sysadmintools

Open Port Reference & Local Probe

A working reference of TCP ports sysadmins encounter — what's supposed to be there, what's a known risk if it shows up open by accident, and what to do about it. Pair it with the local probe below: it'll quick-scan a handful of these ports on your machine and tell you which are open right now. The probe runs against your own IP only — there's no way to point it at someone else.

Local Probe

Quick-scan ~25 high-signal ports on your own IP via the relay (127.0.0.1:3030’s outbound). The relay will only ever dial your address — there's no input for a different target, by design.
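
One way to enforce the "own address only" rule described above, as an added example (not the site's relay code): the target comes from the accepted connection's peer address, and a request that names a target is rejected. The function names, the rejected field names and the four-port subset are assumptions for illustration. It also assumes the relay accepts client connections directly rather than behind a proxy.

```python
import ipaddress
import socket

# Constructed subset of the reference table: port -> (service, risk).
HIGH_SIGNAL = {22: ("SSH", "Info"), 23: ("Telnet", "Critical"),
               3389: ("RDP", "Critical"), 6379: ("Redis", "Critical")}

# Hypothetical request field names that would let a caller name a target.
TARGET_FIELDS = {"target", "host", "ip", "addr"}


def pinned_target(peer_addr, request_fields):
    """Return the only address the relay may dial: the caller's own.

    peer_addr is the (ip, port, ...) tuple from socket.accept(). A request
    that names a target is rejected outright instead of silently ignored,
    so the attempt shows up as an error the operator can log.
    """
    named = TARGET_FIELDS & {key.lower() for key in request_fields}
    if named:
        raise ValueError(f"request may not name a target: {sorted(named)}")
    # Validates that the peer address is an IP literal (no DNS lookups later).
    return str(ipaddress.ip_address(peer_addr[0]))


def probe(peer_addr, request_fields, ports=HIGH_SIGNAL, timeout=0.5):
    """TCP-connect to each port on the caller's own address.

    Returns {port: True if the connection was accepted, else False}.
    """
    target = pinned_target(peer_addr, request_fields)
    family = socket.AF_INET6 if ":" in target else socket.AF_INET
    results = {}
    for port in sorted(ports):
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success and an errno otherwise.
            results[port] = sock.connect_ex((target, port)) == 0
    return results


if __name__ == "__main__":
    # Constructed request: the peer tuple stands in for socket.accept()'s.
    for port, is_open in probe(("127.0.0.1", 50000), {}).items():
        service, risk = HIGH_SIGNAL[port]
        print(f"{port:>5} {service:<7} {risk:<8} {'open' if is_open else 'closed'}")
```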

Port Reference

130 of 130 ports shown. Risk is opinion, not fact — it's the usual posture, not what's necessarily wrong on your network.

| Port | Protocol | Service | Risk | Notes |
|---|---|---|---|---|
| 80 | tcp | HTTP | Info | Unencrypted web. Redirect to HTTPS in production. |
| 443 | tcp | HTTPS | Info | TLS-encrypted web. The expected public port. |
| 8080 | tcp | HTTP-Alt | Low | Common dev/alt-web port (Tomcat, Jenkins, dev servers). |
| 8443 | tcp | HTTPS-Alt | Low | Alt HTTPS port for admin UIs (Jenkins, unifi). |
| 8000 | tcp | HTTP-Alt | Low | Django, Flask, Node dev server defaults. |
| 8888 | tcp | HTTP-Alt | High | Jupyter Notebook default. Public exposure is a known breach vector. |
| 3000 | tcp | Node dev | Medium | create-next-app default. Should never be public. |
| 5000 | tcp | Flask dev | Medium | Flask development server default. Public exposure = RCE if debug on. |
| 9090 | tcp | Prometheus | High | Prometheus metrics endpoint. No auth by default; expose internally only. |
| 9091 | tcp | Transmission | High | Transmission BitTorrent daemon web UI. Often unauthenticated. |
| 5601 | tcp | Kibana | High | Kibana dashboard. Often exposed without auth. |
| 9200 | tcp | Elasticsearch | Critical | Elasticsearch HTTP API. No auth by default in pre-7.x versions. |
| 22 | tcp | SSH | Info | Secure shell. Move off 22 to reduce scanner noise; key-only auth strongly recommended. |
| 2222 | tcp | SSH-Alt | Info | Common alt for SSH (Docker, dropbear, hosters that block 22). |
| 23 | tcp | Telnet | Critical | Unencrypted remote shell. Should never be on the public internet. Massive brute-force target. |
| 3389 | tcp | RDP | Critical | Windows Remote Desktop. Top ransomware vector; close or VPN-gate it. |
| 5900 | tcp | VNC | Critical | Virtual Network Computing desktop. Often password-only — strong brute-force target. |
| 5901 | tcp | VNC:1 | Critical | VNC display :1. See 5900. |
| 25 | tcp | SMTP | Low | Outbound mail submission. Most residential ISPs block outbound 25. |
| 465 | tcp | SMTPS | Info | SMTP over TLS (legacy 'SMTPS' wrap). Submission with implicit TLS. |
| 587 | tcp | Submission | Info | Mail submission (MSA). The right port for outbound mail from apps. |
| 110 | tcp | POP3 | Medium | POP3 mail retrieval. Unencrypted passwords on the wire by default. |
| 995 | tcp | POP3S | Info | POP3 over TLS. Use this instead of 110. |
| 143 | tcp | IMAP | Medium | IMAP mail retrieval. Unencrypted by default. |
| 993 | tcp | IMAPS | Info | IMAP over TLS. Use this instead of 143. |
| 53 | both | DNS | Medium | DNS (UDP small queries, TCP zone transfers + large). TCP/53 open to the world = cache-poisoning target. |
| 3306 | tcp | MySQL | Critical | MySQL/MariaDB. Public exposure = constant brute-force. |
| 5432 | tcp | PostgreSQL | Critical | PostgreSQL. Public exposure = constant brute-force. |
| 1433 | tcp | MSSQL | Critical | Microsoft SQL Server. Brute-force target; should be internal-only. |
| 1521 | tcp | Oracle DB | Critical | Oracle Database TNS listener. CVE-rich history. |
| 27017 | tcp | MongoDB | Critical | MongoDB. Pre-auth RCE via 2017's "MongoDB Apocalypse" wiped thousands of exposed instances. |
| 6379 | tcp | Redis | Critical | Redis. No auth by default historically; RCE if exposed. |
| 11211 | both | Memcached | Critical | Memcached. UDP reflection amplifier (DDoS abuse). Patch or firewall. |
| 5984 | tcp | CouchDB | High | CouchDB HTTP API. Often admin-less on first install. |
| 8529 | tcp | ArangoDB | High | ArangoDB. Internal-only by default. |
| 9200 | tcp | Elasticsearch | Critical | See Elasticsearch entry under Web. |
| 21 | tcp | FTP | High | FTP. Unencrypted credentials and data — use SFTP (SSH) instead. |
| 22 | tcp | SFTP | Info | SFTP rides on SSH (port 22). The right answer for file transfer. |
| 990 | tcp | FTPS | Low | FTP over TLS. Less common than SFTP. |
| 69 | udp | TFTP | Critical | Trivial FTP. No auth, ever. IoT firmware-update vector. |
| 2049 | both | NFS | High | Network File System. UID-based trust — dangerous across the internet. |
| 445 | tcp | SMB | Critical | Server Message Block (Windows file sharing). EternalBlue (CVE-2017-0144) — never public. |
| 139 | tcp | NetBIOS | Critical | NetBIOS session. Legacy Windows sharing. Should not be exposed. |
| 137 | udp | NetBIOS-NS | Medium | NetBIOS name service. Information disclosure (hostnames, users). |
| 138 | udp | NetBIOS-DGM | Medium | NetBIOS datagram. See 137. |
| 81 | tcp | HTTP-Alt | Medium | Alt HTTP. Hosts config panel (e.g. Mikrotik). |
| 82 | tcp | HTTP-Alt | Medium | Alt HTTP. |
| 83 | tcp | HTTP-Alt | Medium | Alt HTTP. |
| 3001 | tcp | Node Alt | Low | Common Node/Grafana alt port. |
| 3333 | tcp | Node Alt | Medium | create-react-app / Express dev default. Dev only. |
| 4000 | tcp | Rails/Deno | Low | Rails dev / Deno default. Dev only. |
| 4200 | tcp | Angular dev | Low | Angular CLI dev server. Dev only. |
| 5173 | tcp | Vite dev | Low | Vite dev server. Dev only. |
| 8008 | tcp | HTTP-Alt | Low | Various alt (Gitea default uses this). |
| 8081 | tcp | HTTP-Alt | Low | Cockpit web UI, various dev tools. |
| 8082 | tcp | HTTP-Alt | Low | Various alt. |
| 8083 | tcp | HTTP-Alt | Low | Various alt. |
| 8086 | tcp | InfluxDB | High | InfluxDB v1 API. Default has no auth. |
| 8088 | tcp | HTTP-Alt | Low | Various (Home Assistant alt). |
| 8090 | tcp | HTTP-Alt | Low | Various (Confluence, Home Assistant). |
| 8983 | tcp | Solr | High | Apache Solr admin. Common target for RCE chains. |
| 5672 | tcp | AMQP | Medium | RabbitMQ AMQP. Internal-only by default. |
| 15672 | tcp | RabbitMQ Mgmt | High | RabbitMQ management UI. Often guest/guest on default install. |
| 6379 | tcp | Redis | Critical | See Redis under databases. |
| 9092 | tcp | Kafka | Medium | Apache Kafka broker. Internal-only. |
| 2181 | tcp | ZooKeeper | Critical | Apache ZooKeeper. No auth by default — never public. |
| 4226 | tcp | NATS | High | NATS messaging. No auth on default. |
| 2375 | tcp | Docker API | Critical | Docker daemon (unauthenticated). RCE-as-a-service if public. |
| 2376 | tcp | Docker TLS | Medium | Docker daemon with TLS. Better, but check the cert. |
| 6443 | tcp | Kube API | Critical | Kubernetes API server. Public = full cluster takeover. |
| 10250 | tcp | Kubelet | Critical | Kubelet API. Anonymous-auth-by-default on old clusters (CVE-2018-1002100). |
| 10255 | tcp | Kubelet RO | Critical | Kubelet read-only. Anonymous metrics endpoint. |
| 8080 | tcp | Jenkins | High | Jenkins default. Often unauthenticated; Groovy RCE history. |
| 9418 | tcp | Git | Medium | Git daemon (anonymous read). Use authenticated fetch instead. |
| 5000 | tcp | Docker Reg | High | Docker registry v2 (unauthenticated). Source of supply-chain attacks. |
| 8200 | tcp | Vault | Medium | HashiCorp Vault HTTP API. |
| 8500 | tcp | Consul | High | HashiCorp Consul HTTP. ACL-token required but frequently misconfigured. |
| 8600 | both | Consul DNS | Medium | Consul DNS. |
| 161 | udp | SNMP | Critical | SNMP. Default community string "public" exposes everything. |
| 162 | udp | SNMP-Trap | Medium | SNMP trap receiver. |
| 199 | tcp | SNMP-SMux | Low | SNMP multiplexing. Rarely seen; legacy. |
| 514 | udp | Syslog | Medium | Syslog (UDP). Plaintext logs — fine internally, risky over WAN. |
| 601 | tcp | Syslog-TLS | Info | Syslog over TLS (RFC 5425). Use this for cross-WAN syslog. |
| 6514 | tcp | Syslog-TLS | Info | IETF syslog over TLS. Standard port. |
| 389 | tcp | LDAP | High | LDAP (unencrypted). Cross-WAN exposure leaks directory structure. |
| 636 | tcp | LDAPS | Info | LDAP over TLS. Use this instead of 389. |
| 3268 | tcp | LDAP GC | High | Global Catalog (Active Directory). Internal-only. |
| 3269 | tcp | LDAPS GC | Info | Global Catalog over TLS. |
| 88 | both | Kerberos | High | Kerberos. Internal-only; DC exposure = full AD compromise. |
| 464 | both | Kerberos-Set | High | Kerberos password-change protocol. |
| 123 | udp | NTP | Medium | Network Time Protocol. Old NTPd versions = NTP amplification DDoS. |
| 161 | udp | SNMP | Critical | See SNMP above. |
| 179 | tcp | BGP | Critical | BGP. Almost never legitimate on a public port; ISP/peering only. |
| 520 | udp | RIP | High | RIP routing. Legacy, almost always internal. |
| 521 | udp | RIPng | High | RIPng (IPv6). |
| 3546 | udp | L2TP | Medium | L2TP. Often paired with IPsec. |
| 1701 | udp | L2TP | Medium | L2TP (UDP). |
| 500 | udp | IKE | High | IKEv1 (IPsec). Should not be exposed to the world. |
| 4500 | udp | IKE-NAT | High | IPsec NAT traversal. Internal/edge only. |
| 1194 | udp | OpenVPN | Low | OpenVPN default. |
| 443 | tcp | WireGuard (often) | Info | WireGuard doesn't have an official port; commonly run on 443 to bypass firewalls. |
| 51820 | udp | WireGuard | Low | WireGuard default (informal). |
| 1080 | tcp | SOCKS | High | SOCKS proxy. Misconfigured = open relay. |
| 3128 | tcp | Squid | High | Squid HTTP proxy. Default configs often allow LAN-only; misconfiguration = open relay. |
| 8080 | tcp | Squid Alt | Medium | Common Squid alt port. |
| 3074 | both | Xbox Live | Info | Xbox Live / PSN networking. |
| 3478 | both | PSN/STUN | Info | PlayStation Network / STUN. |
| 3479 | both | PSN | Info | PlayStation Network. |
| 3724 | tcp | WoW | Info | World of Warcraft. |
| 6112 | both | Battle.net | Info | Battle.net gaming. |
| 27015 | both | Steam | Info | Steam game traffic. Also Source-engine dedicated server default. |
| 25565 | tcp | Minecraft | Info | Minecraft default. |
| 25575 | tcp | Minecraft RCON | High | Minecraft RCON. Should not be public (RCE history). |
| 80 | tcp | Webcam | High | Most cheap webcams serve HTTP/80 for config. Often default-creds. |
| 554 | tcp | RTSP | High | Real-Time Streaming Protocol. Webcam/streaming default; unauth by default often. |
| 8080 | tcp | Webcam Alt | High | Common webcam alt. |
| 9100 | tcp | RAW Print | High | JetDirect-style raw printing. PJL commands = RCE on older printers (CVE-2021-34527 PrintNightmare-adjacent). |
| 515 | tcp | LPD | Medium | Line Printer Daemon (legacy). |
| 631 | tcp | IPP | Medium | Internet Printing Protocol (CUPS). External exposure rare but PPD-injection RCE (2024) showed up. |
| 5060 | both | SIP | High | Session Initiation Protocol (VoIP). UDP reflection amplifier. |
| 5061 | tcp | SIPS | Low | SIP over TLS. |
| 69 | udp | TFTP | Critical | Trivial FTP — no auth, ever. See /tftp entry. |
| 111 | both | RPCBind | High | RPCBind / portmapper. Information disclosure + DDoS amplifier. |
| 135 | tcp | MS-RPC | High | Microsoft RPC endpoint mapper. Internal-only. |
| 119 | tcp | NNTP | Info | Usenet news. |
| 1812 | udp | RADIUS | Medium | RADIUS auth. |
| 1813 | udp | RADIUS Acct | Medium | RADIUS accounting. |
| 5000 | tcp | UPnP | High | UPnP eventing (often uses 5000). Old UPnP implementations = RCE. |
| 1900 | udp | UPnP SSDP | High | SSDP. DDoS amplification vector — see 2018 US-CERT advisory. |
| 5353 | udp | mDNS | Low | Multicast DNS. Internal only by design (mDNS isn't routable but watch for LLMNR-style abuse). |
