How to use this table
Type in the search box to filter instantly, by number (5432), by service (redis), or by keyword (mail). The list is deliberately curated to the ports that appear in real firewall rules, netstat output and security scans, rather than a dump of the full IANA registry.
Well-known, registered, ephemeral
Ports 0–1023 are the well-known range and require root (or CAP_NET_BIND_SERVICE) to bind on Unix, the reason your dev server defaults to 8080 rather than 80. Ports 1024–49151 are registered for specific applications by convention, and 49152–65535 are ephemeral, handed out to clients for the outbound side of connections. When ss -tlnp shows something listening on a high port, the ephemeral range is normal for established connections but suspicious for listeners.
A port open is a promise made
Every listening port is attack surface, and a handful of services in this table are involved in a disproportionate share of incidents when exposed publicly: Redis (6379) and Memcached (11211) historically shipped with no authentication, the plain Docker API (2375) is unauthenticated root on the host by design, and databases (3306, 5432, 27017) belong behind a firewall with application-only access. The rule of thumb: bind to 127.0.0.1 or a private interface unless the internet is genuinely the intended client, and even then put TLS and auth in front.
Checking what's actually open
From the host itself: ss -tulnp lists listeners with owning processes. From outside: nmap -sT host for TCP, adding -sU for UDP (slow but revealing). The delta between "what I think is open" and what nmap reports from an external network is one of the fastest security audits you can run, and only scan hosts you're authorised to test.