Common Network Ports: What They Are and What They Do

TL;DR — Key Takeaways

  • Network ports are logical endpoints that allow multiple services to share a single IP address — think of the IP address as a building’s street address and the port number as the apartment number.
  • Port numbers run from 0 to 65535 (65,536 values), divided into three ranges: well-known (0–1023), registered (1024–49151), and dynamic/ephemeral (49152–65535).
  • TCP ports provide reliable, connection-oriented communication, while UDP ports offer faster, connectionless delivery — each protocol uses its own independent set of port numbers.
  • Every IT professional should memorize the most critical port numbers: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 445 (SMB), and 3389 (RDP).
  • Open network ports are attack surfaces — port scanning, firewall rules, and the principle of least privilege are fundamental to network security.
  • Commands like netstat, ss, and nmap let you check which ports are open and listening on any system.

If an IP address tells the internet which device to reach, a network port tells it which service on that device should handle the traffic. Without ports, a single server could only run one networked application at a time — no web server alongside an email server, no SSH alongside a database.

The analogy is straightforward: your IP address is the street address of an apartment building, and the port number is the apartment number. Mail carriers (packets) need both pieces of information to deliver to the right place. Port 80 might be the web server’s apartment, port 22 might be SSH’s apartment, and port 3306 might belong to MySQL — all in the same building, all reachable at the same IP address.

Understanding common port numbers is essential whether you’re troubleshooting connectivity issues, writing firewall rules, deploying applications, or preparing for certifications like CompTIA Security+, Network+, or CCNA. In this guide, we’ll explain how network ports work, walk through every port number you need to know by category, and show you how to check which ports are open on your systems.

How Network Ports Work

Network ports operate at Layer 4 (the Transport Layer) of the OSI model, which is the layer responsible for end-to-end communication between applications. The two primary transport protocols — TCP and UDP — both use port numbers to multiplex traffic, but they handle delivery very differently.

TCP vs UDP

TCP (Transmission Control Protocol) is connection-oriented. Before any data is exchanged, TCP establishes a session through a three-way handshake (SYN, SYN-ACK, ACK). It guarantees that packets arrive in order, retransmits lost segments, and provides flow control. This reliability makes TCP the standard for web traffic, email, file transfers, and remote access — any scenario where missing or reordered data would be a problem.

UDP (User Datagram Protocol) is connectionless. It sends datagrams without establishing a session and provides no guarantees about delivery, ordering, or duplication. What UDP lacks in reliability it gains in speed and efficiency. DNS lookups, video streaming, VoIP, and online gaming all use UDP because a dropped packet is less damaging than the latency introduced by TCP’s retransmission logic.

Sockets, Source Ports, and Ephemeral Ports

A socket is the combination of an IP address and a port number (for example, 192.168.1.10:443). A network connection is uniquely identified by its transport protocol plus a tuple of four values: source IP, source port, destination IP, and destination port. This is how a web server running on port 443 can simultaneously handle thousands of connections: each client uses a different source port, so every 4-tuple is distinct even though the destination side is identical for all of them.

When your browser connects to a website, the destination port is a well-known port (like 443 for HTTPS), but the source port is an ephemeral port, a temporary number assigned by your operating system from the dynamic range (49152–65535 per IANA; Linux defaults to 32768–60999, which you can read from /proc/sys/net/ipv4/ip_local_port_range). Once the connection closes, that ephemeral port is released back to the pool.
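The 4-tuple and ephemeral-port behaviour described above, as an added example (not code from the original page): one local listener accepts several client connections, and the tuple the server sees for each one differs only in the client's OS-assigned source port. The listener address 127.0.0.1 and port 0 (let the OS choose) are test-only choices, and the fallback range 49152–65535 for non-Linux systems is an assumption.

```python
"""Added example: one listening port, many connections, told apart by the 4-tuple."""
import socket
from pathlib import Path


def ephemeral_range() -> tuple[int, int]:
    """Return the ephemeral (source) port range this OS hands out.

    Linux publishes it in /proc; elsewhere we assume the IANA default of
    49152-65535 (an assumption, not a measured value).
    """
    p = Path("/proc/sys/net/ipv4/ip_local_port_range")
    if p.exists():
        lo, hi = p.read_text().split()
        return int(lo), int(hi)
    return 49152, 65535


def connect_many(n: int) -> list[tuple[str, int, str, int]]:
    """Open n client connections to a single local listener.

    Returns the (source IP, source port, destination IP, destination port)
    tuple of each connection as the server sees it. The destination side is
    identical for every connection; only the ephemeral source port differs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(n)
    dst_ip, dst_port = srv.getsockname()

    opened: list[socket.socket] = []
    tuples: list[tuple[str, int, str, int]] = []
    try:
        for _ in range(n):
            client = socket.create_connection((dst_ip, dst_port))
            opened.append(client)
            server_side, (src_ip, src_port) = srv.accept()
            opened.append(server_side)
            tuples.append((src_ip, src_port, dst_ip, dst_port))
    finally:
        for s in opened:
            s.close()
        srv.close()
    return tuples


def check_uniqueness(tuples: list[tuple[str, int, str, int]]) -> bool:
    """Every connection must be a distinct 4-tuple, all sharing one destination."""
    distinct = len(set(tuples)) == len(tuples)
    one_destination = len({(d_ip, d_port) for _, _, d_ip, d_port in tuples}) == 1
    return distinct and one_destination


if __name__ == "__main__":
    lo, hi = ephemeral_range()
    print(f"ephemeral port range on this host: {lo}-{hi}")
    for t in connect_many(5):
        print("src %s:%d -> dst %s:%d" % t)
```

Run it and every printed line ends with the same destination while the source ports climb through the ephemeral range; this is also why a NAT gateway can track thousands of clients behind one public IP.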

Port Number Ranges

The Internet Assigned Numbers Authority (IANA) divides the 65,536 port numbers (0–65535) into three distinct ranges, each serving a different purpose.

  • 0–1023 — Well-Known Ports — Reserved for standard system services (HTTP, SSH, DNS, etc.). On Unix/Linux systems, binding to these ports requires root privileges (or, on Linux, the CAP_NET_BIND_SERVICE capability). These are the ports you’ll encounter most frequently and the ones that appear on certification exams.
  • 1024–49151 — Registered Ports — Assigned by IANA upon request for specific applications and services (MySQL on 3306, RDP on 3389, PostgreSQL on 5432). Any application can use these ports, but the registrations help prevent conflicts.
  • 49152–65535 — Dynamic / Ephemeral Ports — Used temporarily by the operating system for outbound connections. When your browser opens a connection to a web server, the OS assigns a port from this range as the source port. IANA never assigns these to specific services.

Most of the port numbers you need to memorize for daily work and certifications fall within the well-known and registered ranges. You can search our port reference database for a complete lookup of any port number and its assigned service.

Essential Ports Every IT Professional Should Know

The following sections organize the most important common port numbers by functional category. For each port, we list the number, protocol (TCP, UDP, or both), service name, and a practical explanation of what it does.

Web Traffic

  • Port 80 — HTTP (TCP) — The default port for unencrypted web traffic. A URL typed without a scheme traditionally meant http:// on port 80; current browsers try HTTPS first, and most sites answer on port 80 only to redirect to port 443.
  • Port 443 — HTTPS (TCP) — The default port for encrypted web traffic using TLS/SSL, now the standard for virtually all websites. Search engines prioritize HTTPS sites, and browsers flag HTTP-only sites as “Not Secure.” Note that HTTP/3 runs over QUIC on UDP 443, so a firewall rule that permits only TCP 443 silently pushes clients back to HTTP/2 over TCP.
  • Port 8080 — HTTP Alternate (TCP) — A common alternative HTTP port used by web proxies, development servers, and application servers like Tomcat. Since it falls outside the well-known range, it doesn’t require root privileges to bind.
  • Port 8443 — HTTPS Alternate (TCP) — The encrypted counterpart to 8080, often used by application servers and management interfaces (such as VMware vSphere or Unifi controllers) for HTTPS without occupying the standard 443.

Email

  • Port 25 — SMTP (TCP) — The original Simple Mail Transfer Protocol port, used for server-to-server email relay. Many ISPs and cloud providers block outbound port 25 to prevent spam, so it’s primarily used between mail servers rather than by end-user clients.
  • Port 587 — SMTP Submission (TCP) — The modern standard for email clients submitting outbound mail to a mail server. Port 587 requires authentication and supports STARTTLS encryption, making it the recommended port for sending email.
  • Port 465 — SMTPS (TCP) — SMTP over implicit TLS. The port was briefly registered for SMTPS in the 1990s, then reassigned to an unrelated service, and finally re-registered for mail submission by RFC 8314 (2018), which recommends implicit TLS on 465 as the preferred option over STARTTLS on 587. Both are widely supported by providers; like 587, and unlike 25, it is meant for authenticated client submission rather than server-to-server relay.
  • Port 110 — POP3 (TCP) — Post Office Protocol version 3 downloads email from the server to a local client and typically deletes the server copy. Unencrypted by default, it’s largely been replaced by its secure variant.
  • Port 995 — POP3S (TCP) — POP3 wrapped in TLS/SSL encryption. If you still use POP3 for email retrieval, always use port 995 instead of 110.
  • Port 143 — IMAP (TCP) — Internet Message Access Protocol keeps email on the server and synchronizes across multiple devices. IMAP is the preferred protocol for most modern email clients.
  • Port 993 — IMAPS (TCP) — IMAP over TLS/SSL. This is the port you should configure in your email client for secure IMAP access to services like Gmail, Outlook, or any IMAP-capable provider.

Remote Access

  • Port 22 — SSH (TCP) — Secure Shell provides encrypted remote command-line access to Linux and Unix systems (and to Windows hosts running OpenSSH Server). SSH also carries secure file transfer (SFTP, SCP) and port forwarding (tunneling). It listens on port 22 by default; many administrators move it to a non-standard port to cut brute-force noise in the logs, which helps the logs but is not a substitute for key-only authentication.
  • Port 23 — Telnet (TCP) — An older remote access protocol that transmits everything in plaintext, including passwords. Telnet should never be used over untrusted networks. It exists primarily on legacy equipment and is a frequent target in security audits.
  • Port 3389 — RDP (TCP/UDP) — Remote Desktop Protocol, used to remotely access Windows desktops and servers with a graphical interface; since RDP 8 it also uses UDP 3389 as a lower-latency transport. RDP exposed to the internet is a major attack vector: keep it behind a VPN or RD Gateway and enforce Network Level Authentication (NLA).
  • Port 5900 — VNC (TCP) — Virtual Network Computing provides cross-platform remote desktop access; display N listens on 5900+N, so 5901, 5902 and so on are common. VNC has historically lacked strong encryption by default, so it should be tunneled through SSH or a VPN in production environments.

File Transfer

  • Ports 20/21 — FTP (TCP) — File Transfer Protocol uses port 21 for control commands and port 20 for data transfer (in active mode). FTP transmits credentials in plaintext and is being phased out in favor of SFTP and FTPS.
  • Port 69 — TFTP (UDP) — Trivial File Transfer Protocol is a simplified, unauthenticated file transfer protocol used for bootstrapping devices like network switches, routers, and PXE boot images. It has no encryption or authentication.
  • Port 22 — SFTP (TCP) — SSH File Transfer Protocol runs over the SSH connection on port 22, providing encrypted file transfers with strong authentication. SFTP is the modern replacement for FTP in most environments.
  • Port 445 — SMB (TCP) — Server Message Block handles Windows file and printer sharing. SMB has been the target of devastating exploits (EternalBlue/WannaCry), so port 445 should never be exposed to the internet.
  • Port 2049 — NFS (TCP/UDP) — Network File System is the standard for file sharing in Unix/Linux environments, letting remote systems mount directories over the network as if they were local. NFSv4 needs only port 2049; NFSv3 also depends on the portmapper (port 111) and mountd, so firewall rules for older deployments have to cover those as well.

DNS and Directory Services

  • Port 53 — DNS (TCP/UDP) — Domain Name System resolves domain names to IP addresses. Standard queries use UDP for speed; when a response does not fit in the UDP payload the server sets the TC (truncated) flag and the client retries over TCP, and zone transfers (AXFR/IXFR) always use TCP. Blocking TCP 53 in the belief that DNS is UDP-only breaks both cases. Encrypted variants live elsewhere: DNS over TLS on TCP 853, DNS over HTTPS on 443. Port 53 is one of the most critical network ports in existence. For a detailed breakdown of DNS record types, see our guide on DNS records explained.
  • Port 389 — LDAP (TCP/UDP) — Lightweight Directory Access Protocol is used to query and modify directory services like Microsoft Active Directory. Traffic on 389 is plaintext unless the client negotiates StartTLS on the same port; Active Directory additionally serves the Global Catalog on 3268 (3269 over TLS).
  • Port 636 — LDAPS (TCP) — LDAP over TLS/SSL provides encrypted directory queries. In enterprise environments running Active Directory, port 636 should be used instead of 389 whenever possible.
  • Port 88 — Kerberos (TCP/UDP) — The Kerberos authentication protocol is the default authentication mechanism for Windows Active Directory domains. It issues time-limited tickets that prove a user’s identity without transmitting passwords.

Database Ports

  • Port 3306 — MySQL / MariaDB (TCP) — The default port for MySQL and its fork MariaDB. Database ports should always be firewalled from public access and restricted to application servers that need connectivity.
  • Port 5432 — PostgreSQL (TCP) — The default port for PostgreSQL. Like MySQL, Postgres should never be directly reachable from the internet in production.
  • Port 1433 — Microsoft SQL Server (TCP) — The default instance port for MSSQL. SQL Server also uses UDP 1434 for the SQL Server Browser service, which helps clients discover instances.
  • Port 27017 — MongoDB (TCP) — The default port for MongoDB. Misconfigured MongoDB instances exposed to the internet have been the target of massive data theft campaigns — always require authentication and restrict access.
  • Port 6379 — Redis (TCP) — The default port for Redis, an in-memory data store. Redis historically had no authentication enabled by default, making exposed instances an easy target. Always bind to localhost or use authentication.

VPN and Tunneling

  • Port 500 — IKE / IPsec (UDP) — Internet Key Exchange is used to set up IPsec VPN tunnels. IKE negotiates the security association on UDP 500, and the encrypted data then flows over ESP (IP protocol 50, which is not a port). When either peer sits behind NAT, both IKE and ESP are encapsulated in UDP 4500 (NAT-T), so a working IPsec firewall rule usually has to allow UDP 500, UDP 4500 and IP protocol 50.
  • Port 1194 — OpenVPN (TCP/UDP) — The default port for OpenVPN, one of the most widely deployed open-source VPN solutions. OpenVPN can run over either TCP or UDP, with UDP preferred for performance.
  • Port 51820 — WireGuard (UDP) — The default port for WireGuard, a modern VPN protocol known for its simplicity, speed, and minimal codebase compared to OpenVPN and IPsec.
  • Port 1701 — L2TP (UDP) — Layer 2 Tunneling Protocol is typically combined with IPsec (L2TP/IPsec) for encryption. L2TP alone provides tunneling without encryption.
  • Port 1723 — PPTP (TCP) — Point-to-Point Tunneling Protocol is a legacy VPN protocol with known security vulnerabilities (its MS-CHAPv2 authentication is practically breakable). TCP 1723 is only the control channel; the tunneled data travels over GRE (IP protocol 47), which is why PPTP often fails through NAT. PPTP should be considered deprecated and replaced with WireGuard, OpenVPN, or IPsec.

Monitoring and Logging

  • Ports 161/162 — SNMP (UDP) — Simple Network Management Protocol uses port 161 for queries (polling device metrics) and port 162 for traps (devices pushing alerts). SNMPv3 adds encryption and authentication; earlier versions transmit community strings in plaintext.
  • Port 514 — Syslog (UDP) — The standard port for centralized log collection on Unix/Linux systems: network devices, servers, and applications send log messages to a central collector for analysis and retention. UDP 514 is unauthenticated, unencrypted and lossy, which matters when the logs are your evidence; where the collector supports it, prefer syslog over TCP (commonly also 514) or over TLS on port 6514 (RFC 5425).
  • Port 9090 — Prometheus (TCP) — The default port for Prometheus, a popular open-source monitoring and alerting toolkit. Prometheus scrapes metrics from configured targets at regular intervals.
  • Port 9200 — Elasticsearch (TCP) — The default HTTP/REST port for Elasticsearch, commonly used with Kibana and Logstash (the ELK stack) for log aggregation, search, and visualization. Releases before 8.0 shipped with security features disabled, so treat 9200 like a database port: authentication on, and never reachable from the internet.

Ports and Security

Every open network port is a potential attack surface. If a service is listening on a port, an attacker can attempt to connect to it, probe for vulnerabilities, and exploit weaknesses in the software behind it. This is why understanding which ports are open on your systems — and why — is fundamental to network security.

Port Scanning with Nmap

Port scanning is the process of probing a host to discover which network ports are open and what services are running. Nmap is the industry-standard tool for this task, used by security professionals and attackers alike. Scan only systems you own or are explicitly authorized to test.

# TCP SYN (half-open) scan of the 1000 most common ports; raw sockets need root,
# an unprivileged user must fall back to a full connect scan (-sT)
sudo nmap -sS 192.168.1.1

# Scan specific ports
nmap -p 22,80,443,3306,3389 192.168.1.1

# Scan all 65535 ports with service version detection
nmap -sV -p- 192.168.1.1

# UDP scan (requires root/admin)
sudo nmap -sU -p 53,161,500 192.168.1.1

Nmap reports each port as open (a service completed the handshake and is accepting connections), closed (the host answered, typically with a TCP RST, but nothing is listening there), or filtered (no answer or an ICMP unreachable came back, so a firewall or other filter is most likely dropping the probe). Combined labels such as open|filtered appear, especially in UDP scans, when Nmap cannot tell the two apart.
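To make the open/closed/filtered distinction concrete, here is an added example (not from the original page or from the Nmap project) of a minimal connect-style TCP scanner and an Nmap-like UDP probe, exercised against constructed targets on loopback so it runs offline. The loopback address, the port-0 trick for choosing test ports, and the 0.5-second timeout are test-only assumptions; a real scan needs a timeout tuned to the network.

```python
"""Added example: connect()-style TCP scan and UDP probe reporting Nmap's port states."""
import socket


def tcp_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port the way a connect scan (nmap -sT) does.

    open     - handshake completed: a service accepted the connection
    closed   - the host replied with RST (connection refused): reachable, nothing listening
    filtered - timeout or ICMP unreachable: something dropped the probe, usually a firewall
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # socket.timeout and ICMP-derived errors both land here
        return "filtered"
    finally:
        s.close()


def udp_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a UDP port like nmap -sU.

    UDP has no handshake, so the only hard evidence is an ICMP port-unreachable
    reply (closed). Silence is ambiguous: a listener may ignore our junk datagram
    or a firewall may have eaten it, hence Nmap's open|filtered.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected UDP socket: the kernel surfaces ICMP errors to us
        s.send(b"\x00")
        s.recv(512)
        return "open"            # something actually answered
    except ConnectionRefusedError:
        return "closed"
    except OSError:              # timeout, or no route at all
        return "open|filtered"
    finally:
        s.close()


def scan(host: str, tcp_ports=(), udp_ports=(), timeout: float = 1.0) -> dict:
    """Scan a list of ports; keys are (protocol, port), values are Nmap-style states."""
    results = {("tcp", p): tcp_state(host, p, timeout) for p in tcp_ports}
    results.update({("udp", p): udp_state(host, p, timeout) for p in udp_ports})
    return results


def free_port(kind: int) -> int:
    """Bind to port 0, read back the port the OS chose, release it: a port that is
    (almost certainly) closed right now."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout: float = 0.5) -> dict[str, str]:
    """Scan constructed loopback targets: a TCP listener, a silent UDP listener,
    and a closed port of each protocol."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp_srv.bind(("127.0.0.1", 0))
        tcp_srv.listen(1)               # nobody calls accept(): the kernel still completes the handshake
        udp_srv.bind(("127.0.0.1", 0))  # bound but never reads: a listener that does not reply
        tcp_open, udp_open = tcp_srv.getsockname()[1], udp_srv.getsockname()[1]
        tcp_closed, udp_closed = free_port(socket.SOCK_STREAM), free_port(socket.SOCK_DGRAM)
        return {
            "tcp_listening": tcp_state("127.0.0.1", tcp_open, timeout),
            "tcp_closed": tcp_state("127.0.0.1", tcp_closed, timeout),
            "udp_listening": udp_state("127.0.0.1", udp_open, timeout),
            "udp_closed": udp_state("127.0.0.1", udp_closed, timeout),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for target, state in demo().items():
        print(f"{target:14s} {state}")
```

The UDP half is the instructive part: the bound-but-silent UDP socket comes back as open|filtered, exactly what Nmap prints for most UDP ports, while the closed UDP port is only identified as closed because the loopback interface delivers the ICMP port-unreachable reply. Across a firewall that drops ICMP, both look identical, which is why UDP scans are slow and inconclusive.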

Common Attack Vectors by Port

Certain network ports are disproportionately targeted because the services behind them are high-value or historically vulnerable:

  • Port 22 (SSH) — Automated brute-force attacks attempt thousands of username/password combinations. Mitigation: use key-based authentication, disable password login, deploy fail2ban, or move SSH to a non-standard port.
  • Port 445 (SMB) — The EternalBlue exploit (CVE-2017-0144) used SMB to spread WannaCry ransomware globally. Mitigation: keep systems patched, block port 445 at the perimeter, and disable SMBv1.
  • Port 3389 (RDP) — Exposed RDP is a primary vector for ransomware attacks. Attackers brute-force credentials or exploit vulnerabilities like BlueKeep (CVE-2019-0708). Mitigation: never expose RDP directly to the internet; use a VPN or RD Gateway, enforce Network Level Authentication, and keep the hosts patched.
  • Ports 3306, 5432, 27017, 6379 (databases) — Exposed database ports lead to data theft and ransomware. Mitigation: bind to localhost or private interfaces, require authentication, and use firewall rules.

The principle of least privilege applies directly to firewall rules: only open the network ports that are strictly necessary, and restrict access to the smallest set of source IP addresses possible. Default-deny policies — blocking everything and explicitly allowing only what’s needed — are the gold standard. For a comprehensive introduction to firewall concepts and configuration, see our guide on what is a firewall.

How to Check What Ports Are Open

Knowing how to inspect which TCP ports and UDP ports are open on a system is a core skill for any IT professional. Here are the most common methods for Windows and Linux.

Windows

# Show all active connections and listening ports
netstat -an

# Listening ports with the owning process ID (-o); add -b for the executable name (needs an elevated prompt)
netstat -ano | findstr LISTENING

# Test if a specific remote port is reachable
Test-NetConnection -ComputerName example.com -Port 443

# Example output:
# ComputerName     : example.com
# RemoteAddress    : 93.184.216.34
# RemotePort       : 443
# TcpTestSucceeded : True

Linux

# Show all listening TCP and UDP ports with process info
ss -tulnp

# Example output:
# Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
# tcp   LISTEN 0      128      0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1234))
# tcp   LISTEN 0      511      0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=5678))
# tcp   LISTEN 0      128      127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=9012))

# Scan your own machine for open ports
nmap -sT localhost

# Check if a remote port is reachable
nc -zv example.com 443

Notice the MySQL entry in the ss output above: it binds to 127.0.0.1:3306 rather than 0.0.0.0:3306, so MySQL accepts connections only from the local machine, which is exactly the configuration you want for a database that only a co-located application needs to reach. Remember that the ss view is local: a 0.0.0.0 listener may still be unreachable because of a host or perimeter firewall, and the only way to know what the internet sees is to scan your public IP from a host outside your own network (scanning from behind your own NAT will not show the external view).
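The "is it bound to localhost or to everything?" check above, and the database-binding mitigation from the attack-vector list, lend themselves to a small audit script. The following is an added example, not part of the original page: it parses the text layout ss -tulnp prints and flags sensitive services bound to a wildcard address. The sample output is constructed for the example (it mirrors the page's three lines plus invented Redis, MongoDB, resolver and SNMP entries), and the list of "sensitive" ports is an assumption you would tune for your environment.

```python
"""Added example: audit `ss -tulnp` output for sensitive services bound to all interfaces."""
import re

# Constructed sample in the layout `ss -tulnp` prints; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128      0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      511      0.0.0.0:80           0.0.0.0:*         users:(("nginx",pid=5678,fd=6))
tcp   LISTEN 0      128      127.0.0.1:3306       0.0.0.0:*         users:(("mysqld",pid=9012,fd=21))
tcp   LISTEN 0      511      0.0.0.0:6379         0.0.0.0:*         users:(("redis-server",pid=3456,fd=7))
tcp   LISTEN 0      4096     [::]:27017           [::]:*            users:(("mongod",pid=7890,fd=11))
udp   UNCONN 0      0        127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=456,fd=13))
udp   UNCONN 0      0        *:161                *:*               users:(("snmpd",pid=2222,fd=8))
"""

# Ports from this page that should not normally listen on a wildcard address
# (assumed policy for the example; extend to taste).
SENSITIVE_PORTS = {
    445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
    5900: "VNC", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
PROCESS_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text: str) -> list[dict]:
    """Turn `ss -tulnp` lines into records: proto, state, addr, port, process, pid."""
    records = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        netid, state, _recvq, _sendq, local = parts[:5]
        addr, port = local.rsplit(":", 1)       # rsplit keeps IPv6 "[::]" intact
        addr = addr.split("%", 1)[0]            # drop an interface scope such as "%lo"
        m = PROCESS_RE.search(line)             # process info needs root to be present
        records.append({
            "proto": netid, "state": state, "addr": addr, "port": int(port),
            "process": m.group("name") if m else None,
            "pid": int(m.group("pid")) if m else None,
        })
    return records


def exposed_listeners(records: list[dict]) -> list[dict]:
    """Listeners bound to every interface on a port we consider sensitive."""
    return [r for r in records
            if r["addr"] in WILDCARD_ADDRS and r["port"] in SENSITIVE_PORTS]


def report(text: str) -> list[str]:
    """One human-readable finding per exposed listener."""
    return [f"{SENSITIVE_PORTS[r['port']]} ({r['process']}, pid {r['pid']}) listens on "
            f"{r['addr']}:{r['port']}: bind it to 127.0.0.1 or restrict it with a firewall rule"
            for r in exposed_listeners(parse_ss(text))]


if __name__ == "__main__":
    # On a real host: subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout
    for finding in report(SAMPLE_SS_OUTPUT):
        print(finding)
```

In the sample, sshd and nginx listen on 0.0.0.0 but are not flagged because that is expected for them, mysqld passes because it is on 127.0.0.1, and the Redis and MongoDB listeners are reported. A finding here means "reachable from any interface on this host", not "reachable from the internet"; pair it with an external Nmap scan to confirm what the perimeter actually allows.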

Quick Reference Table

This table summarizes the most critical common port numbers that every IT professional, security analyst, and certification candidate should have memorized. Use our port reference database to look up any port not listed here.

Port — Protocol — Service — What it does:

  • 20/21 — TCP — FTP — File transfer (data on 20, control on 21)
  • 22 — TCP — SSH / SFTP — Encrypted remote shell access and file transfer
  • 23 — TCP — Telnet — Unencrypted remote access (legacy)
  • 25 — TCP — SMTP — Email relay between mail servers
  • 53 — TCP/UDP — DNS — Domain name resolution
  • 69 — UDP — TFTP — Simplified file transfer for device bootstrapping
  • 80 — TCP — HTTP — Unencrypted web traffic
  • 88 — TCP/UDP — Kerberos — Authentication for Active Directory domains
  • 110 — TCP — POP3 — Email retrieval (downloads and deletes)
  • 143 — TCP — IMAP — Email access with server-side sync
  • 161/162 — UDP — SNMP — Network device monitoring and alerts
  • 389 — TCP/UDP — LDAP — Directory services queries
  • 443 — TCP — HTTPS — Encrypted web traffic (TLS/SSL)
  • 445 — TCP — SMB — Windows file and printer sharing
  • 465 — TCP — SMTPS — SMTP over implicit TLS
  • 500 — UDP — IKE / IPsec — VPN tunnel negotiation
  • 514 — UDP — Syslog — Centralized log collection
  • 587 — TCP — SMTP Submission — Authenticated outbound email from clients
  • 636 — TCP — LDAPS — Encrypted directory services queries
  • 993 — TCP — IMAPS — Encrypted IMAP email access
  • 995 — TCP — POP3S — Encrypted POP3 email retrieval
  • 1433 — TCP — MSSQL — Microsoft SQL Server database
  • 1723 — TCP — PPTP — Legacy VPN tunneling (deprecated)
  • 3306 — TCP — MySQL — MySQL / MariaDB database
  • 3389 — TCP/UDP — RDP — Windows Remote Desktop
  • 5432 — TCP — PostgreSQL — PostgreSQL database
  • 5900 — TCP — VNC — Cross-platform remote desktop
  • 6379 — TCP — Redis — In-memory data store / cache
  • 27017 — TCP — MongoDB — NoSQL document database
  • 51820 — UDP — WireGuard — Modern VPN protocol

Frequently Asked Questions

What is the difference between TCP and UDP?

TCP (Transmission Control Protocol) is connection-oriented: it establishes a session with a three-way handshake, guarantees that data arrives in order, and retransmits lost packets. UDP (User Datagram Protocol) is connectionless: it sends data without establishing a session and provides no delivery guarantees. TCP is used when reliability matters (web browsing, email, file transfers), while UDP is used when speed matters more than perfection (DNS lookups, video streaming, VoIP, gaming). Both TCP and UDP use port numbers independently, meaning TCP port 53 and UDP port 53 are technically separate ports, though DNS uses both.

Why is port 443 more important than port 80?

Port 443 carries HTTPS traffic, which is encrypted with TLS/SSL. Port 80 carries plain HTTP, which transmits everything, including passwords, session tokens, and personal data, in readable plaintext. Modern browsers mark HTTP sites as “Not Secure,” search engines give ranking preference to HTTPS, browsers only speak HTTP/2 over TLS, and HTTP/3 has TLS 1.3 built into QUIC (on UDP 443). While port 80 still matters (most sites use it to redirect visitors to HTTPS), port 443 is where actual secure communication happens. In practice, you should always ensure port 443 is open and properly configured with a valid TLS certificate.

What port does SSH use?

SSH (Secure Shell) uses TCP port 22 by default. This single port handles remote shell access, SFTP file transfers, and SSH tunneling (port forwarding). Many administrators change the SSH port to a non-standard number (like 2222 or a random high port) to reduce automated brute-force login attempts, but this is security through obscurity rather than a real defense. The more effective protections are disabling password authentication in favor of SSH keys and using tools like fail2ban to block repeated failed login attempts.

Can I change the default port for a service?

Yes. Almost every network service allows you to configure which port it listens on. For example, you can run SSH on port 2222 instead of 22, or run a web server on port 9443 instead of 443. To do this, you modify the service’s configuration file (such as /etc/ssh/sshd_config for SSH or the listen directive in Nginx) and restart the service. Keep in mind that clients will need to specify the non-standard port when connecting, and you’ll need to update your firewall rules accordingly. Changing default ports can reduce automated scanning noise but should not be your primary security measure.

What are ephemeral ports?

Ephemeral ports (also called dynamic ports) are temporary port numbers assigned by the operating system for outbound connections. When your browser connects to a web server on port 443, your OS randomly assigns a high-numbered source port (typically from the range 49152–65535, though Linux often uses 32768–60999) to identify that specific connection. Once the connection closes, the ephemeral port is released back to the pool. You never need to configure ephemeral ports manually — the OS manages them automatically. They exist so that a single client can maintain many simultaneous connections to different servers (or even to the same server on the same port).

How do I know if a port is open on my server?

On Linux, run ss -tulnp to see all listening TCP and UDP ports along with the process that owns each one. On Windows, use netstat -an | findstr LISTENING or the PowerShell cmdlet Test-NetConnection -ComputerName localhost -Port 443. To check from an external perspective (what the internet can see), use nmap against your server’s public IP address or use our port reference tool. Remember that a port can be open locally but blocked by a firewall from external access — always test from the perspective that matters for your use case.
