Open Port Reference & Local Probe
A working reference of TCP ports sysadmins encounter — what's supposed to be there, what's a known risk if it shows up open by accident, and what to do about it. Pair it with the local probe below: it'll quick-scan a handful of these ports on yourmachine and tell you which are open right now. The probe runs against your own IP only — there's no way to point it at someone else.
Local Probe
Quick-scan ~25 high-signal ports on your own IP via the relay (127.0.0.1:3030’s outbound). The relay will only ever dial youraddress — there's no input for a different target, by design.
Port Reference
130 of 130ports shown. Risk is opinion, not fact — it's the usual posture, not what's necessarily wrong on your network.
| Port | Protocol | Service | Risk | Notes |
|---|---|---|---|---|
| 80 | tcp | HTTP | Info | Unencrypted web. Redirect to HTTPS in production. |
| 443 | tcp | HTTPS | Info | TLS-encrypted web. The expected public port. |
| 8080 | tcp | HTTP-Alt | Low | Common dev/alt-web port (Tomcat, Jenkins, dev servers). |
| 8443 | tcp | HTTPS-Alt | Low | Alt HTTPS port for admin UIs (Jenkins, unifi). |
| 8000 | tcp | HTTP-Alt | Low | Django, Flask, Node dev server defaults. |
| 8888 | tcp | HTTP-Alt | High | Jupyter Notebook default. Public exposure is a known breach vector. |
| 3000 | tcp | Node dev | Medium | create-next-app default. Should never be public. |
| 5000 | tcp | Flask dev | Medium | Flask development server default. Public exposure = RCE if debug on. |
| 9090 | tcp | Prometheus | High | Prometheus metrics endpoint. No auth by default; expose internally only. |
| 9091 | tcp | Transmission | High | Transmission BitTorrent daemon web UI. Often unauthenticated. |
| 5601 | tcp | Kibana | High | Kibana dashboard. Often exposed without auth. |
| 9200 | tcp | Elasticsearch | Critical | Elasticsearch HTTP API. No auth by default in pre-7.x versions. |
| 22 | tcp | SSH | Info | Secure shell. Move off 22 to reduce scanner noise; key-only auth strongly recommended. |
| 2222 | tcp | SSH-Alt | Info | Common alt for SSH (Docker, dropbear, hosters that block 22). |
| 23 | tcp | Telnet | Critical | Unencrypted remote shell. Should never be on the public internet. Massive brute-force target. |
| 3389 | tcp | RDP | Critical | Windows Remote Desktop. Top ransomware vector; close or VPN-gate it. |
| 5900 | tcp | VNC | Critical | Virtual Network Computing desktop. Often password-only — strong brute-force target. |
| 5901 | tcp | VNC:1 | Critical | VNC display :1. See 5900. |
| 25 | tcp | SMTP | Low | Outbound mail submission. Most residential ISPs block outbound 25. |
| 465 | tcp | SMTPS | Info | SMTP over TLS (legacy 'SMTPS' wrap). Submission with implicit TLS. |
| 587 | tcp | Submission | Info | Mail submission (MSA). The right port for outbound mail from apps. |
| 110 | tcp | POP3 | Medium | POP3 mail retrieval. Unencrypted passwords on the wire by default. |
| 995 | tcp | POP3S | Info | POP3 over TLS. Use this instead of 110. |
| 143 | tcp | IMAP | Medium | IMAP mail retrieval. Unencrypted by default. |
| 993 | tcp | IMAPS | Info | IMAP over TLS. Use this instead of 143. |
| 53 | both | DNS | Medium | DNS (UDP small queries, TCP zone transfers + large). TCP/53 open to the world = cache-poisoning target. |
| 3306 | tcp | MySQL | Critical | MySQL/MariaDB. Public exposure = constant brute-force. |
| 5432 | tcp | PostgreSQL | Critical | PostgreSQL. Public exposure = constant brute-force. |
| 1433 | tcp | MSSQL | Critical | Microsoft SQL Server. Brute-force target; should be internal-only. |
| 1521 | tcp | Oracle DB | Critical | Oracle Database TNS listener. CVE-rich history. |
| 27017 | tcp | MongoDB | Critical | MongoDB. Pre-auth RCE via 2017's "MongoDB Apocalypse" wiped thousands of exposed instances. |
| 6379 | tcp | Redis | Critical | Redis. No auth by default historically; RCE if exposed. |
| 11211 | both | Memcached | Critical | Memcached. UDP reflection amplifier (DDoS abuse). Patch or firewall. |
| 5984 | tcp | CouchDB | High | CouchDB HTTP API. Often admin-less on first install. |
| 8529 | tcp | ArangoDB | High | ArangoDB. Internal-only by default. |
| 9200 | tcp | Elasticsearch | Critical | See Elasticsearch entry under Web. |
| 21 | tcp | FTP | High | FTP. Unencrypted credentials and data — use SFTP (SSH) instead. |
| 22 | tcp | SFTP | Info | SFTP rides on SSH (port 22). The right answer for file transfer. |
| 990 | tcp | FTPS | Low | FTP over TLS. Less common than SFTP. |
| 69 | udp | TFTP | Critical | Trivial FTP. No auth, ever. IoT firmware-update vector. |
| 2049 | both | NFS | High | Network File System. UID-based trust — dangerous across the internet. |
| 445 | tcp | SMB | Critical | Server Message Block (Windows file sharing). EternalBlue (CVE-2017-0144) — never public. |
| 139 | tcp | NetBIOS | Critical | NetBIOS session. Legacy Windows sharing. Should not be exposed. |
| 137 | udp | NetBIOS-NS | Medium | NetBIOS name service. Information disclosure (hostnames, users). |
| 138 | udp | NetBIOS-DGM | Medium | NetBIOS datagram. See 137. |
| 81 | tcp | HTTP-Alt | Medium | Alt HTTP. Hosts config panel (e.g. Mikrotik). |
| 82 | tcp | HTTP-Alt | Medium | Alt HTTP. |
| 83 | tcp | HTTP-Alt | Medium | Alt HTTP. |
| 3001 | tcp | Node Alt | Low | Common Node/Grafana alt port. |
| 3333 | tcp | Node Alt | Medium | create-react-app / Express dev default. Dev only. |
| 4000 | tcp | Rails/Deno | Low | Rails dev / Deno default. Dev only. |
| 4200 | tcp | Angular dev | Low | Angular CLI dev server. Dev only. |
| 5173 | tcp | Vite dev | Low | Vite dev server. Dev only. |
| 8008 | tcp | HTTP-Alt | Low | Various alt (Gitea default uses this). |
| 8081 | tcp | HTTP-Alt | Low | Cockpit web UI, various dev tools. |
| 8082 | tcp | HTTP-Alt | Low | Various alt. |
| 8083 | tcp | HTTP-Alt | Low | Various alt. |
| 8086 | tcp | InfluxDB | High | InfluxDB v1 API. Default has no auth. |
| 8088 | tcp | HTTP-Alt | Low | Various (Home Assistant alt). |
| 8090 | tcp | HTTP-Alt | Low | Various (Confluence, Home Assistant). |
| 8983 | tcp | Solr | High | Apache Solr admin. Common target for RCE chains. |
| 5672 | tcp | AMQP | Medium | RabbitMQ AMQP. Internal-only by default. |
| 15672 | tcp | RabbitMQ Mgmt | High | RabbitMQ management UI. Often guest/guest on default install. |
| 6379 | tcp | Redis | Critical | See Redis under databases. |
| 9092 | tcp | Kafka | Medium | Apache Kafka broker. Internal-only. |
| 2181 | tcp | ZooKeeper | Critical | Apache ZooKeeper. No auth by default — never public. |
| 4226 | tcp | NATS | High | NATS messaging. No auth on default. |
| 2375 | tcp | Docker API | Critical | Docker daemon (unauthenticated). RCE-as-a-service if public. |
| 2376 | tcp | Docker TLS | Medium | Docker daemon with TLS. Better, but check the cert. |
| 6443 | tcp | Kube API | Critical | Kubernetes API server. Public = full cluster takeover. |
| 10250 | tcp | Kubelet | Critical | Kubelet API. Anonymous-auth-by-default on old clusters (CVE-2018-1002100). |
| 10255 | tcp | Kubelet RO | Critical | Kubelet read-only. Anonymous metrics endpoint. |
| 8080 | tcp | Jenkins | High | Jenkins default. Often unauthenticated; Groovy RCE history. |
| 9418 | tcp | Git | Medium | Git daemon (anonymous read). Use authenticated fetch instead. |
| 5000 | tcp | Docker Reg | High | Docker registry v2 (unauthenticated). Source of supply-chain attacks. |
| 8200 | tcp | Vault | Medium | HashiCorp Vault HTTP API. |
| 8500 | tcp | Consul | High | HashiCorp Consul HTTP. ACL-token required but frequently misconfigured. |
| 8600 | both | Consul DNS | Medium | Consul DNS. |
| 161 | udp | SNMP | Critical | SNMP. Default community string "public" exposes everything. |
| 162 | udp | SNMP-Trap | Medium | SNMP trap receiver. |
| 199 | tcp | SNMP-SMux | Low | SNMP multiplexing. Rarely seen; legacy. |
| 514 | udp | Syslog | Medium | Syslog (UDP). Plaintext logs — fine internally, risky over WAN. |
| 601 | tcp | Syslog-TLS | Info | Syslog over TLS (RFC 5425). Use this for cross-WAN syslog. |
| 6514 | tcp | Syslog-TLS | Info | IETF syslog over TLS. Standard port. |
| 389 | tcp | LDAP | High | LDAP (unencrypted). Cross-WAN exposure leaks directory structure. |
| 636 | tcp | LDAPS | Info | LDAP over TLS. Use this instead of 389. |
| 3268 | tcp | LDAP GC | High | Global Catalog (Active Directory). Internal-only. |
| 3269 | tcp | LDAPS GC | Info | Global Catalog over TLS. |
| 88 | both | Kerberos | High | Kerberos. Internal-only; DC exposure = full AD compromise. |
| 464 | both | Kerberos-Set | High | Kerberos password-change protocol. |
| 123 | udp | NTP | Medium | Network Time Protocol. Old NTPd versions = NTP amplification DDoS. |
| 161 | udp | SNMP | Critical | See SNMP above. |
| 179 | tcp | BGP | Critical | BGP. Almost never legitimate on a public port; ISP/peering only. |
| 520 | udp | RIP | High | RIP routing. Legacy, almost always internal. |
| 521 | udp | RIPng | High | RIPng (IPv6). |
| 3546 | udp | L2TP | Medium | L2TP. Often paired with IPsec. |
| 1701 | udp | L2TP | Medium | L2TP (UDP). |
| 500 | udp | IKE | High | IKEv1 (IPsec). Should not be exposed to the world. |
| 4500 | udp | IKE-NAT | High | IPsec NAT traversal. Internal/edge only. |
| 1194 | udp | OpenVPN | Low | OpenVPN default. |
| 443 | tcp | WireGuard (often) | Info | WireGuard doesn't have an official port; commonly run on 443 to bypass firewalls. |
| 51820 | udp | WireGuard | Low | WireGuard default (informal). |
| 1080 | tcp | SOCKS | High | SOCKS proxy. Misconfigured = open relay. |
| 3128 | tcp | Squid | High | Squid HTTP proxy. Default configs often allow LAN-only; misconfiguration = open relay. |
| 8080 | tcp | Squid Alt | Medium | Common Squid alt port. |
| 3074 | both | Xbox Live | Info | Xbox Live / PSN networking. |
| 3478 | both | PSN/STUN | Info | PlayStation Network / STUN. |
| 3479 | both | PSN | Info | PlayStation Network. |
| 3724 | tcp | WoW | Info | World of Warcraft. |
| 6112 | both | Battle.net | Info | Battle.net gaming. |
| 27015 | both | Steam | Info | Steam game traffic. Also Source-engine dedicated server default. |
| 25565 | tcp | Minecraft | Info | Minecraft default. |
| 25575 | tcp | Minecraft RCON | High | Minecraft RCON. Should not be public (RCE history). |
| 80 | tcp | Webcam | High | Most cheap webcams serve HTTP/80 for config. Often default-creds. |
| 554 | tcp | RTSP | High | Real-Time Streaming Protocol. Webcam/streaming default; unauth by default often. |
| 8080 | tcp | Webcam Alt | High | Common webcam alt. |
| 9100 | tcp | RAW Print | High | JetDirect-style raw printing. PJL commands = RCE on older printers (CVE-2021-34527 PrintNightmare-adjacent). |
| 515 | tcp | LPD | Medium | Line Printer Daemon (legacy). |
| 631 | tcp | IPP | Medium | Internet Printing Protocol (CUPS). External exposure rare but PPD-injection RCE (2024) showed up. |
| 5060 | both | SIP | High | Session Initiation Protocol (VoIP). UDP reflection amplifier. |
| 5061 | tcp | SIPS | Low | SIP over TLS. |
| 69 | udp | TFTP | Critical | Trivial FTP — no auth, ever. See /tftp entry. |
| 111 | both | RPCBind | High | RPCBind / portmapper. Information disclosure + DDoS amplifier. |
| 135 | tcp | MS-RPC | High | Microsoft RPC endpoint mapper. Internal-only. |
| 119 | tcp | NNTP | Info | Usenet news. |
| 1812 | udp | RADIUS | Medium | RADIUS auth. |
| 1813 | udp | RADIUS Acct | Medium | RADIUS accounting. |
| 5000 | tcp | UPnP | High | UPnP eventing (often uses 5000). Old UPnP implementations = RCE. |
| 1900 | udp | UPnP SSDP | High | SSDP. DDoS amplification vector — see 2018 US-CERT advisory. |
| 5353 | udp | mDNS | Low | Multicast DNS. Internal only by design (mDNS isn't routable but watch for LLMNR-style abuse). |
Related reading
- How to read an open port (and when to actually worry)An 'open port' isn't a vulnerability by itself — it's information. Here's how to tell whether a port being open is fine, suspicious, or actively dangerous, and what to do about each case.
- How to check DNS propagation (and how long it actually takes)Just changed an A record and your friend in another country still sees the old site? That's DNS propagation. Here's how to verify when it's actually done — and how long it can take.
- How to do a DNS lookup (and why you'd want to)DNS lookups are the first step in almost every network troubleshooting flow. Here's how they work, the record types that matter, and how to run them from your browser.