Port Description

Below is a short description of various TCP/UDP ports in use on the internet. This information can be very useful when configuring a firewall. The description is in no way complete. At first I wanted to make a complete list of the ports I had been attacked on, but that job has proven too tedious, so this page now only contains the most important ports. A complete list of ports and their use can be found at Neohapsis.

Whenever I write that a port should be "closed", what I really mean is that it should be hidden ("stealthed") completely from the internet: the firewall silently drops the probe instead of answering it. A port that appears not to exist at all is far better than a port that merely refuses connections, because a refusal (a TCP reset or an ICMP "port unreachable") still tells a scanner that a live machine is there and invites further probing. Just remember: if you have a client PC, it should in theory be completely invisible to other machines on the internet, except when YOU initiate a connection to something. If you have a server, only the ports belonging to the services the server provides should be visible to the internet. This also goes for ports you don't use! Otherwise a "trojan" that has got onto your system can listen on an unused port and open a backdoor through it.
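
To see the difference described above from the outside, here is an added example (mine, not part of the original page) that probes TCP ports the way a scanner does and reports whether a port is open, closed (the host answers with a reset) or filtered (no answer at all, the "hidden" state this page recommends). The host, the port list and the local listener the demo sets up are assumptions made for the example; run report() against your own public address from a machine outside your firewall to see what it really shows.

```python
import socket

# Result labels as a client-side scanner sees them.
OPEN = "open"            # SYN answered with SYN/ACK: a service accepted the connection
CLOSED = "closed"        # SYN answered with RST: the host is up but nothing listens
FILTERED = "filtered"    # no answer within the timeout: dropped by a firewall ("stealthed")

# Ports this page singles out as never belonging on the internet side of a client PC.
HIGH_RISK_PORTS = [135, 137, 138, 139, 445, 1433, 1434, 1900, 3389, 5000]


def probe(host, port, timeout=2.0):
    """Classify one TCP port on `host` from the outside, the way a scanner would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED                 # a RST came back: the port exists and refuses
        except socket.timeout:
            return FILTERED               # silence: nothing tells the scanner a host is there
        except OSError as exc:
            return "error: %s" % (exc.strerror or exc)


def report(host, ports=HIGH_RISK_PORTS, timeout=2.0):
    """Probe several ports and return {port: state}; anything but FILTERED deserves a look."""
    return {port: probe(host, port, timeout) for port in ports}


def demo():
    """Offline demonstration on the local machine (constructed for the example): one port
    with a listener behind it and one that nothing listens on, so OPEN and CLOSED can both
    be seen. FILTERED needs a real firewall in front of the target, so it is not shown here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS choose a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # released again: nothing listens there now

    try:
        return report("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print("127.0.0.1:%d -> %s" % (port, state))
```

A port reported as closed rather than filtered tells the world that a machine is there; a port reported as open on the high-risk list means a firewall rule is missing.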

20
FTP data link. This port is probably the toughest one to configure, because in active mode the FTP server opens the data connection back to the client from port 20, so I have assigned a separate page to FTP configuration in a firewall. See also port 21.

21
FTP control connection. This port should only be open if you have an FTP server installed. See also port 20.

23
Telnet. Should only be open if you have a telnet server installed and you are sure your security is fine. Note that telnet sends user names, passwords and everything else in clear text, so anyone on the path can read the session.

25
SMTP. Should only be open if you have a mail server installed. This port is used to deliver mail between mail servers. Be careful that the mail server is not configured as an open relay; this is how most of the spam on the internet gets around! Don't be a part of it! Your mail server should only forward (relay) mail coming from YOU, that is from your own network or from authenticated users, and accept mail from anyone only when it is addressed to your own domains. See also ports 110 and 143.
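
The relay decision a mail server has to make for every RCPT TO, written out as an added example that is not from the original page. The domains, network and addresses are constructed for the example. The open-relay variant sits beside the correct check so the difference is visible, and looks_like_open_relay() is the probe the relay blacklists run against you: an outside, unauthenticated client asking you to deliver to an outside domain.

```python
import ipaddress

# Constructed configuration for the example (assumed, not from the page).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}       # domains this server is MX for
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]     # "YOU": the internal LAN


def _domain(address):
    """Return the domain part of an SMTP address such as <user@host>."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        raise ValueError("bad address: %r" % address)
    return addr.rsplit("@", 1)[1].lower()


def rcpt_decision(client_ip, authenticated, rcpt_to,
                  local_domains=LOCAL_DOMAINS, local_nets=LOCAL_NETS):
    """What to answer to RCPT TO.
    Mail for our own domains is accepted from anyone (that is what an MX is for).
    Mail for any other domain is relayed only for the LAN or for authenticated users;
    everyone else gets 554. This last branch is exactly what an open relay lacks."""
    domain = _domain(rcpt_to)
    if domain in local_domains:
        return "250 2.1.5 OK"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in local_nets):
        return "250 2.1.5 OK (relay permitted)"
    return "554 5.7.1 <%s>: Relay access denied" % rcpt_to.strip().strip("<>")


def open_relay_decision(client_ip, authenticated, rcpt_to):
    """The misconfiguration: every recipient accepted, whoever asks."""
    return "250 2.1.5 OK"


def looks_like_open_relay(policy):
    """Outside client (TEST-NET address), no authentication, outside recipient.
    A correctly configured server must refuse; True means the policy relays for anyone."""
    answer = policy("203.0.113.7", False, "<victim@elsewhere.net>")
    return answer.startswith("250")


if __name__ == "__main__":
    for name, policy in (("correct", rcpt_decision), ("open relay", open_relay_decision)):
        print("%-10s relays for strangers: %s" % (name, looks_like_open_relay(policy)))
```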

53
DNS. Used for domain name resolution. You should allow your applications to send outbound UDP and TCP traffic to port 53 and to receive the matching inbound replies from port 53, or they will not be able to find anything on the internet. However, unless you run a registered DNS server (and you probably don't!), there is no reason to allow unsolicited inbound traffic to port 53, neither UDP nor TCP. Don't let everybody use YOUR DNS server, if you have one at all. Note that both UDP and TCP outbound to port 53 should be allowed. When an application wants to resolve a name, the resolver sends a UDP query to the DNS servers configured in the TCP/IP settings (probably just your ISP's name servers). A plain DNS message over UDP is limited to 512 bytes (larger sizes require the EDNS0 extension); if the answer does not fit, the server returns a truncated reply with the TC bit set, and the resolver asks again over TCP. Zone transfers between name servers also use TCP. Note that a reply from UDP port 53 may arrive so late that the originating port has been closed in the meantime, which may cause the firewall to complain about such a reply. One way around it is simply to allow all UDP packets from source port 53 to any application, even if the port is not currently open. Be aware of what that rule means, though: anyone can send packets with source port 53, so it lets an attacker reach every UDP port on your machine. A firewall that tracks your outbound queries and accepts only the matching reply, with a timeout long enough for a slow name server, is the better solution. If you don't want the blanket rule, you can instead disallow all UDP packets from port 53, but then you have to make sure the firewall is configured to allow such packets to the applications that actually need them BEFORE it applies the disallow rule. See also how to set up a firewall for a DNS server
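
The UDP-to-TCP fallback described above, as an added example that is not from the original page: it builds a DNS query, inspects a constructed reply for the TC (truncated) bit, and shows the 2-byte length prefix that DNS over TCP requires. The query name and transaction id are assumptions for the example; no packets are sent, and the reply is constructed in code rather than received from a server.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080   # header flag bits (RFC 1035 section 4.1.1)
UDP_LIMIT = 512                                     # largest plain-UDP DNS message


def encode_name(qname):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """A standard recursive query for an A record (qtype 1), class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def fake_reply(query, truncated):
    """Constructed for the example (no real server involved): a reply carrying the
    query's id, QR set, the question echoed and no answer records. With truncated=True
    the TC bit is set, which is what a server sends when the full answer would not
    fit into a 512-byte UDP message."""
    flags = QR | RD | RA | (TC if truncated else 0)
    header = struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0)
    return header + query[12:]


def needs_tcp_retry(query, reply):
    """True when the UDP reply was truncated: the resolver must repeat the query over TCP.
    A packet whose id does not match, or that is not a reply, is not ours (late or forged)."""
    q, r = parse_header(query), parse_header(reply)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a reply to our query (id %#06x)" % q["id"])
    return r["tc"]


def frame_for_tcp(msg):
    """Over TCP every DNS message is prefixed with its 16-bit length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Inverse: pull the first message out of a TCP byte stream."""
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


if __name__ == "__main__":
    q = build_query("www.example.com")
    if needs_tcp_retry(q, fake_reply(q, truncated=True)):
        framed = frame_for_tcp(q)
        print("UDP reply truncated; resend over TCP with length prefix", framed[:2].hex())
```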

79
Finger. Should only be open if you have a finger server installed. This protocol is not used much anymore, and it gives away user names and login activity that are useful to an attacker, so there is rarely a reason to run it at all.

80
HTTP. Should only be open if you have a web server installed. Note that some versions of Windows and other programs may automatically install a web server, so this is obviously an easy point of attack, especially since IIS has had so many security holes. Make sure to disable access to this port from the internet, except on your web server, of course. See also port 443.

110
POP3. Should only be open if you have a mail server installed. This port is used to fetch mail from a mail server. If you do indeed have a mail server installed, you should block this port towards the internet only (not towards your own network), unless you have "clients" on the internet who want to get their mail. In that case some other security measures should be applied, since POP3 sends the user name and password in clear text unless the connection is protected with SSL/TLS. You don't want just anybody to read your mail!

113
IDENT. This port is used to ask a computer which user owns a given TCP connection. Some servers you want to connect to (IRC servers in particular) query it before they let you in, but it is also an easy port for hackers to look for, and the answer is supplied by the client machine itself, so it cannot be trusted anyway. Considering the insecurity that follows from this service, it is not really useful anymore and is not widely used. One practical caveat: if you hide the port completely, some servers will wait for their IDENT query to time out before connecting you, so you may prefer to let the firewall reject it with a reset instead.

135
RPC. This port is the endpoint mapper for Remote Procedure Call (Microsoft's implementation of DCE RPC). This port is NOT to be open to the internet! Several vulnerabilities have been found in this service; among the programs exploiting such vulnerabilities is the infamous MSBlaster worm.

137, 138, 139
NetBIOS. A Windows protocol capable of running "on top" of TCP/IP (NetBIOS over TCP/IP): the name service on UDP 137, the datagram service on UDP 138 and the session service on TCP 139. Only you do NOT want that to happen over the internet! Be VERY sure to disable ALL communication over these ports from the internet. This is where drive sharing and other dangerous things happen. The first thing to do is to disable NetBIOS over TCP/IP, which is possible if you don't need LAN communication on the same network adapter you use for internet communication, but personally I would NEVER trust Windows alone on this issue. ALWAYS have a firewall in place to take care of these ports. See also port 445.

143
IMAP. Same story as for port 110. IMAP is the "next generation" of the POP protocol, and you only need to have this port open if you have a mail server installed that offers the IMAP service, and you only need to open the port to the internet if you have "customers" who need to fetch mail through IMAP on your server.

161, 162
SNMP. Simple Network Management Protocol, used to read status and configuration information from a device remotely and, with write access, to change it; agents listen on UDP 161 and send traps to UDP 162. Many devices ship with the well-known community strings "public" and "private", which act as the password, so it is very important to protect these ports from the internet.

443
HTTPS. Web server port used for secure (SSL/TLS) communication. Should only be open if you have a web server installed, and then only if that web server offers secure communication. See also port 80.

445
MSFT DS (Microsoft Directory Services, i.e. SMB directly over TCP). Starting with Windows 2000, file sharing no longer needs to run on top of NetBIOS, which in turn runs on top of TCP/IP; now it can run directly on top of TCP/IP using port 445. So if the client has NetBIOS over TCP/IP enabled, it will try both port 139 and port 445, preferring 445 and resetting the 139 connection if port 445 answers. A server (Windows 2000 or later) will always listen for connections on port 445, and on port 139 only if NetBIOS over TCP/IP is enabled. This ensures that the connection takes place on port 445 without NetBIOS if possible, and on port 139 using NetBIOS otherwise, if THAT is possible - although my own experience is that port 139 will always be used if possible... (Note that Windows NT 4.0 can NOT map drives on a Windows 2000 machine that has NetBIOS over TCP/IP disabled: Windows NT 4.0 will only try port 139, and the Windows 2000 machine will only listen on 445.) Of course, you want to shield port 445 from the internet just as you would port 139.

1080
ProxyPlus SOCKS. ProxyPlus uses this port as a SOCKS proxy. Make sure it is closed to connections from the internet, or a hacker can use this port to attack other servers, making it look like YOU did it!

1433, 1434
MS-SQL. Microsoft's SQL Server (TCP 1433) and the SQL Server resolution service, the "monitor" (UDP 1434). If you have an SQL server installed, you certainly want to protect these ports from the internet. By default, older versions of SQL Server were installed with a blank password on the "sa" administrator account, so until something is done to configure the server, everybody can log on to it. The infamous SQL Slammer worm exploited a buffer overflow in the resolution service on UDP port 1434.

1900
UPnP (SSDP). The UDP port of Universal Plug and Play, used for device discovery. Do NOT open this port to the internet. See port 5000.

3389
MS Terminal Services (Remote Desktop). Shut this off unless you are running a terminal server that needs to accept connections from the internet. Even then, you should probably at least have an IP filter restricting which addresses may connect.

ProxyPlus administration. Used to administer ProxyPlus. Make sure this port is NOT available to the internet!

4480
ProxyPlus proxy. ProxyPlus uses this port to let internal machines access external www content. This port should of course be open if you use ProxyPlus, otherwise ProxyPlus will not work, but it should ONLY be visible to the internal network, NOT the internet. If it is, hackers can use your server to cover their tracks when attacking web servers, and the attack will appear to come from YOU.

5000
UPnP. Universal Plug and Play. A new Windows "feature" which, at least on Windows XP, is enabled by default! This is the TCP port the UPnP service listens on. Make sure to protect this port VERY well from the internet! If someone gets to it, your machine and data are toast. See also port 1900.

5631, 5632
pcAnywhere. Careful! pcAnywhere listens on TCP 5631 for the remote-control session and on UDP 5632 for status queries. If you actually have pcAnywhere installed, it is probably for a reason, but don't let just anyone get in!

6588
AnalogX. This neat little freeware proxy server uses port 6588 to service internal clients connecting to web servers. See port 4480.

6667
IRC. You may need to have this port open, but make sure you know what you are doing.

8080
Alternate HTTP. Used as an alternative to port 80 by some www applications and proxy servers. See ports 80 and 4480.


Last revised: 2003-08-25