Common Ports Cheat Sheet (TCP & UDP)
Every TCP and UDP port network engineers, NOC analysts and security teams actually see in tickets — grouped by category with operational notes, not just IANA assignments. Bookmark this. It answers 90% of 'what port is X?' questions in one glance.
Web & HTTP
| Port | Proto | Service | Notes |
|---|---|---|---|
| 80 | TCP | HTTP | Plain web — should redirect to 443. |
| 443 | TCP | HTTPS | TLS web. Most common open port today. |
| 8080 | TCP | HTTP-alt | Common dev / reverse-proxy port. |
| 8443 | TCP | HTTPS-alt | Common admin UI / app server port. |
| 3000 | TCP | Node / React dev | Default for Next.js, Vite preview, Express. |
| 5000 | TCP | Flask / .NET dev | Default dev server port. |
Remote access
| Port | Proto | Service | Notes |
|---|---|---|---|
| 22 | TCP | SSH / SFTP | Remote shell + secure file transfer. |
| 23 | TCP | Telnet | Cleartext — disable wherever found. |
| 3389 | TCP | RDP | Windows remote desktop. Never expose to internet. |
| 5900 | TCP | VNC | Remote desktop. Tunnel over SSH. |
| 5985/5986 | TCP | WinRM | 5985 HTTP, 5986 HTTPS. |
Email (SMTP / IMAP / POP3)
| Port | Proto | Service | Notes |
|---|---|---|---|
| 25 | TCP | SMTP | Server-to-server mail relay. |
| 110 | TCP | POP3 | Legacy mail retrieval (cleartext). |
| 143 | TCP | IMAP | Mail retrieval (cleartext). |
| 465 | TCP | SMTPS | SMTP over implicit TLS (legacy submission). |
| 587 | TCP | SMTP submission | Authenticated submission with STARTTLS — use for clients. |
| 993 | TCP | IMAPS | IMAP over TLS. |
| 995 | TCP | POP3S | POP3 over TLS. |
Network services (DNS, DHCP, NTP, SNMP)
| Port | Proto | Service | Notes |
|---|---|---|---|
| 53 | TCP/UDP | DNS | UDP for queries, TCP for AXFR / responses > 512B. |
| 67/68 | UDP | DHCP | 67 server, 68 client. |
| 69 | UDP | TFTP | Switch/router image transfer. |
| 123 | UDP | NTP | Time sync. Critical for auth & logs. |
| 161/162 | UDP | SNMP | 161 polling, 162 traps. Use v3. |
| 179 | TCP | BGP | Border Gateway Protocol peering. |
| 514 | UDP | Syslog | Log shipping to collector. |
| 520 | UDP | RIP | Legacy routing protocol. |
File sharing & transfer
| Port | Proto | Service | Notes |
|---|---|---|---|
| 20/21 | TCP | FTP | Data / control. Cleartext — avoid. |
| 115 | TCP | SFTP (legacy) | Note: modern SFTP runs over SSH on 22. |
| 137-139 | TCP/UDP | NetBIOS | Legacy SMB. Block at perimeter. |
| 445 | TCP | SMB | Windows file sharing. Patch & restrict. |
| 2049 | TCP/UDP | NFS | Network File System. |
| 873 | TCP | rsync | Native rsync daemon (not over SSH). |
Databases
| Port | Proto | Service | Notes |
|---|---|---|---|
| 1433 | TCP | MSSQL | Microsoft SQL Server. |
| 1521 | TCP | Oracle DB | Oracle TNS listener. |
| 3306 | TCP | MySQL / MariaDB | Authenticate; never expose publicly. |
| 5432 | TCP | PostgreSQL | Use SSL + pg_hba.conf rules. |
| 6379 | TCP | Redis | Default cleartext. Bind to localhost / require AUTH. |
| 9200/9300 | TCP | Elasticsearch | 9200 REST, 9300 transport. |
| 11211 | TCP/UDP | Memcached | Disable UDP — used for reflection DDoS. |
| 27017 | TCP | MongoDB | Default cleartext. Authenticate. |
Directory, auth & VPN
| Port | Proto | Service | Notes |
|---|---|---|---|
| 88 | TCP/UDP | Kerberos | AD authentication. |
| 135 | TCP | MS RPC | Windows endpoint mapper. |
| 389 | TCP/UDP | LDAP | Directory services (cleartext). |
| 636 | TCP | LDAPS | LDAP over TLS. |
| 500 | UDP | IKE / IPsec | VPN key exchange. |
| 1194 | UDP | OpenVPN | Default OpenVPN port. |
| 1701 | UDP | L2TP | Layer 2 Tunneling Protocol. |
| 1723 | TCP | PPTP | Legacy VPN — insecure. |
| 4500 | UDP | IPsec NAT-T | IKE traversal through NAT. |
| 51820 | UDP | WireGuard | Modern VPN default. |
VoIP & media
| Port | Proto | Service | Notes |
|---|---|---|---|
| 1935 | TCP | RTMP | Live video streaming (Flash legacy + still common in OBS). |
| 3478 | TCP/UDP | STUN / TURN | WebRTC NAT traversal. |
| 5060/5061 | TCP/UDP | SIP / SIPS | VoIP signaling. 5061 = TLS. |
| 5004/5005 | UDP | RTP / RTCP | Voice/video media + control. |
IANA port ranges
The 16-bit TCP and UDP port space (0–65535) is split into three ranges by RFC 6335.
| Range | Name | Notes |
|---|---|---|
| 0 – 1023 | Well-known ports | Assigned by IANA. Bind requires root on Unix. |
| 1024 – 49151 | Registered ports | Vendor-registered (e.g. 3306 MySQL, 5432 Postgres). |
| 49152 – 65535 | Ephemeral / dynamic | Client source ports, RFC 6335. |
Never expose these to the internet
The ports most commonly responsible for breaches when left open. Put them behind a VPN, SSH tunnel or zero-trust proxy.
| Port | Service | Why it's dangerous |
|---|---|---|
| 23 | Telnet | Cleartext credentials. |
| 445 | SMB | Wormable history (WannaCry, EternalBlue). |
| 3389 | RDP | Brute-force + ransomware vector #1. |
| 1433 / 3306 / 5432 / 6379 / 27017 | Databases | Direct data exfiltration if exposed. |
| 161 | SNMP v1/v2c | Community strings sniffed in cleartext. |
| 5900 | VNC | Often unauthenticated by default. |
Quick lookup tips
- On Linux: `getent services 443` or `cat /etc/services | grep -w 443`.
- See what's listening: `ss -tulpn` (Linux) or `netstat -ano` (Windows).
- Test a remote port: `nc -zv host 443` or `nmap -p 443 host`.
- Ephemeral range on Linux: `cat /proc/sys/net/ipv4/ip_local_port_range`.
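Combining the `ss -tulpn` tip with the "Never expose these to the internet" table: the script below is an added example, not part of the original cheat sheet, that flags listeners on those ports when they are bound to anything other than loopback. The names `RISKY`, `flag_exposed` and `sample_ss_output` are hypothetical, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): flag listeners on the
# "never expose" ports that are bound to a non-loopback address.

# proto:port pairs from the page's "Never expose these" table.
RISKY="tcp:23 tcp:445 tcp:3389 tcp:1433 tcp:3306 tcp:5432 tcp:6379 tcp:27017 udp:161 tcp:5900"

# Reads `ss -tulpn` output on stdin, prints one line per risky listener.
flag_exposed() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
        port = $5; sub(/.*:/, "", port)     # text after the last colon
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", addr)                # drop scope, e.g. 127.0.0.53%lo
        key = $1 ":" port
        if (!(key in want)) next
        # Loopback-only binds are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = (NF >= 7) ? $7 : "(process hidden; run ss as root)"
        print $1 "/" port " bound to " addr " " proc
    }'
}

# Constructed sample of `ss -tulpn` output; process names and PIDs are made up.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=812,fd=6))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=901,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=955,fd=21))
tcp   LISTEN 0      244    [::1]:5432         [::]:*            users:(("postgres",pid=988,fd=5))
tcp   LISTEN 0      50     [::]:445           [::]:*            users:(("smbd",pid=1010,fd=30))
tcp   LISTEN 0      5      *:5900             *:*
EOF
}

sample_ss_output | flag_exposed
# On a live host: ss -tulpn | flag_exposed
```

A hit means the socket accepts traffic on a non-loopback address; whether it is reachable from the internet still depends on the firewall and routing in front of the host.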
FAQ
- What's the difference between TCP and UDP ports?
- Same 16-bit number space, but they're separate. TCP port 53 and UDP port 53 are independent endpoints. TCP is connection-oriented and reliable; UDP is connectionless and fast — used for DNS, NTP, VoIP and streaming.
- Which ports should never be exposed to the public internet?
- RDP (3389), SMB (445), Telnet (23), all database ports (1433, 3306, 5432, 27017, 6379, 9200), SNMP (161) and Memcached (11211 UDP). Put them behind a VPN, SSH tunnel or zero-trust proxy.
- What's the difference between SMTP ports 25, 465 and 587?
- 25 is server-to-server relay (often blocked outbound by ISPs). 465 is legacy implicit-TLS submission. 587 is the modern client submission port using STARTTLS with authentication. Use 587 for clients, 25 only for MTA-to-MTA.
- Why does DNS use both TCP and UDP port 53?
- UDP for normal queries (small and fast). TCP for zone transfers (AXFR/IXFR) and any response larger than 512 bytes (or 4096 with EDNS). DNS over TLS uses 853, DNS over HTTPS uses 443.
- What's the range of well-known ports?
- 0–1023 are well-known (assigned by IANA, require root to bind on Unix). 1024–49151 are registered ports. 49152–65535 are ephemeral / dynamic ports used as client source ports (RFC 6335).
- What port does SFTP use?
- Modern SFTP runs over SSH on port 22 — it's a subsystem of SSH, not the old standalone protocol. The legacy port 115 (SFTP over its own protocol) is essentially never used today. FTPS is different — that's FTP with TLS on 21 (explicit) or 990 (implicit).
- How many TCP ports exist in total?
- 65,536 (0–65535) for TCP and another 65,536 for UDP — they're separate namespaces. Port 0 is reserved and shouldn't be used.
- What ports does Active Directory use?
- Kerberos (88 TCP/UDP), LDAP (389), LDAPS (636), Global Catalog (3268/3269), DNS (53), SMB (445), RPC endpoint mapper (135) and a dynamic RPC range (49152–65535 on modern Windows).