Common Network Ports and Protocols Every Security Pro Should Know
A reference guide to the most important network ports and protocols, why they matter for security, and what to watch for.
Every network service listens on a specific port. Knowing which ports map to which services allows you to identify what is running on a system, spot unauthorized services, and understand what traffic your firewall rules should permit or block. Port awareness is fundamental to vulnerability scanning, incident response, and network monitoring.
Port 22, SSH (Secure Shell): Used for encrypted remote command-line access and secure file transfer (SFTP/SCP). If you see SSH exposed to the internet, ensure it uses key-based authentication rather than passwords, and consider moving it to a non-standard port to reduce automated brute-force noise.
Port 25, SMTP (Simple Mail Transfer Protocol): Used for sending email between mail servers. Open SMTP relays are a classic misconfiguration that spammers exploit. Modern email security layers SPF, DKIM, and DMARC on top of SMTP.
Port 53, DNS (Domain Name System): Handles domain name resolution over both UDP (standard queries) and TCP (zone transfers, large responses). DNS is one of the most abused protocols in cybersecurity. Attackers use it for data exfiltration (DNS tunneling), command and control communication, and cache poisoning.
Ports 80 and 443, HTTP and HTTPS: The backbone of web traffic. Port 80 is unencrypted HTTP; port 443 is TLS-encrypted HTTPS. Any sensitive application should run exclusively on 443. If you see port 80 open, it should only redirect to 443.
Port 135, Microsoft RPC: Used by Windows for various services including DCOM and WMI. Frequently targeted by worms and lateral movement techniques. It should never be exposed to the internet.
Ports 137-139, NetBIOS: Legacy Windows networking ports used for name resolution and file sharing. These should be blocked at the perimeter and ideally disabled on endpoints that do not need them.
Port 445, SMB (Server Message Block): Windows file sharing protocol. The EternalBlue exploit that powered WannaCry and NotPetya targeted SMB on port 445. Block this at your firewall perimeter without exception.
Port 3306, MySQL: Default port for MySQL database connections. Databases should never be directly accessible from the internet. Use a bastion host or VPN for remote administration.
Port 3389, RDP (Remote Desktop Protocol): Windows remote desktop. Exposing RDP to the internet is one of the most common entry points for ransomware operators. Always place RDP behind a VPN or use a remote access gateway with MFA.
Port 5432, PostgreSQL: Default port for PostgreSQL. Same guidance as MySQL: keep it off the internet and behind network controls.
Ports 8080 and 8443: Common alternative ports for HTTP and HTTPS, often used by web application servers, proxies, and development environments. Do not assume these are less important than 80/443.
When you run a scan with Nmap (nmap -sV target), the tool probes open ports and attempts to identify the service and version running behind each one. Version detection is critical because an outdated service version may have known exploitable vulnerabilities.
Firewall rules should follow the principle of least privilege: open only the ports that specific services require, restrict source IPs where possible, and log all denied connection attempts. Regularly audit open ports with both internal and external scans.
High-numbered ports (above 1024) with unexpected listening services may indicate backdoors, reverse shells, or unauthorized applications. Common red flags include: outbound connections on unusual ports, services running on ports that do not match their expected protocol (like HTTP traffic on port 53, which may indicate DNS tunneling), and internal hosts scanning ranges of ports on other internal systems.
Document your organization's expected port usage in a baseline, and configure your monitoring tools to alert on deviations.
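The baseline-and-deviation check described above, and the "never expose" guidance for the Windows, database and RDP ports listed earlier, as an added example written for this article rather than code from the CDA Wiki. The baseline set, the `ss -Hlntu`-style socket lines and the port list are constructed sample data and assumptions for illustration; in practice you would feed the script the real output of `ss -Hlntu` (or `netstat`) from each host.

```python
"""Added example: flag listening sockets that deviate from an expected port baseline."""
import re

# Ports the article says should never face untrusted networks (assumed list).
NEVER_EXPOSE = {135, 137, 138, 139, 445, 3306, 3389, 5432}

# Constructed baseline: (protocol, port) pairs this host is expected to listen on.
BASELINE = {("tcp", 22), ("tcp", 443), ("tcp", 53), ("udp", 53)}

# Constructed sample in `ss -Hlntu` column order (no header):
# Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:445       0.0.0.0:*
udp   UNCONN 0 0    127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128  [::]:4444         [::]:*
tcp   LISTEN 0 80   127.0.0.1:3306    0.0.0.0:*
"""

# Loopback bindings are reachable only from the host itself.
LOOPBACK = re.compile(r"^(127\.|\[::1\]|::1)")


def parse_listeners(text):
    """Return a list of (proto, bind_addr, port) tuples from ss-style lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        addr, port = fields[4].rsplit(":", 1)  # handles [::]:port and addr%iface:port
        listeners.append((fields[0], addr, int(port)))
    return listeners


def audit(listeners, baseline=BASELINE):
    """Return (severity, message) findings for every listener not in the baseline."""
    findings = []
    for proto, addr, port in listeners:
        if (proto, port) in baseline:
            continue  # expected service, nothing to report
        local_only = bool(LOOPBACK.match(addr))
        where = f"{proto}/{port} bound to {addr}"
        if local_only:
            findings.append(("low", f"{where}: loopback only, not in baseline; confirm it is sanctioned"))
        elif port in NEVER_EXPOSE:
            findings.append(("high", f"{where}: must not face untrusted networks"))
        elif port > 1024:
            findings.append(("high", f"{where}: unexpected high port, check for backdoor or reverse shell"))
        else:
            findings.append(("medium", f"{where}: not in baseline; add it or close it"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{severity}] {msg}")
```

Run against the sample it reports the exposed SMB listener and the high port on 4444 as high, and the loopback-only MySQL listener as low for review.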
Written by CDA Wiki Team