Common Ports and Protocols — What's Running on What Port
When a security analyst looks at a firewall log, runs a network scan, or investigates suspicious traffic, port numbers are among the first pieces of information they read. A port number tells you — at a glance — which service or application was likely involved in a connection. Port 22 means SSH (Secure Shell). Port 445 means SMB (Server Message Block). Port 3389 means RDP (Remote Desktop Protocol). Knowing which services run on which ports, what those services do, and what their security histories look like is foundational knowledge for anyone working in cybersecurity.
This file covers the ports and protocols every security practitioner needs to know: what each service does, why it matters, and where the security risks lie.
What Ports Are and Why They Matter
A port is a 16-bit number, ranging from 0 to 65535, included in the header of every TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packet. Ports allow a single device to run multiple network services simultaneously and correctly route incoming packets to the right one.
Think of it this way: an IP (Internet Protocol) address identifies a device on the network — it tells the network where to deliver the packet. But a server running a web server, an SSH server, and a database server all share the same IP address. The port number tells the operating system which application on that device should receive the incoming packet.
A web server listening on port 443 and an SSH server listening on port 22 can coexist on the same machine with the same IP address. When a packet arrives on port 443, the operating system delivers it to the web server process. When a packet arrives on port 22, it goes to the SSH server process. The port is the last-mile delivery address within the device.
From a security standpoint, ports are your first indicator of attack surface. Every open port on a device is a listening service — a potential entry point for an attacker. Closing ports you do not need, monitoring ports for unexpected activity, and understanding what should and should not be open on any given system are core defensive skills.
Port Ranges
Ports are divided into three ranges by IANA (Internet Assigned Numbers Authority), the organization responsible for coordinating IP addresses, protocol numbers, and port assignments globally.
Well-Known Ports: 0 to 1023
These ports are assigned and controlled by IANA. They are reserved for widely used, standardized protocols and services. On Unix and Linux systems, only processes running as root (the system administrator account) can bind to ports in this range — a restriction that prevents unprivileged programs from impersonating standard services.
Examples: HTTP (Hypertext Transfer Protocol) on port 80, HTTPS (HTTP Secure) on port 443, SSH on port 22, DNS (Domain Name System) on port 53.
Registered Ports: 1024 to 49151
These ports are registered by software vendors and developers with IANA for specific applications. They are less strictly controlled than well-known ports. Any process can typically bind to ports in this range without administrator privileges.
Examples: MySQL database on port 3306, PostgreSQL database on port 5432, Microsoft SQL Server on port 1433, RDP on port 3389.
Dynamic and Ephemeral Ports: 49152 to 65535
These ports are not assigned to specific services. They are temporarily allocated by the operating system to the client side of a network connection.
When your browser opens a connection to a web server on port 443, the browser does not use port 443 on your end — that would require your machine to be running a web server. Instead, the operating system assigns a temporary port from the ephemeral range (say, port 52847) to your browser session. That ephemeral port is the source port for your side of the connection. When the session ends, the port is released.
Note: Linux commonly uses the range 32768 to 60999 for ephemeral ports rather than the official range. This is configurable through the kernel parameter at /proc/sys/net/ipv4/ip_local_port_range.
The Five-Tuple: How Connections Are Uniquely Identified
Every active network connection is uniquely identified by five values, collectively called the five-tuple:
- Protocol — TCP or UDP
- Source IP address — where the connection originates
- Source port — the ephemeral port assigned to the client
- Destination IP address — where the connection goes
- Destination port — the service port on the destination
Every combination of these five values identifies exactly one network conversation. Two connections from the same client to the same server on the same port are distinguishable because they will have different source ports.
Firewalls, intrusion detection systems, and stateful packet inspection all use the five-tuple to track connections and apply policy. Understanding this model is essential for making sense of firewall rules and network logs.
Major Well-Known Ports in Depth
Ports 20 and 21 — FTP: File Transfer Protocol
Port 21 is the control connection for FTP — the channel used for commands and responses between the FTP client and server. Port 20 is the data connection in active mode FTP, used for actual file transfers.
FTP uses TCP only. It was designed in the early days of the internet, before security was a design consideration. As a result, FTP transmits everything in cleartext — including usernames, passwords, and file contents. Anyone on the same network who can capture traffic with a tool like Wireshark can read FTP credentials immediately without any decryption.
Active vs. passive mode: In active mode FTP, the server initiates the data connection back to the client on port 20. In passive mode FTP (PASV), the server listens on a random high port and the client initiates the data connection. Passive mode is necessary when clients are behind NAT or firewalls that block inbound connections.
Security: FTP is obsolete for any purpose where security matters. It should be replaced with:
- SFTP (SSH File Transfer Protocol) — runs over SSH (port 22), fully encrypted
- FTPS (FTP over TLS) — FTP with Transport Layer Security encryption added
Seeing FTP traffic on a network audit is a red flag. Any FTP server still running and accessible from an untrusted network should be treated as a security finding.
Port 22 — SSH: Secure Shell
SSH is the standard for encrypted remote access to network devices and servers. It operates over TCP only and provides:
- Remote terminal access — log into a Linux or Unix server and execute commands
- SFTP — secure file transfer built on top of the SSH protocol
- Port forwarding and tunneling — SSH can forward other protocols through its encrypted channel, which has both legitimate uses (securely accessing internal services) and attacker uses (bypassing firewall rules)
- Remote command execution — running commands on a remote machine without an interactive terminal
SSH replaced Telnet (port 23) as the standard for remote administration. Unlike Telnet, which sends everything in plaintext, SSH encrypts all traffic — keystrokes, commands, output, and file transfers.
Authentication methods: SSH supports password authentication and public-key authentication. With public-key authentication, the user generates a cryptographic key pair and places the public key on the server. The private key stays on the user's machine. Authentication happens through a cryptographic challenge-response that proves possession of the private key without transmitting it. Key-based authentication is significantly more secure than passwords because there is no password to guess, phish, or capture.
Security considerations: SSH servers exposed to the internet face relentless automated brute-force attacks. Attackers run automated scanners that probe every accessible IP address for port 22 and attempt thousands of common username-password combinations per hour.
Standard hardening measures for internet-facing SSH servers:
- Disable password authentication; require key-based authentication only
- Change the listening port from 22 to a non-standard high port (reduces automated scanning noise, though does not stop a determined attacker)
- Use fail2ban or an equivalent tool to automatically block IP addresses after repeated failed authentication attempts
- Restrict SSH access to specific source IP addresses using firewall rules
- Keep the SSH server software updated — vulnerabilities in SSH implementations are occasionally discovered
Port 23 — Telnet
Telnet was the original remote terminal protocol — it predates SSH by many years. It operates over TCP and provides an interactive command-line session on a remote device.
The fundamental problem with Telnet is that everything it transmits is in plaintext. Every keystroke, every command, every response, and every password is transmitted as readable text with no encryption. Anyone who can intercept the traffic can read it completely.
Telnet has no place in any environment where security is a consideration. It should never be enabled on any device accessible from an untrusted network. If you encounter a Telnet service during a security assessment, it is an immediate finding.
The only context where Telnet is sometimes seen today is on very old network equipment — routers, switches, and embedded devices from the 1990s and early 2000s that do not support SSH. Replacing or upgrading this equipment is the correct response.
Port 25 — SMTP: Simple Mail Transfer Protocol
SMTP is the protocol used to transfer email between mail servers. When you send an email, your mail client passes it to your mail server, and that server uses SMTP to relay it to the recipient's mail server. Port 25 is used for this server-to-server relay function.
SMTP uses TCP only.
Related ports:
- Port 587 — SMTP Submission: This is the port mail clients (Outlook, Thunderbird, Apple Mail) use to submit outgoing email to their mail server. Port 587 requires authentication. Many ISPs (Internet Service Providers) block port 25 outbound from residential connections to prevent spam, but allow port 587 for legitimate submission.
- Port 465 — SMTPS: SMTP over TLS (Transport Layer Security), an older convention for encrypted SMTP. Port 587 with STARTTLS (a command that upgrades a plaintext connection to encrypted) is now preferred.
Security considerations:
SMTP is deeply involved in email-based attacks:
Spam and phishing infrastructure rely on SMTP servers — often compromised legitimate servers or deliberately misconfigured open relays — to send large volumes of malicious email.
Email spoofing exploits the fact that original SMTP has no authentication for the sender address. Without additional controls, any server can claim to send email from any domain. Three DNS (Domain Name System) record types address this:
- SPF (Sender Policy Framework): a DNS record listing IP addresses authorized to send email for a domain. Receiving servers check whether the sending server's IP is on the SPF list.
- DKIM (DomainKeys Identified Mail): the sending server cryptographically signs outgoing email. Receiving servers verify the signature against a public key published in DNS.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): a policy record telling receiving servers what to do if SPF and DKIM checks fail — quarantine, reject, or report — and where to send failure reports.
Properly configured SPF, DKIM, and DMARC records significantly reduce the ability of attackers to send email that impersonates your domain.
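To make the three record types above concrete, here is an added example (not from the original page) that evaluates a sender IP against an SPF record and then applies a DMARC policy to the result. The records, IP addresses and domain names are constructed; the evaluator handles only the ip4/ip6/all mechanisms, since include, a, mx and redirect require live DNS lookups, and it skips DMARC identifier alignment, which a real receiver also checks.

```python
import ipaddress

# Constructed sample records; in practice these are published as DNS TXT records.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+' (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def spf_check(record, sender_ip):
    """Return the SPF result for sender_ip (ip4/ip6/all mechanisms only).

    Mechanisms that need DNS (include, a, mx, exists, redirect) are reported
    as 'permerror' by this offline evaluator; a real receiver resolves them.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"
    return "neutral"          # no mechanism matched and no 'all' term present


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def receiver_action(spf_result, dkim_passed, dmarc_record):
    """What a receiving server does with the message under the DMARC policy.

    Simplified: the message is treated as authenticated when SPF passes or
    DKIM verifies; the 'p' tag decides the fate of everything else.
    """
    policy = parse_dmarc(dmarc_record).get("p", "none")
    if spf_result == "pass" or dkim_passed:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for sender in ("192.0.2.17", "198.51.100.5", "2001:db8:1::1"):
        result = spf_check(SAMPLE_SPF, sender)
        print(sender, result, receiver_action(result, False, SAMPLE_DMARC))
```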
Port 53 — DNS: Domain Name System
DNS is the service that translates human-readable domain names (like www.example.com) into IP addresses that computers use to route traffic. Without DNS, you would need to memorize IP addresses for every website you visit.
DNS primarily uses UDP (User Datagram Protocol) for queries, because queries and responses are small and UDP is faster than TCP for short exchanges. DNS falls back to TCP when:
- A response is larger than 512 bytes (the traditional UDP limit)
- A DNS server is performing a zone transfer — copying the full contents of a DNS zone from a primary server to a secondary server
Port 53 uses both UDP and TCP.
Security considerations:
DNS tunneling: DNS traffic is often permitted through firewalls even in highly restrictive environments, because blocking port 53 would break name resolution. Attackers exploit this by encoding data inside DNS queries and responses — using DNS as a covert channel to exfiltrate data from compromised networks or maintain command-and-control communications. DNS monitoring tools look for unusually long domain names, high query rates, and queries for domains that do not appear to be legitimate websites.
DNS amplification attacks: Open DNS resolvers — servers that answer queries from any IP address — can be abused in distributed denial-of-service (DDoS) attacks. An attacker sends a small query with a spoofed source IP (the victim's address) to an open resolver. The resolver sends a much larger response to the victim. By directing many open resolvers to respond to the same victim, attackers generate massive traffic volume with relatively little effort. Restricting DNS resolvers to serve only authorized clients eliminates their usefulness for amplification attacks.
Cache poisoning: An attacker who can inject false records into a DNS resolver's cache can redirect users to malicious servers. When a user queries for a legitimate domain, the resolver returns the attacker's IP instead of the real one. DNSSEC (Domain Name System Security Extensions) provides cryptographic authentication of DNS records to prevent poisoning.
As a defensive practice, port 53 outbound should be restricted to authorized DNS servers. Workstations should not be making direct DNS queries to arbitrary internet resolvers — their queries should go through controlled, monitored internal resolvers.
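The DNS tunneling signals listed above (unusually long names, high query rates, names that do not look like real hostnames) can be turned into a small detector. This is an added example, not from the original page: it scores a constructed resolver log and reports queries whose names look like carried data plus clients querying one domain at an unusual rate. The log format, thresholds and domain names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line:
# "<epoch-seconds> <client-ip> <queried-name> <query-type>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000000 10.0.0.5 mail.example.com A
1700000001 10.0.0.9 4a7f9c2e1b3d5e6f7a8b9c0d1e2f3a4b.tun.example.net TXT
1700000001 10.0.0.9 5b8e0d3f2c4e6f7a8b9c0d1e2f3a4b5c.tun.example.net TXT
1700000002 10.0.0.9 6c9f1e4a3d5f7a8b9c0d1e2f3a4b5c6d.tun.example.net TXT
1700000002 10.0.0.9 7dae2f5b4e6a8b9c0d1e2f3a4b5c6d7e.tun.example.net TXT
1700000003 10.0.0.9 8ebf3a6c5f7b9c0d1e2f3a4b5c6d7e8f.tun.example.net TXT
1700000003 10.0.0.5 cdn.example.org A
"""


def entropy(s):
    """Shannon entropy in bits per character. Encoded payloads (hex, base32,
    base64) score near the alphabet maximum; real hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples from the sample format."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            rows.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return rows


def registered_domain(qname):
    """Crude two-label approximation; a public-suffix list would do better."""
    return ".".join(qname.split(".")[-2:])


def score_queries(rows, max_qname=40, max_label=30, min_entropy=3.5,
                  rate_limit=4, window=10):
    """Apply the page's signals to each query and to per-client query rates.

    Returns (suspicious, busy): suspicious lists (client, qname, reasons) for
    names that look like carried data; busy maps (client, registered_domain)
    to the peak query count inside any `window`-second span when that peak
    reaches `rate_limit`.
    """
    suspicious = []
    per_client_domain = defaultdict(list)
    for ts, client, qname, qtype in rows:
        longest = max(qname.split("."), key=len)
        reasons = []
        if len(qname) > max_qname:
            reasons.append("long-qname")
        if len(longest) > max_label:
            reasons.append("long-label")
        if entropy(longest) >= min_entropy:
            reasons.append("high-entropy")
        if qtype in ("TXT", "NULL"):      # record types with large answers
            reasons.append("bulk-qtype")
        if reasons:
            suspicious.append((client, qname, reasons))
        per_client_domain[(client, registered_domain(qname))].append(ts)

    busy = {}
    for key, stamps in per_client_domain.items():
        stamps.sort()
        peak = max(sum(1 for t in stamps if start <= t <= start + window)
                   for start in stamps)
        if peak >= rate_limit:
            busy[key] = peak
    return suspicious, busy


if __name__ == "__main__":
    flagged, busy_clients = score_queries(parse_log(SAMPLE_LOG))
    for client, qname, reasons in flagged:
        print(f"{client} {qname} {','.join(reasons)}")
    for (client, domain), peak in busy_clients.items():
        print(f"{client} sent {peak} queries for {domain} within 10s")
```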
Ports 67 and 68 — DHCP: Dynamic Host Configuration Protocol
DHCP automatically assigns IP addresses, subnet masks, default gateways, and DNS server addresses to devices when they connect to a network. Without DHCP, an administrator would have to manually configure the network settings of every device.
DHCP uses UDP only:
- Port 67: the DHCP server listens on this port
- Port 68: the DHCP client uses this port
DHCP operates via broadcast — the client sends a broadcast message to the entire local network segment because it does not yet know the DHCP server's address. DHCP traffic is therefore local to a single network segment; routers do not forward broadcasts between networks by default (though a DHCP relay agent can be configured to do so).
Security implications of DHCP are covered in depth in dhcp.md, including rogue DHCP servers and DHCP starvation attacks. DHCP is mentioned here for completeness in the port reference.
Port 80 — HTTP: Hypertext Transfer Protocol
HTTP is the foundational protocol of the World Wide Web. It defines how web browsers request pages and how web servers respond. Port 80 uses TCP only.
The critical security characteristic of HTTP is that it is completely unencrypted. Everything transmitted over an HTTP connection — HTML (Hypertext Markup Language) pages, cookies, form data, login credentials — is sent as plaintext. Anyone who can intercept the traffic (on the local network, at an ISP, or anywhere along the path) can read it.
HTTP has been substantially replaced by HTTPS (port 443) for any web communication involving sensitive data. Modern browsers display warnings when users access sites over HTTP, and many browsers now default to HTTPS.
HSTS — HTTP Strict Transport Security: A security mechanism where web servers instruct browsers to always use HTTPS for future connections to that domain, even if the user types a plain HTTP address. HSTS prevents downgrade attacks where an attacker intercepts an HTTP request before the browser can be redirected to HTTPS.
HTTP on port 80 is still commonly seen for redirects — the server receives the HTTP request and immediately redirects the browser to the HTTPS version. The actual content should never be served over plain HTTP.
Port 110 — POP3: Post Office Protocol Version 3
POP3 is an email retrieval protocol that allows a client to download email from a server. In traditional POP3 usage, email is downloaded to the client and removed from the server — the server is used as a temporary holding area, not a permanent store.
POP3 uses TCP only. Like many older protocols, unencrypted POP3 transmits credentials in plaintext.
Port 995 — POP3S: POP3 over TLS — the encrypted version. This is the only acceptable form of POP3 today.
POP3 has been largely replaced by IMAP in modern email clients because IMAP keeps email on the server and synchronizes across multiple devices — a feature that POP3's design does not support well.
Port 143 — IMAP: Internet Message Access Protocol
IMAP is the modern standard for email retrieval. Unlike POP3, IMAP keeps messages on the mail server and synchronizes state — read/unread, folders, flags — across all of a user's devices. When you read an email on your phone, it appears as read on your laptop as well, because both are accessing the same server-side state.
IMAP uses TCP only. Unencrypted IMAP transmits credentials in plaintext.
Port 993 — IMAPS: IMAP over TLS — the encrypted version that should always be used.
Port 389 — LDAP: Lightweight Directory Access Protocol
LDAP is a protocol for querying and modifying directory services — structured databases that store information about users, computers, groups, and other network objects. In Windows environments, LDAP is the protocol used to communicate with Microsoft Active Directory — the centralized authentication and authorization system used in most enterprise networks.
LDAP can use both TCP and UDP. Port 389 is the standard unencrypted LDAP port.
Port 636 — LDAPS: LDAP over TLS — the encrypted version.
Security considerations:
LDAP enumeration: In many Active Directory environments, unauthenticated or lightly authenticated LDAP queries can enumerate users, groups, organizational units, and other directory objects. Attackers who gain access to a network frequently use LDAP to map the organization's structure — learning which accounts exist, which have elevated privileges, and how the network is organized. This information feeds subsequent attacks.
Pass-the-hash: A technique where an attacker captures a user's password hash (rather than the plaintext password) and uses it directly to authenticate to LDAP and other Windows services without needing to crack the hash.
LDAP injection: Applications that construct LDAP queries using user-supplied input without proper sanitization are vulnerable to LDAP injection — an attack analogous to SQL (Structured Query Language) injection. An attacker manipulates the query structure to retrieve unauthorized information or bypass authentication.
LDAP traffic (port 389) should not be accessible from outside the organization. LDAPS (port 636) should be used for all directory communications. Anonymous LDAP binding should be disabled unless specifically required.
Port 443 — HTTPS: Hypertext Transfer Protocol Secure
HTTPS is HTTP encrypted with TLS (Transport Layer Security). It is the standard for all web communication that requires privacy — which is to say, essentially all web communication. Port 443 uses TCP only.
When you connect to a website over HTTPS:
- The browser and server perform a TLS handshake, agreeing on cryptographic algorithms and exchanging keys.
- The server presents a digital certificate, which the browser verifies against trusted certificate authorities (CAs).
- All subsequent HTTP traffic is encrypted within the TLS tunnel.
HTTPS protects against eavesdropping (nobody reading your traffic in transit) and tampering (nobody modifying the content between server and browser). It also provides authentication — the certificate confirms the server is who it claims to be.
Port 443 beyond the web: Many services other than web browsers use port 443 because it is almost universally permitted through firewalls. VPN (Virtual Private Network) protocols, API (Application Programming Interface) services, and various enterprise applications communicate over port 443.
Security note for defenders: Because port 443 is trusted and almost never blocked, attackers use it for command-and-control communications and data exfiltration. Inspecting HTTPS traffic requires TLS inspection (also called SSL — Secure Sockets Layer — inspection or HTTPS inspection), where the firewall acts as a man-in-the-middle to decrypt, inspect, and re-encrypt traffic. This is a legitimate enterprise security technique but requires careful implementation because it involves decrypting users' traffic.
Port 445 — SMB: Server Message Block
SMB is the protocol Windows uses for file sharing, network drives, shared printers, and inter-process communication between Windows systems. It is fundamental to how Windows networks function. Port 445 uses TCP only.
Security — a critical topic for port 445:
SMB has one of the most significant attack histories of any protocol in common use. Its record of critical vulnerabilities makes it one of the most important ports to understand and control.
EternalBlue — MS17-010: EternalBlue is an exploit for a vulnerability in the SMB version 1 (SMBv1) implementation in Windows. It was developed by the NSA (National Security Agency) as a cyberweapon and disclosed publicly in 2017 by a group called the Shadow Brokers. Microsoft patched the vulnerability in March 2017 (MS17-010), but:
- WannaCry (May 2017): A ransomware attack that exploited EternalBlue to spread autonomously across networks without any user interaction. WannaCry infected hundreds of thousands of systems in over 150 countries, causing billions of dollars in damage. The United Kingdom's NHS (National Health Service) was severely impacted — hospitals cancelled appointments and turned away patients because their systems were encrypted.
- NotPetya (June 2017): A destructive wiper disguised as ransomware, also exploiting EternalBlue combined with other techniques. NotPetya caused an estimated $10 billion in damages and is considered one of the most destructive cyberattacks in history. It devastated the shipping company Maersk, the pharmaceutical company Merck, and many other global organizations.
Both attacks succeeded because many organizations had not applied the available patch and had SMB port 445 accessible across their internal networks.
Current guidance:
- SMB port 445 should never be exposed to the internet. CISA (Cybersecurity and Infrastructure Security Agency) and NIST (National Institute of Standards and Technology) explicitly recommend blocking ports 445 and 139 at network boundaries.
- SMBv1 should be disabled on all systems — it is an archaic protocol version with no modern security features.
- SMB within internal networks should be restricted: workstations typically do not need to reach other workstations over SMB. Lateral movement through internal networks using SMB is a primary technique of ransomware and advanced persistent threat actors.
Port 3389 — RDP: Remote Desktop Protocol
RDP is Microsoft's protocol for graphical remote desktop access to Windows systems. It provides a full graphical interface to a remote Windows machine as if you were sitting in front of it. Port 3389 uses TCP, with some features also using UDP.
RDP is extraordinarily useful for remote administration of Windows servers and for remote work. It is also one of the most attacked services on the internet.
Security — BlueKeep and beyond:
BlueKeep — CVE-2019-0708: A critical unauthenticated remote code execution vulnerability in older versions of the Windows RDP service. An attacker could exploit it without any user interaction — simply connecting to port 3389 was enough. Microsoft rated it critical and released emergency patches for out-of-support Windows versions (including Windows XP and Windows Server 2003) because of the risk of a worm-level outbreak similar to WannaCry.
RDP brute-force: Automated tools continuously scan the internet for open port 3389 and attempt to authenticate using common username-password combinations. Exposed RDP with weak credentials is one of the most common initial access methods for ransomware operators. Once an attacker has RDP credentials, they have full graphical access to the target system.
RDP as a ransomware entry point: CISA and multiple cybersecurity firms consistently report RDP as one of the top three initial access vectors in ransomware incidents.
Current guidance:
- RDP should never be directly exposed to the internet. Access should require a VPN first.
- If direct RDP is unavoidable, restrict access to specific source IP addresses using firewall rules.
- Enforce account lockout policies to limit brute-force effectiveness.
- Enable Network Level Authentication (NLA), which requires authentication before a full RDP session is established.
- Keep systems fully patched — RDP vulnerabilities are actively discovered and exploited.
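The following added example (not from the original page) ties together the five-tuple model from the earlier section and the RDP brute-force pattern described here: it groups constructed firewall log lines into flows keyed by the five-tuple, then counts how many distinct source addresses hit each destination port, which is the analyst's view of "many sources, one port". The log format, addresses and threshold are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class FiveTuple(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Service names from the page's reference table, used only for reporting.
SERVICE_NAMES = {22: "SSH", 23: "Telnet", 53: "DNS", 80: "HTTP",
                 443: "HTTPS", 445: "SMB", 3389: "RDP"}

# Constructed sample firewall log (not from a real device):
# "<time> <action> <proto> <src-ip>:<src-port> -> <dst-ip>:<dst-port>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ALLOW TCP 198.51.100.7:52847 -> 203.0.113.10:443
2024-05-01T10:00:01Z ALLOW TCP 198.51.100.7:52848 -> 203.0.113.10:443
2024-05-01T10:00:01Z ALLOW TCP 198.51.100.7:52847 -> 203.0.113.10:443
2024-05-01T10:00:02Z DENY TCP 192.0.2.11:41002 -> 203.0.113.10:3389
2024-05-01T10:00:02Z DENY TCP 192.0.2.54:41003 -> 203.0.113.10:3389
2024-05-01T10:00:03Z DENY TCP 192.0.2.99:41004 -> 203.0.113.10:3389
2024-05-01T10:00:03Z DENY TCP 198.51.100.23:41005 -> 203.0.113.10:3389
2024-05-01T10:00:04Z ALLOW UDP 203.0.113.10:53211 -> 203.0.113.53:53
"""


def parse_line(line):
    """Parse one sample log line into (timestamp, action, FiveTuple).

    rsplit on the last ':' keeps this correct for IPv4; bracketed IPv6
    addresses would need their own handling.
    """
    ts, action, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, action, FiveTuple(proto, src_ip, int(src_port), dst_ip, int(dst_port))


def flow_table(log_text):
    """Group events by five-tuple: each key is exactly one conversation.

    Two connections from the same client to the same server port land in
    different entries because their ephemeral source ports differ; repeated
    packets of one connection land in the same entry.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, action, ft = parse_line(line)
            flows[ft].append((ts, action))
    return flows


def distinct_sources_per_port(flows, inbound_hosts):
    """Count distinct source IPs per destination port for traffic into inbound_hosts."""
    sources = defaultdict(set)
    for ft in flows:
        if ft.dst_ip in inbound_hosts:
            sources[ft.dst_port].add(ft.src_ip)
    return {port: len(ips) for port, ips in sources.items()}


def flag_scanned_ports(counts, threshold=3):
    """Ports contacted by at least `threshold` distinct sources, with service name."""
    return {port: (SERVICE_NAMES.get(port, "unknown"), n)
            for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flows = flow_table(SAMPLE_LOG)
    print(f"{len(flows)} distinct flows")
    counts = distinct_sources_per_port(flows, {"203.0.113.10"})
    for port, (name, n) in flag_scanned_ports(counts).items():
        print(f"port {port} ({name}): {n} distinct source IPs, review for brute-force")
```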
Port 3306 — MySQL
Port 3306 is the default listening port for MySQL, one of the most widely used relational database management systems in the world. MySQL uses TCP only.
MySQL databases store application data — user accounts, transactions, content, configuration. Direct access to a database server means direct access to that data.
Security: MySQL should never be accessible from the internet. The database should listen only on the local interface or on the internal network, accessible only from the application servers that legitimately query it. Any internet-accessible service with a publicly reachable MySQL port is a serious misconfiguration — attackers scan for open port 3306 and attempt to authenticate with default or weak credentials.
Port 5432 — PostgreSQL
Port 5432 is the default listening port for PostgreSQL, another widely used open-source relational database. The same security principles that apply to MySQL apply here. PostgreSQL uses TCP only and should never be publicly accessible.
Port 1433 — Microsoft SQL Server (MSSQL)
Port 1433 is the default port for Microsoft SQL Server, the database server used extensively in Windows enterprise environments. TCP only.
SQL Server is a frequent target in enterprise environments because it often stores sensitive business data and because overly permissive configurations — including unnecessary network exposure, default sa (system administrator) accounts, or xp_cmdshell enabled — allow attackers to move from database access to full system compromise.
Ports 8080 and 8443 — Alternative HTTP and HTTPS
Port 8080 is commonly used as an alternative port for HTTP services. Common uses include:
- Development and testing web servers
- Apache Tomcat and other Java application servers
- Web proxies and intermediate servers
- Management interfaces for network devices and applications
Port 8443 serves the same purpose for HTTPS — an alternative encrypted web port, commonly used by Tomcat, management interfaces, and other applications that do not want to or cannot use the privileged port 443.
Security note: Firewalls that simplistically allow "web traffic" by permitting only ports 80 and 443 may leave ports 8080 and 8443 open or may block them inconsistently. Applications running on non-standard ports sometimes receive less scrutiny than those on standard ports, making them attractive for attackers and useful for evading naive filtering. Security scanning should always cover the full port range, not just the well-known ports.
Port 5900 — VNC: Virtual Network Computing
VNC (Virtual Network Computing) is a cross-platform graphical remote desktop protocol. Unlike RDP (which is Windows-specific), VNC runs on Windows, Linux, and macOS. Port 5900 uses TCP.
VNC has a poor security history: older versions transmitted everything including authentication in cleartext, and even modern implementations vary widely in security quality. VNC exposed to the internet is frequently targeted by automated scanners. VNC access, like RDP, should be behind a VPN and restricted to authorized source addresses.
Checking Open Ports
From the Local Machine
Checking what services are listening on your own system:
netstat -tn # Linux: show active TCP connections with numeric addresses (on Windows, netstat -n gives the equivalent view)
ss -tnlp # Linux: show all listening TCP ports with process names and PIDs
netstat -ano # Windows: show all connections with process IDs (PID); cross-reference with Task Manager or tasklist
On Linux, ss -tnlp is particularly useful because it shows:
- Which ports are in LISTEN state (waiting for connections)
- The process name and process ID associated with each listening port
- The local address the service is bound to (0.0.0.0 means accessible on all interfaces; 127.0.0.1 means accessible only locally)
A service bound to 127.0.0.1:3306 is MySQL accessible only from the local machine — as it should be. A service bound to 0.0.0.0:3306 is MySQL accessible from any network interface — potentially a misconfiguration.
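The bind-address check described above can be automated over ss output. This is an added example, not from the original page: it parses a constructed `ss -tnlp` listing, classifies each port by IANA range, and reports database ports bound to all interfaces. The sample output, process names and PIDs are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -tnlp` output (not captured from a real host).
# The Process column is filled in only when ss can read the owning process,
# which normally means running it as root.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       4096    0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=1410,fd=5))
LISTEN  0       511     *:8080               *:*                users:(("java",pid=2210,fd=44))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""


class Listener(NamedTuple):
    addr: str
    port: int
    process: str
    pid: int


def port_range(port):
    """IANA range classification from the Port Ranges section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_ss(text):
    """Parse LISTEN rows of `ss -tnlp` into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split(None, 5)             # keeps the Process column intact
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)    # handles "[::]:22" and "*:8080"
        match = re.search(r'\("([^"]+)",pid=(\d+)', parts[5]) if len(parts) > 5 else None
        process, pid = (match.group(1), int(match.group(2))) if match else ("?", 0)
        listeners.append(Listener(addr, int(port), process, pid))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def is_all_interfaces(addr):
    return addr in ("0.0.0.0", "*", "[::]", "::")


# Ports the page says should be reachable only from the application tier.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}


def audit(listeners):
    """Return (port, process, addr) for database listeners bound to every interface."""
    return [(l.port, l.process, l.addr) for l in listeners
            if l.port in DATABASE_PORTS and is_all_interfaces(l.addr)]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in found:
        if is_loopback(l.addr):
            scope = "local-only"
        elif is_all_interfaces(l.addr):
            scope = "all-interfaces"
        else:
            scope = "specific"
        print(f"{l.addr}:{l.port:<6} {port_range(l.port):<10} {scope:<14} {l.process} (pid {l.pid})")
    for port, process, addr in audit(found):
        print(f"FINDING: {DATABASE_PORTS[port]} ({process}) listens on {addr}:{port}; "
              "bind it to 127.0.0.1 or the internal interface")
```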
Scanning a Remote Host
Network scanning discovers open ports on remote systems. Only perform port scans on systems you own or have explicit written permission to scan. Unauthorized port scanning may be illegal and is certainly hostile.
nmap -sV target-ip # Scan common ports and detect service versions
nmap -p 22,80,443 target-ip # Scan only specific ports
nmap -p 1-1024 target-ip # Scan the well-known port range
nmap -p- target-ip # Scan all 65535 ports (slow but thorough)
nmap -sV -O target-ip # Service version detection plus OS detection
Nmap (Network Mapper) is the standard tool for port scanning. Understanding its output requires understanding Nmap's port states: open (the port is accepting connections), closed (the port is reachable but no service is listening), and filtered (the port is behind a firewall — Nmap cannot determine its state).
Port Reference Table
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 20/21 | TCP | FTP | File Transfer Protocol — plaintext; replaced by SFTP or FTPS |
| 22 | TCP | SSH | Secure Shell — encrypted remote access; replaces Telnet |
| 23 | TCP | Telnet | Plaintext remote access — completely obsolete |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol — server-to-server email relay |
| 53 | TCP/UDP | DNS | Domain Name System — name resolution |
| 67/68 | UDP | DHCP | Dynamic Host Configuration Protocol — IP address assignment |
| 80 | TCP | HTTP | Hypertext Transfer Protocol — unencrypted web |
| 110 | TCP | POP3 | Post Office Protocol — email retrieval (legacy) |
| 143 | TCP | IMAP | Internet Message Access Protocol — email retrieval |
| 389 | TCP | LDAP | Lightweight Directory Access Protocol — directory services |
| 443 | TCP | HTTPS | HTTP Secure — encrypted web (TLS) |
| 445 | TCP | SMB | Server Message Block — Windows file sharing; high-risk port |
| 465 | TCP | SMTPS | SMTP over TLS |
| 587 | TCP | SMTP Submission | Client-to-server email submission with authentication |
| 636 | TCP | LDAPS | LDAP over TLS |
| 993 | TCP | IMAPS | IMAP over TLS |
| 995 | TCP | POP3S | POP3 over TLS |
| 1433 | TCP | MSSQL | Microsoft SQL Server |
| 3306 | TCP | MySQL | MySQL database server |
| 3389 | TCP | RDP | Remote Desktop Protocol — Windows graphical remote access |
| 5432 | TCP | PostgreSQL | PostgreSQL database server |
| 5900 | TCP | VNC | Virtual Network Computing — cross-platform remote desktop |
| 8080 | TCP | HTTP-alt | Alternative HTTP — development servers, proxies, Tomcat |
| 8443 | TCP | HTTPS-alt | Alternative HTTPS — management interfaces, Tomcat |
The Bottom Line
Port numbers are the addressing system within a device — they route incoming packets to the correct application. The services every security practitioner must know by heart are SSH (22), SMTP (25), DNS (53), HTTP (80), HTTPS (443), SMB (445), and RDP (3389); these are the most security-critical. Knowing what each port does, what its attack history is, and when it should and should not be exposed is foundational to writing effective firewall rules, conducting security assessments, and investigating incidents. Every open port is a potential entry point, and unnecessary open ports should be closed. Database ports (3306, 5432, 1433) should never be publicly accessible. SMB and RDP should never be directly internet-facing. These are not best practices — they are baseline requirements for any serious security posture.
Check Your Understanding
- A security analyst reviewing a firewall log sees repeated inbound connection attempts to port 3389 from hundreds of different source IP addresses. What service is being targeted, what type of attack is most likely occurring, and what three countermeasures would you recommend?
- A developer tells you they left "just the database port" open on a cloud server so they could connect to it directly from home for debugging. Which port is likely open, why is this a security problem, and what is the correct way to provide the developer with the access they need while eliminating the exposure?
Something to Think About
- Port 443 (HTTPS) is trusted by nearly every firewall in the world and is almost never blocked. Attackers exploit this by tunneling command-and-control traffic and data exfiltration through HTTPS to blend in with legitimate web traffic. If you were building a defense strategy against HTTPS-based exfiltration, what controls would you consider implementing, and what are the trade-offs in terms of user privacy, performance, and operational complexity?
- The history of SMB port 445 — EternalBlue, WannaCry, NotPetya — shows that a single unpatched vulnerability in a widely trusted internal protocol can cause billions of dollars in damage globally. Many organizations had the MS17-010 patch available for months before WannaCry but had not applied it. What organizational, technical, and human factors do you think contribute to delayed patch deployment, and how might security programs address them?
References
- Official Registry. IANA — "Service Name and Transport Protocol Port Number Registry". Internet Assigned Numbers Authority. — The authoritative registry of all assigned port numbers and their associated protocols and services; the primary reference for determining what any given port number officially represents.
- Official Specification. RFC 6335 — "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry". IETF. — Defines how port numbers are assigned and registered through IANA; explains the three port range categories and the registration process.
- Official Specification. RFC 4254 — "The Secure Shell (SSH) Connection Protocol". IETF. — The SSH connection protocol specification, defining how SSH multiplexes channels (terminal sessions, file transfers, port forwarding) over a single encrypted transport.
- Real-World Incident. CISA — "Advisory AA17-132A: Indicators Associated with WannaCry Ransomware". CISA, 2017. — WannaCry spread globally by exploiting the SMB vulnerability EternalBlue (MS17-010) on port 445; directly relevant to the security context of SMB.
- Real-World Incident. CISA — "Advisory AA21-265A: Conti Ransomware". CISA. — Conti ransomware used RDP (port 3389) for initial access and SMB (port 445) for lateral movement; illustrates real-world exploitation of both ports in modern ransomware operations.
- Security Reference. CISA — "Security Tip ST04-005: Understanding Firewalls for Home and Small Office Use". CISA. — Accessible guidance on firewall concepts including port blocking and why certain ports (445, 3389) should be restricted at network boundaries.
- Tool Reference. Nmap Reference Guide. Nmap Project. — The official reference for Nmap (Network Mapper), the standard tool for port scanning and service detection; essential reading for anyone performing network security assessments.