
Common Port Numbers: Complete Reference for Developers

Every developer, DevOps engineer, and system administrator works with network ports daily. Firewall rules, Docker port mappings, security group configurations, connection strings - port numbers appear everywhere. This is your complete reference guide, from well-known system ports through database ports to security considerations and firewall best practices.

What Are Port Numbers?

A port number is a 16-bit unsigned integer (0–65535) that identifies a specific process or network service on a host. When a server has multiple services running - a web server, a database, an SSH daemon - ports allow the operating system to route incoming traffic to the correct process.

Together, an IP address and a port number form a socket - the endpoint of a network connection. The combination of local IP, local port, remote IP, and remote port uniquely identifies every active TCP connection on a system.

Port Number Ranges

  • 0–1023: Well-Known Ports (System Ports) - Assigned by IANA. Require root/admin privileges to bind on Unix-like systems. HTTP, HTTPS, SSH, FTP, DNS, etc.
  • 1024–49151: Registered Ports - Assigned by IANA for specific applications. Used by databases, middleware, and application servers.
  • 49152–65535: Dynamic/Ephemeral Ports - Assigned automatically by the OS as source ports for outgoing connections.

Web and HTTP Ports

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 80 | HTTP | TCP | Unencrypted web traffic. Should redirect to 443 in production. |
| 443 | HTTPS | TCP/UDP | TLS-encrypted HTTP. Also used for HTTP/3 (QUIC) over UDP. |
| 8080 | HTTP Alt | TCP | Common for development servers, proxies, and Tomcat. Not privileged. |
| 8443 | HTTPS Alt | TCP | Alternative HTTPS for development. Used by Tomcat, Kubernetes dashboards. |
| 3000 | Node.js / Dev | TCP | Default for React dev server, Express, Next.js. |
| 4200 | Angular Dev | TCP | Default port for Angular CLI dev server. |
| 5173 | Vite Dev | TCP | Default port for Vite development server. |

Remote Access and File Transfer

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 22 | SSH / SFTP / SCP | TCP | Secure Shell. Also tunnels SFTP and SCP. Target of brute force attacks - restrict to known IPs. |
| 21 | FTP Control | TCP | Unencrypted. Use SFTP (22) or FTPS (990) instead. |
| 20 | FTP Data | TCP | FTP active mode data transfer. Rarely used today. |
| 990 | FTPS | TCP | FTP over TLS (implicit). Preferred over plain FTP. |
| 3389 | RDP | TCP | Windows Remote Desktop. High-value attack target - never expose to the internet without VPN. |
| 5900 | VNC | TCP | Virtual Network Computing. Unencrypted - always tunnel over SSH. |

Database Ports

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 3306 | MySQL / MariaDB | TCP | Never expose to internet. Bind to 127.0.0.1 or use VPC/security groups. |
| 5432 | PostgreSQL | TCP | Default port. Binds to localhost by default. Use TLS for remote connections. |
| 1433 | Microsoft SQL Server | TCP | Heavily scanned by attackers. Restrict to internal network only. |
| 1521 | Oracle DB | TCP | Oracle Database listener port. |
| 27017 | MongoDB | TCP | Default port. Many breaches from internet-exposed instances without auth. |
| 6379 | Redis | TCP | No authentication by default in older versions. Never expose to internet. |
| 11211 | Memcached | TCP/UDP | Infamous for amplification DDoS attacks via UDP. Block UDP externally. |
| 9200 | Elasticsearch HTTP | TCP | Exposed instances have caused major data breaches. Always behind auth/VPC. |
| 5984 | CouchDB | TCP | CouchDB HTTP API. Admin interface accessible on same port. |

Email Ports

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 25 | SMTP | TCP | Server-to-server email relay. ISPs block outbound 25 to prevent spam. Not for client submission. |
| 587 | SMTP Submission | TCP | Authenticated email submission from clients. Use with STARTTLS. The correct port for sending email from your app. |
| 465 | SMTPS | TCP | SMTP over implicit TLS. Deprecated, then un-deprecated. Supported by most mail services alongside 587. |
| 110 | POP3 | TCP | Post Office Protocol v3. Downloads email to local client. Largely replaced by IMAP. |
| 995 | POP3S | TCP | POP3 over TLS. |
| 143 | IMAP | TCP | Internet Message Access Protocol. Keeps email on server, syncs across devices. |
| 993 | IMAPS | TCP | IMAP over TLS. Always use this instead of plain 143. |

Infrastructure and Network Services

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 53 | DNS | TCP/UDP | UDP for queries (<512 bytes), TCP for zone transfers and large responses. DNS over HTTPS uses 443. |
| 67/68 | DHCP | UDP | 67 (server), 68 (client). Dynamic IP address assignment. |
| 123 | NTP | UDP | Network Time Protocol. Critical for TLS cert validation, JWT expiry, TOTP codes. |
| 161/162 | SNMP | UDP | 161 (queries), 162 (traps). Network device monitoring. SNMPv1/v2 are insecure - use SNMPv3. |
| 514 | Syslog | UDP | System logging over network. No authentication - use TLS syslog (6514) for sensitive environments. |
| 389 | LDAP | TCP | Lightweight Directory Access Protocol. Use LDAPS (636) for encrypted connections. |
| 636 | LDAPS | TCP | LDAP over TLS. Required for production Active Directory / OpenLDAP. |
| 88 | Kerberos | TCP/UDP | Authentication protocol used by Active Directory and Hadoop. |

Container and Orchestration Ports

| Port | Service | Protocol | Notes |
| --- | --- | --- | --- |
| 2375 | Docker daemon (HTTP) | TCP | Unencrypted Docker API. Exposing this to the internet = full server compromise. Never expose. |
| 2376 | Docker daemon (TLS) | TCP | TLS-encrypted Docker daemon. Requires mutual TLS authentication. |
| 6443 | Kubernetes API | TCP | Kubernetes API server (HTTPS). Accessible via kubectl. |
| 10250 | Kubelet API | TCP | Node-level Kubelet API. Should be restricted to control plane IPs only. |
| 2379/2380 | etcd | TCP | Kubernetes key-value store. 2379 (client), 2380 (peer). Critical to protect - contains all cluster secrets. |
| 9090 | Prometheus | TCP | Default Prometheus metrics server port. |
| 3000 | Grafana | TCP | Default Grafana dashboard port. Change default admin password immediately. |

Firewall Rules: What to Block and What to Expose

As a general security principle, your firewall should block everything by default and only allow what is explicitly needed. Here are the standard rules for a web server:

```bash
# UFW rules for a typical web server
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow web traffic
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'

# Allow SSH from the internal range only (narrow this to a single admin IP or subnet where possible)
sudo ufw allow from 10.0.0.0/8 to any port 22 proto tcp comment 'SSH internal'

# Allow database from app servers only
sudo ufw allow from 10.10.0.0/16 to any port 5432 proto tcp comment 'PostgreSQL app tier'

# Enable last, after the SSH rule is in place, so the current session is not cut off
sudo ufw enable
```

Ports to Always Block from the Internet

  • 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), 6379 (Redis) - Database ports should never be internet-accessible. Use a bastion host or VPN for remote database access.
  • 2375 (Docker unencrypted) - Gives full root access to the server. Accounts for thousands of container escapes and cryptominer infections annually.
  • 23 (Telnet), 21 (FTP) - Transmit credentials in plaintext. Use SSH and SFTP instead.
  • 161 UDP (SNMP) - SNMPv1/v2 communities act as passwords but are often "public" or "private". Block externally and use SNMPv3 with authentication.
  • 9200 (Elasticsearch), 8500 (Consul), 4001 (etcd) - Infrastructure APIs with no authentication by default. Block all external access.

Checking Open Ports on Your Server

```bash
# List all listening ports and their processes
sudo ss -tlnp        # TCP listening (modern, preferred)
sudo netstat -tlnp   # TCP listening (legacy, still common)

# Check if a specific port is open
sudo ss -tlnp | grep ':3306'

# Scan open ports from outside (run from another machine)
nmap -sV -p 80,443,22,3306 your-server-ip

# Check if a remote port is reachable
nc -zv database.example.com 5432
# or
telnet database.example.com 5432
```

Run sudo nmap -sV your-server-ip from an external machine periodically to verify what is actually visible to the internet. Your firewall rules may allow less than you think - or more.
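
The two sections above can be combined into one local check. The following is an added example, not part of the original article: it reads `ss -tlnH` output and reports every port from the "always block" list whose listener is bound to something other than loopback. The function names and the sample socket lines are constructed for illustration.

```bash
#!/bin/sh
# Ports from the "Ports to Always Block from the Internet" list above.
SENSITIVE_PORTS="21 23 2375 3306 4001 5432 6379 8500 9200 27017"

# Reads `ss -tlnH` lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port)
# and prints "port bind-address" for each sensitive port that is listening on
# a non-loopback address. Whether such a listener is reachable from outside
# then depends entirely on the firewall; a loopback bind does not.
find_exposed_listeners() {
    awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)     # text before it
        sub(/%.*$/, "", addr)                    # drop scope: 127.0.0.53%lo
        gsub(/[][]/, "", addr)                   # [::1] -> ::1
        if (!(port in want)) next                # not on the block list
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        print port, addr
    }' | sort -n
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128   0.0.0.0:22       0.0.0.0:*
LISTEN 0 511   0.0.0.0:443      0.0.0.0:*
LISTEN 0 151   0.0.0.0:3306     0.0.0.0:*
LISTEN 0 244   127.0.0.1:5432   0.0.0.0:*
LISTEN 0 511   [::1]:6379       [::]:*
LISTEN 0 4096  *:2375           *:*
LISTEN 0 4096  [::]:9200        [::]:*
LISTEN 0 128   10.10.4.7:27017  0.0.0.0:*
EOF
}

# Demo on the constructed sample; flags 2375, 3306, 9200 and 27017.
sample_ss_output | find_exposed_listeners
```

On a real host, run `sudo ss -tlnH | find_exposed_listeners` and treat every line it prints as something to rebind to 127.0.0.1 or to confirm is covered by a deny rule.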

FAQ

What is the difference between TCP and UDP ports?

TCP (Transmission Control Protocol) is connection-oriented: it establishes a reliable, ordered connection before sending data and guarantees delivery. UDP (User Datagram Protocol) is connectionless: it sends packets without establishing a connection, without guaranteed delivery or ordering. TCP is used for applications where reliability matters (HTTP, SSH, databases). UDP is used where speed matters more than reliability (DNS, NTP, video streaming, gaming).

Why do I need root privileges to bind to port 80 or 443?

On Linux, ports below 1024 are "privileged" and require root to bind, as a security measure. This prevents unprivileged processes from impersonating system services. The modern solution is to run your web server on a high port (e.g., 3000 or 8080) and use a reverse proxy (Nginx) running as root to forward from 80/443. Alternatively, use setcap or authbind to grant specific port binding without full root access.

How do I change my SSH port to something other than 22?

Edit /etc/ssh/sshd_config and change or add Port 2222 (or any unused port above 1024). Restart sshd: sudo systemctl restart sshd. Update your firewall to allow the new port. This does not improve security meaningfully against targeted attacks but does reduce noise from automated port-22 scanners. Always ensure the new port works in a test session before closing your existing connection.

What ports does Docker expose by default?

Docker containers do not expose any ports by default. You explicitly map ports using -p host_port:container_port when running a container. The Docker daemon itself listens on a Unix socket (/var/run/docker.sock) by default, not a TCP port. TCP port 2375/2376 must be explicitly enabled - only do so if you need remote API access, and always use TLS (2376) with mutual certificate authentication.

How do I find what process is using a specific port?

```bash
# Find the process using port 3000
sudo lsof -i :3000
# or
sudo ss -tlnp | grep ':3000'
# or (Linux)
sudo fuser 3000/tcp
```

These commands show the PID and process name. On macOS, lsof -i :3000 works without sudo for your own processes.

Written by Usman Khan
DevOps Engineer | MSc Cybersecurity | CEH | AWS Solutions Architect

Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.