartext. Use SNMPv3.
SNMP trap messages — asynchronous notifications from network devices.
Border Gateway Protocol — internet routing between autonomous systems.
BGP hijacking can redirect internet traffic. Critical infrastructure.
Lightweight Directory Access Protocol — directory services (Active Directory).
Use LDAPS (636) for encryption. Credential theft risk over plain LDAP.
HTTP over TLS — encrypted web traffic. The standard for secure websites.
Server Message Block — Windows file/printer sharing and AD communication.
Target of WannaCry/EternalBlue (MS17-010). Never expose to the internet.
Kerberos password change protocol.
SMTP over implicit TLS — encrypted email submission.
Internet Key Exchange — IPSec VPN tunnel negotiation.
System logging protocol — centralized log collection from network devices.
Apple Filing Protocol — macOS file sharing.
Email submission with STARTTLS — the recommended port for sending email.
Internet Printing Protocol / CUPS print server.
LDAP over SSL/TLS — encrypted directory services.
Encrypted DNS queries over TLS (DoT).
Rsync file synchronization daemon.
FTP over TLS — encrypted file transfer.
IMAP over SSL/TLS — encrypted email retrieval.
POP3 over SSL/TLS — encrypted email download.
SOCKS proxy protocol — application-level proxy routing.
OpenVPN — widely deployed open-source VPN solution.
Microsoft SQL Server default instance. Enterprise database.
Never expose directly. Use VPN or SSH tunneling.
SQL Server Browser service — resolves named instances to ports.
Oracle Database TNS Listener — default database connection port.
Common target for TNS poisoning attacks.
Point-to-Point Tunneling Protocol — legacy VPN. Broken encryption.
MS-CHAPv2 is cracked. Migrate to WireGuard or OpenVPN.
Remote Authentication Dial-In User Service — network access control.
RADIUS accounting — usage tracking for network access.
Message Queuing Telemetry Transport — lightweight IoT messaging protocol.
Unencrypted by default. Use 8883 for MQTT over TLS.
Simple Service Discovery Protocol for Universal Plug and Play.
UPnP can expose internal services. Disable on routers.
Network File System — Unix/Linux network file sharing.
Misconfigured exports can leak sensitive data.
Apache ZooKeeper — distributed coordination service.
Often lacks authentication. Exposes cluster metadata.
Docker daemon REST API without TLS. Grants root-level access.
Full host compromise if exposed. Always use 2376 with TLS.
Docker daemon REST API with TLS client authentication.
etcd client API — distributed key-value store used by Kubernetes.
Contains all cluster secrets. Never expose.
Grafana dashboard default port. Also common for Node.js/React dev servers.
Squid web proxy cache default port.
MySQL and MariaDB database server default port.
Never expose to the internet. Use SSH tunnels or VPN.
Remote Desktop Protocol — Windows remote access.
Top target for brute-force and ransomware. Use NLA and VPN.
NAT traversal for WebRTC and VoIP applications.
NATS messaging system — lightweight cloud-native messaging.
Erlang Port Mapper Daemon — service discovery for Erlang nodes.
IPSec NAT Traversal — VPN through NAT gateways.
HashiCorp Nomad HTTP API — workload orchestration.
Session Initiation Protocol — voice/video call signaling (VoIP).
SIP over TLS — encrypted VoIP signaling.
Extensible Messaging and Presence Protocol — real-time communication.
XMPP server-to-server federation protocol.
Multicast DNS — zero-configuration local network name resolution.
PostgreSQL database server default port.
Ensure pg_hba.conf restricts access. Never expose directly.
RabbitMQ message broker — AMQP protocol.
Constrained Application Protocol — IoT web transfer protocol.
CoAP over DTLS — encrypted IoT communication.
Virtual Network Computing — remote desktop sharing.
Weak default security. Many versions have no encryption.
VNC server display 1 (base 5900 + display number).
Apache CouchDB HTTP API — document-oriented NoSQL database.
Redis in-memory data store. Used as cache, message broker, and database.
No auth by default. Major source of data breaches when exposed.
Kubernetes API server — cluster management and orchestration.
Exposed API servers grant full cluster control.
IRC server common port range (6660-6669).
Internet Relay Chat — unencrypted real-time messaging.
IRC over TLS — encrypted real-time messaging.
Cassandra inter-node cluster communication.
Neo4j graph database browser and REST API.
Neo4j Bolt binary protocol for queries.
Common development server port (Django, Python HTTP).
Common alternative HTTP port. Used for proxies, dev servers, and admin panels.
Common port for Jenkins CI, application servers, and admin panels.
InfluxDB time-series database HTTP API.
Splunk REST API and management port.
ClickHouse column-oriented OLAP database HTTP interface.
HashiCorp Vault — secrets management and encryption.
Contains all secrets. Ensure TLS and proper ACLs.
Alternative HTTPS port. Common for admin UIs and application servers.
HashiCorp Consul HTTP API — service discovery and configuration.
Consul DNS interface for service discovery.
MQTT over TLS — encrypted IoT messaging.
Jupyter Notebook default port — interactive computing.
Often runs without authentication. Code execution risk.
GitLab integrated Mattermost messaging port.
ClickHouse native TCP interface / also common for various apps.
Apache Cassandra CQL native transport — distributed NoSQL database.
Tor network SOCKS proxy for anonymous browsing.
Tor control port for managing the Tor daemon.
Prometheus monitoring server — metrics collection and alerting.
Apache Kafka distributed event streaming platform.
Elasticsearch HTTP API — search and analytics engine.
No authentication by default in older versions. Data breaches common.
9300 Elasticsearch Transport (TCP): Elasticsearch internal cluster communication.
Git daemon protocol — unauthenticated read-only Git access.
Splunk universal forwarder data input.
Secure SNMP over DTLS — encrypted network management.
Kubelet API — node-level container management in Kubernetes.
Memcached distributed caching system.
UDP reflection attacks caused 1.3 Tbps DDoS in 2018. Disable UDP.
RabbitMQ web management console.
Default credentials guest/guest. Change immediately.
Minecraft Java Edition server default port.
Valve Source engine game server (CS:GO, TF2, etc).
MongoDB NoSQL database default port.
Historically no auth by default. Thousands of exposed instances breached.
MongoDB shard server (shardsvr) default port.
Plex Media Server web interface and streaming.
Tailscale WireGuard-based mesh VPN direct connections.
Jenkins JNLP agent communication port.
WireGuard VPN — modern, fast, cryptographically sound VPN tunnel.