Below is a short description of some various TCP/UDP ports in use on the internet. This information can be very useful during the configuration of a firewall. This description is in no way complete. At first, I wanted to make a complete list of ports that I had been attacked on, but that job has proven to be too tedious, so now this page only contains the most important ports. A complete list of ports and their use can be found at Neohapsis.
Whenever I write that a port should be "closed", what I really mean is that it should be "hidden" (stealthed) completely from the internet. A port appearing not even to exist is far better than a port simply refusing to accept connections. This is due to various reasons, that will not be covered here. Just remember, if you have a client PC, it should in theory be completely hidden from other machines on the internet, except when YOU want to connect to something. If you have a server, only ports pertaining to the services the server provide, should be visible to the internet. This also goes for ports that you don't use! Otherwise, you may be vulnerable to attacks by "trojans", who creates a backdoor into your system through an unused port.
20
FTP data link.
This port it probably the toughest one to configure, so I have assigned a
separate page on FTP configuration in a firewall.
See also port 21.
21
FTP.
This port should only be open, if you have a FTP server installed.
See also port 20.
23
Telnet
Should only be open, if you have a telnet server installed, and you are sure
your security is fine.
25
SMTP.
Should only be open, if you have a mail server installed.
This port is used to deliver mail.
Be carefull, that the mail server is not configured as an open relay, this is
how most of the spam on the internet gets around!
Don't be a part of it!
Your mail server should only forward mails coming from YOU.
See also port 110 and 143.
53
DNS. Used for domain name resolving.
You should allow your applications to do outbound UDP and TCP traffic to port
53 and inbound UDP traffic from port 53, or they will not be able to find
anything on the internet.
However, unless you have a registered DNS server (and you probably don't!),
there is no reason to allow inbound traffic to port 53, neither UDP or TCP.
Don't let everybody use YOUR DNS server, if you have one at all.
Note that both UDP and TCP outbound to port 53 should be allowed.
If an application wants to resolve something, it sends UDP packets to the
DNS servers configured in the TCP/IP protocol (probably just your ISP's name
servers).
If the response is larger than 512 bytes, which is what fits in a UDP packet,
it will try again using TCP.
Note that a reply from a UDP port 53 may arrive so late, that the originating
port is closed in the meantime.
This may cause the firewall to complain about such a reply.
A way around it is to simply allow all UDP packets from port 53 to any
application, even if the port is not currently open.
If you don't like that, you can also disallow all UDP packets from port 53,
but then you have to make sure your firewall is configured to allow such
packets to applications that actually need them, BEFORE it applies the
disallow rule.
See also how to set up a firewall for a DNS server
79
Finger.
Should only be open, if you have a finger server installed.
This protocol is not used much anymore.
80
HTTP.
Should only be open, if you have a web server installed.
Note, that some versions of windows and other programs may
automatically install a web server, so this is obviously an easy point
of attack, especially since IIS is such a buggy product.
Make sure to disable access to this port from the internet - except on your
web server, of course.
See also port 443.
110
POP3.
Should only be open, if you have a mail server installed.
This port is used to fetch mail from a mail server.
If you do indeed have a mail server installed, you should block this port from
the internet only, unless you have "clients" on the internet, who want to get
their mail.
In that case, some other security measures should be applied.
You don't want just anybody to read your mail!
113
IDENT.
This port is used to ask a computer to identify itself.
It is sometimes used by some servers you want to connect to, before they allow
you to connect, but it is also an easy port to look for by the hackers!
So, considering the insecurity following this service, it is not really
useful anymore, and is not widely used.
135
RPC.
This port is for Remote Procedure Call, a Microsoft invention.
This port is NOT to be open for the internet!
Several vulnerabilities have been present in this service, among programs
exploiting such vulnerabilities is the infamous MSBlaster worm.
137-139
NetBIOS
Windows protocol capable of running "on top" of TCP/IP - only you do NOT want
that to happen over the internet!
Be VERY sure to disable ALL communication over these ports from the internet.
This is where drive sharing and other dangerous things happen.
First thing to do is to disable NetBIOS over TCP/IP, which is possible if you
don't need to have LAN communication on the same network adapter you are using
for internet communication, but personally, I would NEVER trust Windows alone
on this issue.
ALWAYS have a firewall in place to take care of these ports.
See also port 445.
143
IMAP.
Same story as for port 110.
IMAP is the "next generation" of the POP protocol, and you only need to have
this port open, if you have a mail server installed offering the IMAP service.
- and you only need to open the port to the internet, if you have "customers"
who need to fetch mail through IMAP on your server.
161
SNMP.
Name resolution and configuration information to be controlled remotely.
It is very important to protect this port from the internet.
443
HTTPS.
Web server port used for secure communication.
Should only be open if you have a web server installed, and then only, if that
web server offers secure communication.
See also port 80.
445
MSFT DS.
Starting with Windows 2000, file sharing no longer need to run on top of
NetBIOS which in turn runs on top of TCP/IP, now it can run directly on top of
TCP/IP using port 445.
So, if the client has NetBIOS over TCP/IP enabled, it will try on both port
139 and 445, preferring 445 and resetting 139, if port 445 answers.
A server (windows 2000 or later) will listen for connections on port 445
always, and on port 139 only if NetBIOS over TCP/IP is enabled.
This ensures that the connection always take place on port 445 without NetBIOS
if possible, and on port 139 using NetBIOS otherwise, if THAT is possible -
although my own experience is that port 139 will always be used if possible...
(Note that a Windows NT 4.0 can NOT map drives on a Windows 2000 that has
NetBIOS over TCP/IP disabled. Windows NT 4.0 will only try port 139, and the
Windows 2000 will only listen on 445.)
Of course, you want to shield port 445 from the internet just as you would
port 139.
1080
ProxyPlus socks.
ProxyPlus uses this port as a proxy for socks.
Make sure it is closed for connections from the internet, or hacker can use
this port to attack other servers, making it look like YOU did it!
1433, 1434
MS-SQL.
Microsoft's SQL server and monitor.
If you have an SQL server installed, you probably want to protect these ports
from the internet.
By default, an SQL server is installed with a standard password, so until
something is done to configure the server, everybody can log on to it.
The infamous SQL Slammer exploited a security hole on port 1434.
1900
UPnP.
The UDP port of Universal Plug and Play.
Do NOT open this port to the internet.
See port 5000.
3389
MS Terminal Services.
Shut this off, unless you are a terminal server who needs to accept
connections from the internet.
Even then, you should probably at least have an ip-filter.
4480
ProxyPlus administration.
Used to administer ProxyPlus.
Make sure this port is NOT available to the internet!
4480
ProxyPlus proxy.
ProxyPlus uses this port to enable internal machines to access extern www
content.
This port should of course be open if you use ProxyPlus, otherwise ProxyPlus
will not work, but it should ONLY be visible to the internal network, NOT the
internet.
If it is, hackers can use your server to cover their tracks when attacking
web servers.
The attack will appear to come from YOU.
5000
UPnP.
Universal Plug And Play.
A new Windows "feature", which at least on Windows XP is enabled by default!
Make sure to protect this port VERY well from the internet!
If someone gets to it, your machine and data is toast.
See also port 1900.
5631-5632
pcanywhere.
Carefull! If you actually have PCAnywhere installed, it is probably for a reason, but don't let just anyone get in!
6588
AnalogX.
This neat little freeware proxy server uses port 6588 to service internal
clients connecting to web servers.
See port 4480.
6667
IRC.
You may need to have this port open, but make sure you know what you are doing.
8080
alternate HTTP.
Used as an alternative to port 80 by some www applications and proxy servers.
See port 80 and 4480.
Last revised: 2003-08-25
·