Common ports, what normally runs on them, and why each one matters from a security standpoint.

| Port | Service | Security note |
|---|---|---|
| 20–21 | FTP (data/control) | Unencrypted by default — credentials and data travel in plaintext. Prefer SFTP/FTPS. |
| 22 | SSH | Common brute-force target when exposed to the internet. Restrict by IP or use key-only auth. |
| 23 | Telnet | Plaintext remote access — should not be exposed externally under any circumstance today. |
| 25 | SMTP | Mail relay. Open relays are a classic spam/abuse vector. |
| 53 | DNS | UDP/TCP. DNS amplification is a common DDoS technique that abuses open resolvers. |
| 67–68 | DHCP | Internal network only — never expose to the internet. |
| 69 | TFTP | No authentication. Used for device firmware/config — should stay internal-only. |
| 80 | HTTP | Unencrypted web traffic. Should redirect to HTTPS in production. |
| 110 | POP3 | Often superseded by IMAP. Plaintext unless wrapped in TLS (port 995). |
| 123 | NTP | Time sync. Misconfigured servers have been abused for DDoS amplification. |
| 135 | MS RPC Endpoint Mapper | Common Windows lateral-movement target — should not be internet-facing. |
| 137–139 | NetBIOS | Legacy Windows file/printer sharing — frequent internal-network attack surface. |
| 143 | IMAP | Plaintext unless wrapped in TLS (port 993). |
| 161–162 | SNMP | Default community strings ("public"/"private") remain a real-world finding. |
| 389 | LDAP | Directory services. Should use LDAPS (636) for anything carrying credentials. |
| 443 | HTTPS | Encrypted web traffic — the expected default for any production site. |
| 445 | SMB | File sharing. EternalBlue and many ransomware worms specifically target this port. |
| 465 | SMTPS | SMTP over implicit TLS. |
| 514 | Syslog | Often unauthenticated UDP — log injection is possible if exposed. |
| 587 | SMTP (submission) | Standard for authenticated outbound mail submission with STARTTLS. |
| 636 | LDAPS | LDAP over TLS — preferred over plain LDAP for anything credential-related. |
| 993 | IMAPS | IMAP over TLS. |
| 995 | POP3S | POP3 over TLS. |
| 1433 | MS SQL Server | Common target for credential-stuffing and default-account attempts when exposed. |
| 1521 | Oracle DB | Database listener — should never be directly internet-facing. |
| 3306 | MySQL/MariaDB | Database — restrict to application servers only, never expose publicly. |
| 3389 | RDP | One of the most commonly attacked ports on the internet — a leading ransomware entry point. |
| 5432 | PostgreSQL | Database — same exposure guidance as MySQL. |
| 5900 | VNC | Remote desktop — frequently found with weak or no authentication when exposed. |
| 6379 | Redis | Historically found unauthenticated and internet-facing in many breach reports. |
| 8080 | HTTP (alt) | Common alternate web/proxy port — often a forgotten admin panel. |
| 8443 | HTTPS (alt) | Common alternate secure web port, often used by admin consoles/appliances. |
| 9200 | Elasticsearch | Frequently found exposed with no authentication, leaking entire indices. |
| 27017 | MongoDB | Historically a very common "exposed database with no auth" finding. |