Ports#
Well-known application ports an operator is most likely to encounter, ordered roughly from most-common (in everyday work) to least-common.
Port range conventions:
0-1023, well-known / system ports; require privileges to bind on Unix.
1024-49151, registered / user ports; many vendors use these.
49152-65535, ephemeral / dynamic ports; OS chooses for outbound connections.
Daily Encounter#
The fifteen ports an operator sees most often. SSH and HTTPS account for most allow-list rules; the database and message-broker ports show up in every microservice deployment; the dev-server ports (3000, 8080, 8443) are the ones you forget and then remember when nothing connects.
Port |
Protocol |
Service |
|---|---|---|
22 |
TCP |
SSH (and SCP / SFTP / rsync over SSH) |
443 |
TCP / UDP |
HTTPS / HTTP-over-TLS / HTTP/3 (QUIC on UDP) |
80 |
TCP |
HTTP |
53 |
UDP / TCP |
DNS |
5432 |
TCP |
PostgreSQL |
3306 |
TCP |
MySQL / MariaDB |
6379 |
TCP |
Redis / Valkey |
27017 |
TCP |
MongoDB |
9200, 9300 |
TCP |
Elasticsearch / OpenSearch (REST, transport) |
5672, 15672 |
TCP |
RabbitMQ (AMQP, management UI) |
9092 |
TCP |
Apache Kafka |
8080 |
TCP |
HTTP-alt (proxies, dev servers, Tomcat default) |
8443 |
TCP |
HTTPS-alt |
3000 |
TCP |
dev servers (React, Node, Grafana default) |
Common#
The next tier, ports that come up regularly but not every day. Mail (SMTP, IMAP, POP3 with their TLS variants); legacy Windows admin (RDP, SMB, NetBIOS); time and config services (NTP, DHCP, SNMP); and the remaining well-known protocols you should be able to identify without looking up.
Port |
Protocol |
Service |
|---|---|---|
25 |
TCP |
SMTP (server-to-server) |
587 |
TCP |
SMTP submission (client → server, with STARTTLS) |
465 |
TCP |
SMTPS (implicit TLS) |
143 |
TCP |
IMAP |
993 |
TCP |
IMAPS |
110 |
TCP |
POP3 |
995 |
TCP |
POP3S |
21 |
TCP |
FTP control |
20 |
TCP |
FTP data (active mode) |
69 |
UDP |
TFTP |
123 |
UDP |
NTP |
67, 68 |
UDP |
DHCP server / client |
161, 162 |
UDP |
SNMP / SNMP traps |
389 |
TCP / UDP |
LDAP |
636 |
TCP |
LDAPS |
8000 |
TCP |
HTTP-alt (Django default, Python |
8888 |
TCP |
Jupyter |
4200 |
TCP |
Angular dev server |
5000 |
TCP |
Flask, .NET Kestrel default |
3001-3010 |
TCP |
common dev / staging ports |
Cloud-Native and Ops#
The Kubernetes / observability / HashiCorp ports an SRE meets weekly. 6443 and the kubelet ports define the cluster control plane; the Prometheus / Grafana / OpenTelemetry stack is the observability defaults; Vault, Consul, and Nomad fill the secrets / service-discovery / scheduling layers.
Port |
Protocol |
Service |
|---|---|---|
6443 |
TCP |
Kubernetes API server |
10250 |
TCP |
kubelet |
10257 |
TCP |
kube-controller-manager (metrics) |
10259 |
TCP |
kube-scheduler (metrics) |
2379, 2380 |
TCP |
etcd (client, peer) |
30000-32767 |
TCP / UDP |
Kubernetes NodePort range |
2375 |
TCP |
Docker (unencrypted, never expose) |
2376 |
TCP |
Docker over TLS |
9090 |
TCP |
Prometheus |
9093 |
TCP |
Alertmanager |
9100 |
TCP |
node_exporter (Prometheus) |
3000 |
TCP |
Grafana |
4317, 4318 |
TCP |
OpenTelemetry collector (gRPC, HTTP) |
5601 |
TCP |
Kibana / OpenSearch Dashboards |
8500, 8600 |
TCP |
Consul (HTTP, DNS) |
8200 |
TCP |
HashiCorp Vault |
4646 |
TCP |
HashiCorp Nomad |
Databases (Beyond the Big Three)#
PostgreSQL, MySQL, and Redis cover most cases; the table below is everything else operators encounter, enterprise SQL (MSSQL, Oracle, DB2), wide-column and time-series stores (Cassandra, InfluxDB, ClickHouse), document and graph stores, and the vector / search ports that show up around modern ML workloads.
Port |
Protocol |
Service |
|---|---|---|
1433 |
TCP |
Microsoft SQL Server |
1521 |
TCP |
Oracle Database |
50000 |
TCP |
IBM DB2 |
9042 |
TCP |
Cassandra / ScyllaDB (CQL) |
7000, 7001 |
TCP |
Cassandra inter-node, TLS |
8086 |
TCP |
InfluxDB |
8123 |
TCP |
ClickHouse (HTTP) |
9000 |
TCP |
ClickHouse (native) |
6333 |
TCP |
Qdrant |
8081 |
TCP |
Schema Registry / various dashboards |
5984 |
TCP |
CouchDB |
7474, 7687 |
TCP |
Neo4j (HTTP, Bolt) |
11211 |
TCP / UDP |
Memcached |
Messaging and Streaming#
The pub-sub and message-broker ports beyond Kafka and RabbitMQ (which live in “Daily Encounter”). MQTT and its TLS variant are the IoT defaults; NATS and NSQ show up in microservices stacks where Kafka would be overkill.
Port |
Protocol |
Service |
|---|---|---|
1883 |
TCP |
MQTT |
8883 |
TCP |
MQTT over TLS |
4222 |
TCP |
NATS |
6222 |
TCP |
NATS routing |
8222 |
TCP |
NATS HTTP monitoring |
4150, 4151 |
TCP |
NSQ (TCP, HTTP) |
Remote Access and File Sharing#
The remote-administration and file-share ports. RDP / VNC for graphical remote access; the SMB / NetBIOS family for Windows file sharing (and the bulk of legacy Windows-network attack surface); NFS for Unix file sharing; rsync daemon for incremental sync.
Port |
Protocol |
Service |
|---|---|---|
3389 |
TCP |
RDP (Windows Remote Desktop) |
5900-5910 |
TCP |
VNC |
137-139 |
UDP / TCP |
NetBIOS |
445 |
TCP |
SMB / CIFS |
2049 |
TCP / UDP |
NFS |
873 |
TCP |
rsync daemon |
Voice / Video / Real-Time#
The realtime-media ports. SIP for VoIP signaling, RTP for media, STUN / TURN for NAT traversal, RTMP for legacy live-streaming. WebRTC media floats over an ephemeral UDP range, which is why firewalling it cleanly is unusually painful.
Port |
Protocol |
Service |
|---|---|---|
5060 |
TCP / UDP |
SIP |
5061 |
TCP |
SIP-TLS |
3478 |
UDP / TCP |
STUN / TURN |
5349 |
TCP |
TURN-TLS |
1935 |
TCP |
RTMP (legacy streaming) |
5000-65000 |
UDP |
WebRTC media (RTP), ephemeral |
Security and Identity#
The auth and tunneling ports operators meet around identity and VPN work. Kerberos and RADIUS for enterprise auth; IPsec / IKE for site-to-site VPN; OpenVPN and WireGuard for the modern site-to-site and roaming-user options.
Port |
Protocol |
Service |
|---|---|---|
88 |
TCP / UDP |
Kerberos |
464 |
TCP / UDP |
Kerberos password change |
749, 750 |
TCP |
Kerberos administration |
1812, 1813 |
UDP |
RADIUS auth, accounting |
1701 |
UDP |
L2TP |
500, 4500 |
UDP |
IKE / IPsec NAT-T |
1194 |
UDP / TCP |
OpenVPN |
51820 |
UDP |
WireGuard |
Older / Less Common#
Ports that come up in legacy work, niche protocols, or when something on a port scan is unfamiliar. Telnet and Finger are historical (and almost always wrong to allow); IRC remains alive in some communities; the cryptocurrency, Tor, and proxy ports appear in network-recon hits.
Port |
Protocol |
Service |
|---|---|---|
23 |
TCP |
Telnet (avoid) |
79 |
TCP |
Finger |
113 |
TCP |
Ident |
119 |
TCP |
NNTP (Usenet) |
194 |
TCP |
IRC |
6660-6669 |
TCP |
IRC (alternate) |
6667 |
TCP |
IRC (default) |
6697 |
TCP |
IRC over TLS |
8333 |
TCP |
Bitcoin |
30303 |
TCP / UDP |
Ethereum |
9001, 9030 |
TCP |
Tor |
1080 |
TCP |
SOCKS proxy |
3128 |
TCP |
Squid HTTP proxy |
Privileged Range Caveat#
On Linux / Unix, binding to ports below 1024 requires either root
or the CAP_NET_BIND_SERVICE capability:
$ sudo setcap cap_net_bind_service=+ep ./my_server
Where to Look It Up#
The authoritative sources when this table doesn’t have what you
need. IANA holds the standard registry; /etc/services is the
local subset distributed with the OS; getent services is the
scriptable lookup that respects the system’s configured order.
IANA Service Name and Transport Protocol Port Number Registry, the standard list.
/etc/serviceson most Unix systems, a curated subset.getent services <name>, look up a single name from the system’s copy.
See Also#
Networking,
ss,lsof, firewall basics.