Port Ranges
| Range | Name | Typical Use |
|---|---|---|
| 0–1023 | System / well-known ports | Core services: HTTP, HTTPS, DNS, SSH, SMTP |
| 1024–49151 | Registered ports | Databases, applications, vendor-specific services |
| 49152–65535 | Dynamic / ephemeral ports | Temporary client-side ports assigned by the OS for outgoing connections |
Well-known ports are assigned by IANA and require OS-level privilege to bind on Unix-like systems. Registered ports are documented but generally do not require special permissions. Ephemeral ports are assigned automatically by the operating system for the client side of a TCP or UDP connection — when your browser connects to a web server, it picks a random ephemeral port as its source port while the server listens on 443.
Comprehensive Well-Known Port Reference
| Port | Transport | Service | Notes |
|---|---|---|---|
| 20 | TCP | FTP data | Active mode data channel; largely replaced by SFTP and FTPS |
| 21 | TCP | FTP control | Command channel for FTP; transmits credentials in plaintext |
| 22 | TCP | SSH / SFTP / SCP | Encrypted remote login, file transfer, and tunneling |
| 23 | TCP | Telnet | Unencrypted remote terminal; should not be used on modern networks |
| 25 | TCP | SMTP (relay) | Server-to-server email delivery; ISPs often block outbound 25 on residential lines |
| 53 | UDP/TCP | DNS | UDP for queries; TCP for zone transfers and large responses |
| 67 | UDP | DHCP server | Server listens for client address requests |
| 68 | UDP | DHCP client | Client receives address assignment from server |
| 80 | TCP/UDP | HTTP | Unencrypted web; browsers redirect to HTTPS on most modern sites |
| 110 | TCP | POP3 | Email retrieval; plaintext; largely replaced by IMAP and IMAPS |
| 123 | UDP | NTP | Network Time Protocol; time synchronization for all networked systems |
| 143 | TCP | IMAP | Email retrieval without encryption; prefer IMAPS (993) |
| 161/162 | UDP | SNMP | Network device monitoring and management |
| 389 | TCP | LDAP | Directory services; plaintext; prefer LDAPS (636) |
| 443 | TCP/UDP | HTTPS / HTTP/3 | Encrypted web; UDP 443 used by QUIC/HTTP/3 |
| 445 | TCP | SMB | Windows file and printer sharing; should not be exposed to the internet |
| 465 | TCP | SMTPS (legacy) | Implicit TLS for email submission; superseded by 587 with STARTTLS |
| 514 | UDP | Syslog | System log forwarding; plaintext by default |
| 587 | TCP | SMTP submission | Client-to-server email sending with STARTTLS; preferred over 465 and 25 |
| 636 | TCP | LDAPS | LDAP over TLS for encrypted directory access |
| 993 | TCP | IMAPS | IMAP over TLS; standard for secure email retrieval |
| 995 | TCP | POP3S | POP3 over TLS |
| 3389 | TCP/UDP | RDP | Windows Remote Desktop; high-value target for brute-force attacks if exposed |
| 5900 | TCP | VNC | Remote desktop protocol; encrypt with SSH tunnel if used over untrusted networks |
| 8080 | TCP | Alternate HTTP | Development servers, proxies, admin panels; not a standard port |
| 8443 | TCP | Alternate HTTPS | Admin interfaces and test services using TLS on a non-standard port |
Common Database and Application Ports
| Port | Service | Security Note |
|---|---|---|
| 1433 | Microsoft SQL Server | Bind to localhost or restrict with firewall; never expose to the public internet |
| 1521 | Oracle Database | Common in enterprise environments; restrict to app-server IPs only |
| 3306 | MySQL / MariaDB | Default binds to all interfaces on some installations; restrict immediately |
| 5432 | PostgreSQL | Defaults to localhost; commonly opened for app servers on the same LAN |
| 6379 | Redis | No authentication by default; dangerous if exposed to any untrusted network |
| 27017 | MongoDB | Has been found internet-exposed without auth; always firewall and enable auth |
How Firewalls Use Port Numbers
Firewalls use port numbers as a primary filter for allowing or blocking traffic. A rule that allows inbound TCP 443 from any source permits HTTPS to reach a web server. A rule that blocks outbound TCP 25 prevents users from sending email directly (common on residential ISP networks to reduce spam). Stateful firewalls track connection state, so they automatically allow inbound packets that are replies to outbound connections — the ephemeral destination port is matched against the connection table rather than requiring an explicit inbound rule for each ephemeral port.
Checking Open Ports
Several tools let you see what ports are open and what is listening on a system:
- `ss -tlnp` (Linux) — Lists TCP listening sockets with process names. Faster and more capable than netstat on modern Linux systems.
- `netstat -an` (Windows/Linux/macOS) — Displays active connections and listening ports. On Windows, add `-b` to show the process behind each port.
- `nmap -sT -p 1-1024 192.168.1.1` — Scans a remote host's well-known ports from outside. Useful for verifying firewall rules from the network perspective.
- `lsof -i :8080` (macOS/Linux) — Shows which process has a specific port open.
Why Attackers Scan Common Ports
Automated scanners probe the internet constantly for open well-known ports. Port 22 is scanned for weak SSH passwords. Port 3389 is scanned for RDP brute force. Ports 1433, 3306, and 27017 are scanned for exposed databases with weak or no authentication. Port 8080 and 8443 are scanned for admin panels and developer tools accidentally left running. An open port on a public IP will receive probes within minutes of appearing. Any service that does not need to be publicly accessible should be blocked at the firewall or bound only to loopback or LAN addresses.
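The tool list above shows how to see what is listening; the paragraph above explains which of those listeners matter most. The script below ties the two together as an added example that is not code from the original article: it parses the column layout of `ss -tlnp` output and flags listeners that are bound to all interfaces on the database ports (1433, 1521, 3306, 5432, 6379, 27017) and the alternate web ports (8080, 8443) discussed on this page, while ignoring anything bound to loopback. The sample output, process names and PIDs are constructed for the example; the port classifications come from the tables above.

```python
import re

# Ports this page lists as database/application services that should stay on
# loopback or behind a firewall, and the alternate web ports that often carry
# admin panels or development servers.
DATABASE_PORTS = {1433: "Microsoft SQL Server", 1521: "Oracle", 3306: "MySQL/MariaDB",
                  5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
ALT_WEB_PORTS = {8080: "alternate HTTP", 8443: "alternate HTTPS"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}   # bound to every interface
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}    # reachable only locally

# Constructed sample in the layout that `ss -tlnp` prints; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1203,fd=6))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1450,fd=21))
LISTEN  0       4096    *:27017              *:*                users:(("mongod",pid=1600,fd=11))
LISTEN  0       4096    [::]:8080            [::]:*             users:(("python3",pid=1700,fd=4))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=1800,fd=5))
"""

# Extracts the process name and pid from ss's users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def port_range(port):
    """Classify a port into the three IANA ranges from the table at the top of the page."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def parse_listeners(text):
    """Yield (local_addr, port, process) for each LISTEN line of ss -tlnp output."""
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # Local address is "addr:port"; rsplit keeps IPv6 brackets such as [::1] intact.
        addr, port = cols[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        yield addr, int(port), proc


def audit(text=SAMPLE_SS_OUTPUT):
    """Return a finding for every listener reachable beyond loopback, ranked by the page's guidance."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if addr in LOOPBACK_ADDRS:
            continue                              # local-only: fine for databases and dev servers
        bind = "all interfaces" if addr in WILDCARD_ADDRS else addr
        if port in DATABASE_PORTS:
            sev, why = "high", f"{DATABASE_PORTS[port]} listening on {bind}; bind to loopback or firewall it"
        elif port in ALT_WEB_PORTS:
            sev, why = "medium", f"{ALT_WEB_PORTS[port]} on {bind}; often an admin panel or dev server left running"
        else:
            sev, why = "info", f"{port_range(port)} port on {bind}; confirm this service needs to be reachable"
        findings.append({"port": port, "bind": addr, "process": proc, "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for f in sorted(audit(), key=lambda f: ("high", "medium", "info").index(f["severity"])):
        print(f'{f["severity"]:6} {f["port"]:>5} {f["process"]:14} {f["reason"]}')
```

On a real host you would feed it `ss -tlnp` output (`ss -tlnp | python3 audit.py` with a `sys.stdin.read()` in place of the sample) and add `-u` for UDP listeners. The process column is the useful part of the output: it is the process name, not the port number, that tells you what is actually listening.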
TCP vs UDP Ports
The same port number can exist independently for TCP and UDP. Port 53/udp and port 53/tcp are both DNS but serve different use cases. A firewall rule allowing TCP 53 does not automatically allow UDP 53. When configuring rules, always specify the transport protocol explicitly to avoid gaps or unintended openings.
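The two points above, that a stateful firewall admits replies by consulting its connection table rather than by an inbound rule per ephemeral port, and that a TCP rule says nothing about the same port number over UDP, are easy to see in a small simulation. The following is an added example written for this page, not code from the article or from any real firewall: a first-match rule list, a connection table keyed by the 5-tuple of flows the host opened, and a constructed packet sequence using RFC 5737 documentation addresses. Verdicts are returned from `run_scenario()` so they can be inspected.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (toward the protected host) or "out" (from it)
    proto: str      # "tcp" or "udp"; the same number is a different port per protocol
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_port: int
    action: str     # "allow" or "deny"


class StatefulFilter:
    """First-match rule list plus a connection table for established flows."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default
        self.table = set()  # 5-tuples (proto, src_ip, src_port, dst_ip, dst_port) of outbound flows

    def _static_match(self, pkt):
        for r in self.rules:
            # Transport protocol is part of the match: a TCP rule never covers UDP on the same port.
            if (r.direction, r.proto, r.dst_port) == (pkt.direction, pkt.proto, pkt.dst_port):
                return r.action
        return self.default

    def process(self, pkt):
        if pkt.direction == "in":
            # A genuine reply carries the tracked flow's tuple reversed: the server's port is
            # now the source and the host's ephemeral port the destination. No inbound rule
            # for that ephemeral port exists or is needed.
            reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reverse in self.table:
                return "allow-established"
        action = self._static_match(pkt)
        if action == "allow" and pkt.direction == "out":
            self.table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


def run_scenario():
    """Replay a constructed packet sequence through the filter and return each verdict."""
    host, web, dns, stranger = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    fw = StatefulFilter([
        Rule("in", "tcp", 22, "allow"),    # SSH administration
        Rule("out", "tcp", 443, "allow"),  # HTTPS
        Rule("out", "udp", 53, "allow"),   # DNS queries, UDP only
        Rule("out", "tcp", 25, "deny"),    # no direct SMTP relay, as on residential ISPs
    ])
    packets = {
        "https_out":      Packet("out", "tcp", host, 51234, web, 443),   # ephemeral source port
        "https_reply":    Packet("in", "tcp", web, 443, host, 51234),    # reply to the flow above
        "fake_reply":     Packet("in", "tcp", stranger, 443, host, 51234),  # unsolicited, same port
        "dns_udp_out":    Packet("out", "udp", host, 60001, dns, 53),
        "dns_tcp_out":    Packet("out", "tcp", host, 60002, dns, 53),    # no TCP 53 rule
        "ssh_in_tcp":     Packet("in", "tcp", stranger, 40000, host, 22),
        "ssh_in_udp":     Packet("in", "udp", stranger, 40000, host, 22),  # TCP rule does not apply
        "smtp_relay_out": Packet("out", "tcp", host, 60003, web, 25),
    }
    return {name: fw.process(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

Note that `fake_reply` is denied even though it arrives at the same ephemeral port as the real reply: the connection table is keyed on the full 5-tuple, so only the peer the host actually contacted matches. The `dns_tcp_out` and `ssh_in_udp` cases show why rules should always name the transport protocol, as the section above recommends.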
Ports Are Conventions, Not Guarantees
Standard ports help clients know where to connect by default. A browser assumes HTTPS is on port 443 unless a URL says otherwise. But any service can listen on any port if configured that way. Port scans reveal open ports, not guaranteed service identity — a web server could be running on port 9000, and an SSH honeypot could be listening on port 22.
Frequently Asked Questions
What is port 443 used for?
Port 443 is the standard port for HTTPS. Modern HTTP/3 also commonly uses UDP 443 with QUIC.
What is port 53 used for?
Port 53 is used for DNS. Most normal DNS queries use UDP 53, while TCP 53 is used for larger responses, zone transfers, and fallback cases.
Can a service use a different port than the standard one?
Yes. Port numbers are conventions, not magic. A web server can listen on 8080 or 8443, but clients must know which port to connect to.