What Is a Port Reference Guide
A port reference provides a comprehensive lookup of TCP and UDP port numbers, their assigned protocols, and their security implications. Ports are logical endpoints that operating systems use to direct network traffic to the correct application—like apartment numbers in a building. Understanding which services run on which ports is fundamental to network administration, firewall configuration, and security operations.
The Internet Assigned Numbers Authority (IANA) maintains the official port registry, dividing the 65,535 available ports per protocol into three ranges: Well-Known Ports (0-1023), Registered Ports (1024-49151), and Dynamic/Ephemeral Ports (49152-65535). Security professionals need to know these assignments to interpret network scans, write firewall rules, and identify potentially malicious traffic.
How Network Ports Work
When a client connects to a server, it specifies both an IP address and a port number. The server listens on a specific port for incoming connections. The combination of IP address + port number + protocol (TCP or UDP) uniquely identifies a network service.
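The following Python script is an added illustration (not code from the original page) of the two points above: it classifies a port number into the three IANA ranges the guide lists, and it opens a real TCP connection over loopback to show the protocol + IP + port tuple that identifies one flow from each side. The listener binds to port 0 so the operating system picks a free port; no fixed port numbers are assumed.

```python
import socket
import threading

# The three IANA ranges from the guide (inclusive bounds).
IANA_RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic"),
)


def iana_range(port: int) -> str:
    """Return the IANA range name for a port, or raise ValueError if invalid."""
    for low, high, name in IANA_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"port {port} is outside 0-65535")


def endpoint_tuple(proto: str, local, remote) -> tuple:
    """(protocol, local ip, local port, remote ip, remote port): the tuple that
    uniquely identifies one TCP/UDP flow on a host."""
    return (proto, local[0], local[1], remote[0], remote[1])


def demo_loopback_connection() -> dict:
    """Start a TCP listener on 127.0.0.1 (OS-assigned port), connect a client to
    it, and return both sides' view of the flow.  Binding to an OS-assigned port
    avoids the root/administrator privilege needed for well-known ports."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server_port = server.getsockname()[1]

    seen = {}

    def serve():
        conn, peer = server.accept()
        seen["flow"] = endpoint_tuple("tcp", conn.getsockname(), peer)
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.create_connection(("127.0.0.1", server_port), timeout=5)
    client_flow = endpoint_tuple("tcp", client.getsockname(), client.getpeername())
    worker.join(5)
    client.close()
    server.close()
    return {
        "server_port": server_port,
        "client_flow": client_flow,   # local side is the client's ephemeral port
        "server_flow": seen["flow"],  # same flow, seen from the listening side
    }


if __name__ == "__main__":
    result = demo_loopback_connection()
    print(result)
    # Note: the OS ephemeral range may differ from IANA's 49152-65535
    # (Linux defaults to 32768-60999), so the client port can land in
    # either the "registered" or the "dynamic" IANA range.
    print("client port range:", iana_range(result["client_flow"][2]))
```

The client's local port and the server's view of its peer port are the same number: one flow, two endpoints. A firewall rule or a log entry that records only the destination port loses half of that identity.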
| Port | Protocol | Service | Security Notes |
|---|---|---|---|
| 22 | TCP | SSH | Secure remote access; target for brute-force attacks |
| 25 | TCP | SMTP | Email relay; often blocked to prevent spam |
| 53 | TCP/UDP | DNS | Name resolution; DNS tunneling risk |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 443 | TCP | HTTPS | Encrypted web traffic (TLS) |
| 445 | TCP | SMB | File sharing; historically vulnerable (WannaCry) |
| 1433 | TCP | MSSQL | Database; should never be internet-exposed |
| 3306 | TCP | MySQL | Database; restrict to localhost or VPN |
| 3389 | TCP | RDP | Remote desktop; major attack target |
| 5432 | TCP | PostgreSQL | Database; restrict access carefully |
| 8080 | TCP | HTTP Alt | Common for proxies and dev servers |
| 8443 | TCP | HTTPS Alt | Common for management interfaces |
Port states in scanning:
- Open: A service is actively listening and accepting connections
- Closed: The port is accessible but no service is listening
- Filtered: A firewall is blocking the port; no response received
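The three states map directly onto what a TCP connect() attempt returns, which is how Nmap's `-sT` scan classifies them. The Python below is an added example, not part of the original page: `probe_tcp` turns the outcome of one connection attempt into open, closed or filtered, and `demo_states` verifies the first two against a loopback listener that it starts and then stops. The filtered case (no answer before the timeout, or an ICMP unreachable error) cannot be produced offline, so it is only handled, not demonstrated.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the result of a connect() attempt:
    open     - the handshake completed, so a service accepted the connection
    closed   - the host answered with RST: reachable, but nothing listening
    filtered - no answer before the timeout, or an ICMP unreachable error,
               which is what a firewall dropping or rejecting the packet looks like
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. "No route to host" / "Network is unreachable": treated as
        # filtered, matching how a connect scan reports ICMP errors
        return "filtered"
    finally:
        sock.close()


def demo_states() -> tuple:
    """Probe an OS-assigned loopback port while a listener is up, then again
    after it is closed, and return the two classifications."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_states())  # ("open", "closed")
```

From the defender's side, a connect() probe is loud: each "open" result leaves a completed handshake in the service's logs, and each "closed" result leaves a RST, so a burst of these against many ports on one host is exactly the pattern an IDS scan signature looks for.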
Common Use Cases
- Firewall rule creation: Know which ports to allow/block based on required services
- Network scanning interpretation: Understand what services Nmap or Nessus results indicate
- Incident investigation: Identify unusual port activity that may indicate compromise or data exfiltration
- Server hardening: Determine which ports should be open and close everything else
- Application deployment: Configure the correct ports for web servers, databases, and APIs
Best Practices
- Follow the principle of least privilege — Only open ports that are required for business operations
- Never expose database ports to the internet — MySQL (3306), PostgreSQL (5432), and MSSQL (1433) should be accessible only from application servers
- Use non-standard ports cautiously — Moving SSH from 22 to another port reduces noise but is not a security control; attackers scan all ports
- Monitor for unauthorized listeners — Regularly audit which processes are listening on which ports with tools like netstat or ss
- Block outbound ports by default — Egress filtering prevents malware from establishing command-and-control connections on non-standard ports
References & Citations
- Internet Assigned Numbers Authority. (2024). IANA Port Number Registry. Retrieved from https://www.iana.org/assignments/service-names-port-numbers/ (accessed January 2025)
- Gordon "Fyodor" Lyon. (2009). Nmap Network Scanning Guide. Retrieved from https://nmap.org/book/ (accessed January 2025)
Frequently Asked Questions
Network ports are logical endpoints in TCP/IP networking, numbered 0-65535, that enable multiple services to operate on a single IP address. Ports direct traffic to specific applications: web servers use 80/443, email uses 25/587/993, SSH uses 22. Understanding ports is essential for firewall configuration, troubleshooting connectivity, and securing network services properly.
TCP (Transmission Control Protocol) provides reliable, connection-oriented communication with error checking and guaranteed delivery. UDP (User Datagram Protocol) offers connectionless, faster communication without delivery guarantees. TCP suits applications needing reliability (HTTP, SSH, email); UDP suits speed-critical services (DNS, streaming, gaming). Many services support both protocols on the same port.
Well-known ports (0-1023) are reserved for common services by IANA and, on most systems, require administrator (root) privileges to bind. Examples: 22 (SSH), 80 (HTTP), 443 (HTTPS). Registered ports (1024-49151) are assigned to specific applications by IANA but don't require privileges. Dynamic/private ports (49152-65535) are temporary ports for client connections. Always verify port assignments before deployment.
Block inbound connections on all ports except those explicitly required for services. High-risk ports include: 23 (Telnet), 135-139/445 (SMB/NetBIOS), 3389 (RDP), 5900 (VNC). Allow only: 80/443 for web, 22 for SSH (change default), required application ports. Implement egress filtering too, blocking unexpected outbound connections to prevent data exfiltration and command-and-control communication.
Attackers frequently target: 22 (SSH brute force), 23 (Telnet default credentials), 80/443 (web vulnerabilities), 3389 (RDP attacks), 445 (SMB exploits like WannaCry), 21 (FTP), 1433/3306 (databases). They also scan high ports for backdoors and use non-standard ports to evade detection. Monitor all open ports, not just common targets, with intrusion detection systems.
Windows: Run "netstat -ano" or "Get-NetTCPConnection" in PowerShell. Linux/Mac: Run "netstat -tuln", "ss -tuln" (Linux only), or "lsof -i". External scanning: Use nmap ("nmap -sT [IP]") or online port scanners. Always scan from both internal and external perspectives to understand exposure. Document all open ports and their purposes for security baseline and compliance.
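The "monitor for unauthorized listeners" best practice above and this answer both come down to the same task: collect what is listening, compare it with a documented baseline, and flag the difference. The Python below is an added example (not code from the page) that does this for the two tools the answer names. It parses `ss -tuln` output (Linux) and `netstat -ano` output (Windows), normalises both to (protocol, bind address, port), and reports listeners missing from the baseline plus any database port bound to all interfaces, which the guide says must never happen. The command outputs and the baselines are constructed samples; real baselines come from your own documentation.

```python
from typing import List, Set, Tuple

Listener = Tuple[str, str, int]          # (proto, bind address, port)
Finding = Tuple[str, str, str, int]      # (kind, proto, bind address, port)

# Database ports the guide says must never be reachable beyond the app tier.
DATABASE_PORTS = {1433, 3306, 5432}
# Wildcard bind addresses: the socket accepts connections on every interface.
ANY_ADDR = {"0.0.0.0", "::", "*"}


def _split_addr_port(text: str) -> Tuple[str, int]:
    """'addr:port', '[::]:port' or '*:port' -> (addr, port)."""
    addr, _, port = text.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id (%lo)
    return addr, int(port)


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tuln`: LISTEN-state TCP sockets and all bound UDP sockets."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header row, blank line, or an unrelated socket type
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, port = _split_addr_port(local)
        listeners.append((proto, addr, port))
    return listeners


def parse_netstat_ano(output: str) -> List[Listener]:
    """Parse Windows `netstat -ano`: TCP rows in LISTENING state and all UDP rows
    (UDP rows carry no state column, only Proto, Local, Foreign, PID)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        addr, port = _split_addr_port(fields[1])
        listeners.append((proto, addr, port))
    return listeners


def audit(listeners: List[Listener], baseline: Set[Tuple[str, int]]) -> List[Finding]:
    """Compare listeners with a (proto, port) baseline and flag deviations."""
    findings = []
    for proto, addr, port in listeners:
        if (proto, port) not in baseline:
            findings.append(("unexpected-listener", proto, addr, port))
        if port in DATABASE_PORTS and addr in ANY_ADDR:
            findings.append(("database-on-all-interfaces", proto, addr, port))
    return findings


# Constructed sample output in the shape `ss -tuln` prints on Linux.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:5432      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""
LINUX_BASELINE = {("tcp", 22), ("udp", 53)}  # constructed baseline

# Constructed sample output in the shape Windows `netstat -ano` prints.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2204
  TCP    192.0.2.10:49712       192.0.2.20:443         ESTABLISHED     3016
  TCP    [::]:3389              [::]:0                 LISTENING       1180
  UDP    0.0.0.0:123            *:*                                    1044
"""
WINDOWS_BASELINE = {("tcp", 135), ("udp", 123)}  # constructed baseline

if __name__ == "__main__":
    for name, listeners, baseline in (
        ("linux", parse_ss(SS_SAMPLE), LINUX_BASELINE),
        ("windows", parse_netstat_ano(NETSTAT_SAMPLE), WINDOWS_BASELINE),
    ):
        for finding in audit(listeners, baseline):
            print(name, *finding)
```

In the Linux sample, MySQL on 127.0.0.1:3306 is flagged only as undocumented, while PostgreSQL on 0.0.0.0:5432 is flagged twice: undocumented and exposed on every interface. Keying the baseline on (protocol, port) rather than port alone matters because TCP and UDP listeners on the same number are different services.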
Changing default ports provides minimal security through obscurity. It reduces automated scanning but determined attackers will discover services regardless. Better strategies: disable unnecessary services, use strong authentication, keep software updated, implement network segmentation, and monitor traffic. If changing ports, document changes carefully and ensure monitoring tools reflect new configurations to avoid blind spots.
Port forwarding redirects external traffic to internal network devices, enabling services like remote desktop, web servers, or game servers behind NAT. Configure on routers to map external ports to internal IP:port combinations. Use cautiously: each forwarded port increases attack surface. Prefer VPN access over port forwarding. If necessary, use non-standard ports, strong authentication, and monitor logs regularly.
Block unused ports and known-vulnerable services like Telnet (23), NetBIOS (135-139, 445), and RDP (3389) unless needed. Allow only essential services through specific ports. Implement default-deny policies where all traffic is blocked except explicitly allowed connections.
TCP (Transmission Control Protocol) is connection-oriented with guaranteed delivery, ordering, and error checking - ideal for web, email, and file transfers. UDP (User Datagram Protocol) is connectionless with no delivery guarantees but lower latency - used for streaming, gaming, and DNS.