ops@toolbox:~$ portreference --run

Common Ports Reference

Searchable table of the network ports sysadmins actually meet, with notes.

PortServiceNotes
20/tcpFTP dataFile transfer, active mode data channel
21/tcpFTP controlFile transfer commands; plaintext, prefer SFTP
22/tcpSSH / SFTP / SCPSecure shell, file transfer, tunnels
23/tcpTelnetLegacy remote shell; plaintext, should be disabled
25/tcpSMTPServer-to-server mail delivery
53/tcp+udpDNSName resolution; TCP for large responses and zone transfers
67-68/udpDHCPAddress assignment (server 67, client 68)
69/udpTFTPTrivial FTP; PXE boot, network device firmware
80/tcpHTTPUnencrypted web traffic
110/tcpPOP3Legacy mail retrieval
123/udpNTPTime synchronisation
135/tcpMS RPCWindows RPC endpoint mapper
137-139NetBIOSLegacy Windows name service and sessions
143/tcpIMAPMail retrieval
161-162/udpSNMPMonitoring polls (161) and traps (162)
389/tcpLDAPDirectory services; plaintext or StartTLS
443/tcpHTTPSTLS web traffic; also HTTP/3 over 443/udp (QUIC)
445/tcpSMBWindows/Samba file sharing
465/tcpSMTPSMail submission over implicit TLS
514/udpSyslogLog forwarding (601/tcp and 6514/tls also common)
587/tcpSMTP submissionAuthenticated mail submission with StartTLS
636/tcpLDAPSLDAP over TLS
853/tcpDNS over TLSEncrypted DNS
873/tcprsyncrsync daemon mode
993/tcpIMAPSIMAP over TLS
995/tcpPOP3SPOP3 over TLS
1194/udpOpenVPNDefault OpenVPN port
1433/tcpMS SQL ServerMicrosoft SQL database
1521/tcpOracle DBOracle listener
2049/tcpNFSNetwork File System
2375-2376/tcpDocker APIUnencrypted (2375, never expose) and TLS (2376)
3000/tcpDev servers / GrafanaCommon web app dev port; Grafana default
3128/tcpSquid proxyHTTP proxy default
3306/tcpMySQL / MariaDBDatabase
3389/tcpRDPWindows Remote Desktop
4369/tcpEPMDErlang port mapper (RabbitMQ clustering)
5060-5061SIPVoIP signalling (5061 = TLS)
5432/tcpPostgreSQLDatabase
5601/tcpKibanaElastic dashboard
5672/tcpAMQP / RabbitMQMessage queue
5900/tcpVNCRemote desktop (display :0)
6379/tcpRedisIn-memory store; bind to localhost or firewall it
6443/tcpKubernetes APIkube-apiserver
8080/tcpHTTP altProxies, Tomcat, dev servers
8443/tcpHTTPS altAlternative TLS web port
9000/tcpSonarQube / PHP-FPMAlso MinIO console, Portainer edge
9090/tcpPrometheusMetrics server UI
9092/tcpKafkaBroker client port
9100/tcpnode_exporterPrometheus host metrics
9200/tcpElasticsearchREST API
10250/tcpkubeletKubernetes node agent API
11211/tcpMemcachedCache; never expose publicly
27017/tcpMongoDBDatabase

How to use this table

Type in the search box to filter instantly, by number (5432), by service (redis), or by keyword (mail). The list is deliberately curated to the ports that appear in real firewall rules, netstat output and security scans, rather than a dump of the full IANA registry.

Well-known, registered, ephemeral

Ports 0–1023 are the well-known range and require root (or CAP_NET_BIND_SERVICE) to bind on Unix, the reason your dev server defaults to 8080 rather than 80. Ports 1024–49151 are registered for specific applications by convention, and 49152–65535 are ephemeral, handed out to clients for the outbound side of connections. When ss -tlnp shows something listening on a high port, the ephemeral range is normal for established connections but suspicious for listeners.

A port open is a promise made

Every listening port is attack surface, and a handful of services in this table are involved in a disproportionate share of incidents when exposed publicly: Redis (6379) and Memcached (11211) historically shipped with no authentication, the plain Docker API (2375) is unauthenticated root on the host by design, and databases (3306, 5432, 27017) belong behind a firewall with application-only access. The rule of thumb: bind to 127.0.0.1 or a private interface unless the internet is genuinely the intended client, and even then put TLS and auth in front.

Checking what's actually open

From the host itself: ss -tulnp lists listeners with owning processes. From outside: nmap -sT host for TCP, adding -sU for UDP (slow but revealing). The delta between "what I think is open" and what nmap reports from an external network is one of the fastest security audits you can run, and only scan hosts you're authorised to test.

Related tools

Subnet Calculator
IPv4 CIDR calculator: network, broadcast, host range, mask and host count.
HTTP Status Codes
Searchable HTTP status code reference with debugging notes for each code.
IPv6 Calculator
Expand, compress and subnet IPv6 addresses: network, range and address count.
IP Range → CIDR Converter
Convert an IPv4 address range into the minimal list of CIDR blocks.