You don’t need to memorize 65,535 port numbers. In real-world IT work — from configuring firewalls to debugging network issues to hardening servers — the same 20 ports come up over and over.
Learn these 20. The rest you’ll look up when needed.
Don’t try to memorize this all at once. Read each port entry, think about the “Real-World Story”, and scan the security note. Come back here whenever you configure a firewall, open a port, or hit a network error. Within a month of real server work, these will be automatic.
The 20 Ports (Visual Reference)
🔵 Remote Access
Port 22 — SSH (Secure Shell)
Transport: TCP | Range: Well-Known
The most important port for any Linux/server admin. Every day you use SSH.
What it does: Encrypted remote terminal access. Type commands on a server 10,000 km away as if it’s your keyboard.
Real-World Story: An attacker runs an automated scan: nmap -p 22 0.0.0.0/0. Every server with port 22 open gets a barrage of brute-force login attempts — thousands per hour. If you allow password authentication, they will eventually get in.
- Disable password auth: PasswordAuthentication no in /etc/ssh/sshd_config
- Use SSH keys only (see SSH Key Management guide)
- Consider changing to a non-standard port (obscurity, not real security)
- Use fail2ban to auto-block IPs after failed attempts
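A check for the first hardening item above, as an added example (not part of the original article): sshd uses the first value it obtains for each keyword, so a `PasswordAuthentication yes` read earlier, for instance from a drop-in pulled in by an `Include` line, overrides a later `no`. The function name, output format and sample config are assumptions made for illustration; `Include` lines are not expanded here, and `sshd -T` remains the authoritative view of the effective configuration.

```sh
#!/bin/sh
# Added example: report the effective global PasswordAuthentication value
# from sshd_config text supplied on stdin, in the order sshd would read it.

effective_password_auth() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      sub(/=/, " ")                         # accept "Keyword=value" too
      key = tolower($1)                     # keywords are case-insensitive
      if (key == "match") { in_match = 1; next }
      if (key != "passwordauthentication") next
      if (in_match) { if ($2 == "yes") match_yes = 1; next }
      if (global == "") global = $2         # first obtained value wins
    }
    END {
      if (global == "") global = "yes"      # OpenSSH default when unset
      print global (match_yes ? "+match-yes" : "")
    }'
}

# Constructed sample: a drop-in read first (via an Include at the top of
# sshd_config) enables passwords; the later "no" in the main file is ignored.
SAMPLE_CONFIG='# --- sshd_config.d/50-example.conf (hypothetical drop-in) ---
PasswordAuthentication yes
# --- sshd_config ---
PermitRootLogin prohibit-password
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_CONFIG" | effective_password_auth   # yes
```

A result ending in `+match-yes` means a `Match` block re-enables passwords for some users or addresses even though the global value is `no`.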
See active SSH connections to your server right now
- Each line is one active SSH session
- The 'Peer Address' is the IP of the person connected
Port 3389 — RDP (Remote Desktop Protocol)
Transport: TCP | Range: Registered
Windows equivalent of SSH — but with a full graphical desktop.
Real-World Story: RDP is one of the most attacked ports on the internet. In 2020, ransomware groups gained access to thousands of companies through exposed RDP ports with weak passwords. Never expose port 3389 directly to the internet.
If you need RDP access, put it behind a VPN or use a jump server. Port 3389 should never be in a public firewall allow rule.
🟢 Web Traffic
Port 80 — HTTP (HyperText Transfer Protocol)
Transport: TCP | Range: Well-Known
The original unencrypted web. But don’t block it — modern servers use it to redirect to HTTPS.
What it does: Serves web pages. No encryption. Everything you send on HTTP is readable by anyone between you and the server (your ISP, coffee shop WiFi owner, etc.)
In 2026: Browsers show “Not Secure” warnings for HTTP. Your web server should return a 301 redirect from port 80 → port 443. That’s the only legitimate use for port 80 today.
```nginx
server {
    listen 80;
    return 301 https://$host$request_uri; # Redirect HTTP → HTTPS
}
```
Port 443 — HTTPS (HTTP Secure)
Transport: TCP | Range: Well-Known
The encrypted web. ~95% of all web traffic today.
What it does: Same as HTTP but wrapped in TLS encryption. Your browser and the server negotiate an encryption key, then all data is encrypted. Your ISP can see you visit google.com but can’t read what you searched.
You’ll hear “SSL” used everywhere, but SSL is deprecated. Modern HTTPS uses TLS 1.2 or TLS 1.3. When someone says “SSL certificate”, they mean a TLS certificate. Same thing, different name.
Port 25 — SMTP (Simple Mail Transfer Protocol)
Transport: TCP | Range: Well-Known
Server-to-server email delivery. Your mail server uses port 25 to send email to other mail servers.
Important: Your ISP almost certainly blocks outbound port 25 to prevent spam. If you run your own mail server, you’ll need special ISP approval or a transactional email provider (SendGrid, AWS SES).
Port 587 — SMTP Submission (with STARTTLS)
Transport: TCP | Range: Registered
Client-to-server email sending. This is the port your email client (Thunderbird, Outlook) uses to send email through your email provider (Gmail, Fastmail).
Rule of thumb: Port 25 = server-to-server. Port 587 = your email app sending email.
Port 993 — IMAPS (IMAP over SSL/TLS)
Transport: TCP | Range: Registered
Encrypted email retrieval. Your email client connects here to sync your inbox.
IMAP vs POP3: IMAP (ports 143/993) syncs your mailbox across devices — delete on phone, it’s deleted everywhere. POP3 (port 110) downloads and removes from server — old, avoid it.
🟠 File Transfer
Port 21 — FTP Control
Transport: TCP | Range: Well-Known
The original file transfer protocol — completely unencrypted. Avoid in 2026.
Real-World Story: In the 1990s, FTP was how the web worked. Developers would FTP files to their servers. Today, any FTP session on a coffee shop WiFi is fully readable to anyone listening. Your password, your files, all transmitted in plain text.
Use SFTP (SSH File Transfer Protocol, also on port 22) or FTPS (FTP over TLS, port 990) instead. They encrypt everything. Most modern FTP clients support SFTP.
Port 20 — FTP Data
Transport: TCP | Range: Well-Known
FTP splits into TWO connections: port 21 for commands, port 20 for actual data transfer. This is why FTP has “active” and “passive” mode — they handle the data channel differently.
🟡 Databases
Port 3306 — MySQL / MariaDB
Transport: TCP | Range: Registered
The most common web application database port.
Security Rule: MySQL should never be exposed to the internet. In your server firewall, port 3306 should only accept connections from 127.0.0.1 (localhost) or your application server’s private IP.
Block port 3306 from all external connections (Linux UFW firewall)
- Your web app connects to MySQL on localhost — no internet exposure needed
- If you see port 3306 open on a public IP scan, that's a critical security misconfiguration
Port 5432 — PostgreSQL
Transport: TCP | Range: Registered
Same rules as MySQL. PostgreSQL listens on 5432. Never expose to internet. Same firewall rules apply.
Port 6379 — Redis
Transport: TCP | Range: Registered
Redis (cache, message broker, queue) listens on 6379. Default Redis install has no authentication. This has caused countless breaches.
In 2018+, hundreds of thousands of Redis instances exposed on port 6379 were wiped by ransomware because default Redis has no password. Always: bind Redis to localhost only and set a strong password in redis.conf.
Port 27017 — MongoDB
Transport: TCP | Range: Registered
MongoDB default port. Default install (older versions) had no authentication enabled — same problem as Redis.
Historical note: The “MongoDB Ransomware” attacks of 2017 affected 28,000 MongoDB instances that were reachable on port 27017 with no auth. ~$680,000 in ransom was paid.
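An added example (not from the original article) that audits the bind addresses of the four database ports in this section: it reads `ss -H -tln` output and reports whether each listener is on loopback, on all interfaces, or on a specific address. The function name, verdict labels and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag database listeners that are not bound to loopback.
# Reads `ss -H -tln` style lines on stdin (field 4 = Local Address:Port).

DB_PORTS="3306 5432 6379 27017"   # MySQL, PostgreSQL, Redis, MongoDB

audit_db_listeners() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
      k = split($4, part, ":")
      port = part[k]                          # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (!(port in watch)) next
      verdict = "REVIEW-specific-address"     # e.g. a private IP: check the firewall
      if (addr ~ /^127\./ || addr == "[::1]") verdict = "OK-loopback"
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") verdict = "EXPOSED-all-interfaces"
      print port, addr, verdict
    }'
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
LISTEN 0 151  127.0.0.1:3306  0.0.0.0:*
LISTEN 0 511  0.0.0.0:6379    0.0.0.0:*
LISTEN 0 244  [::1]:5432      [::]:*
LISTEN 0 4096 *:27017         *:*
LISTEN 0 244  10.0.0.5:5432   0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_db_listeners
# On a live host: ss -H -tln | audit_db_listeners
```

A listener on all interfaces is only as private as the firewall in front of it, so an `EXPOSED-all-interfaces` line is worth fixing at the service's bind setting even when a firewall rule already blocks the port.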
🟣 Infrastructure
Port 53 — DNS
Transport: UDP (small queries) + TCP (large responses) | Range: Well-Known
Every single web request starts with a DNS lookup on port 53. It’s the most used port on the internet that most people never think about.
DNS Amplification Attacks: Attackers use open DNS resolvers (port 53 open to internet) to amplify DDoS attacks. A 1KB DNS query can be amplified into a 60KB response — 60x amplification. Never run an open DNS resolver.
Port 67/68 — DHCP
Transport: UDP | Range: Well-Known
How your computer gets its IP address automatically when it connects to a network.
- Server listens on port 67 (DHCP server)
- Client sends from port 68 (DHCP client)
Rogue DHCP Attack: An attacker on your network runs a fake DHCP server. Clients connect and get the attacker’s IP as their default gateway — all traffic routed through the attacker. This is a real attack on enterprise networks.
Port 123 — NTP (Network Time Protocol)
Transport: UDP | Range: Well-Known
Time synchronization. Your server uses NTP to keep its clock accurate.
Why it matters for security: TLS certificates have an expiry time. If your server clock is wrong by more than a few minutes, TLS handshakes will fail. SSH keys have timestamps. Logs become unreliable. Time is foundational to security.
Port 161 — SNMP (Simple Network Management Protocol)
Transport: UDP | Range: Registered
Used for monitoring network devices (routers, switches, printers). Your monitoring system (Nagios, Zabbix, Datadog) polls devices on port 161 to collect metrics.
Security risk: SNMP v1 and v2 use “community strings” (essentially plain-text passwords). Default community string: public. Many network devices shipped with this default and were never changed — an attacker can read your entire network topology.
Port 514 — Syslog
Transport: UDP | Range: Well-Known
System logs sent from servers to a central log collector. Your servers stream their logs to a SIEM or log aggregator on port 514.
Security note: Traditional syslog on UDP 514 is unencrypted and unconfirmed (UDP = fire and forget). For security-critical environments, use syslog-ng over TCP 6514 (TLS-encrypted).
Quick Reference Card
| Port | Protocol | Transport | Remember It As |
|---|---|---|---|
| 20 | FTP Data | TCP | File transfer data (avoid — use SFTP) |
| 21 | FTP Control | TCP | File transfer commands (avoid — use SFTP) |
| 22 | SSH / SFTP | TCP | Your daily driver — secure remote access |
| 25 | SMTP | TCP | Server-to-server email delivery |
| 53 | DNS | UDP/TCP | Every web request uses this first |
| 67/68 | DHCP | UDP | How computers get their IP address |
| 80 | HTTP | TCP | Redirect to 443 only — never serve real content |
| 110 | POP3 | TCP | Old email fetch — avoid |
| 123 | NTP | UDP | Clock sync — critical for TLS and logs |
| 143 | IMAP | TCP | Email sync (unencrypted) |
| 161 | SNMP | UDP | Network device monitoring |
| 443 | HTTPS | TCP | The encrypted web |
| 514 | Syslog | UDP | Central log collection |
| 587 | SMTP/TLS | TCP | Email sending from clients |
| 993 | IMAPS | TCP | Encrypted email sync (use this, not 143) |
| 3306 | MySQL | TCP | Localhost only. Never expose. |
| 3389 | RDP | TCP | Windows remote desktop — never public |
| 5432 | PostgreSQL | TCP | Localhost only. Never expose. |
| 6379 | Redis | TCP | Localhost only + auth required |
| 27017 | MongoDB | TCP | Localhost only + auth required |
Key Takeaways
- Memorize the Big 5: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 3306 (MySQL). They appear in 80% of server work.
- Database ports (3306, 5432, 6379, 27017) should NEVER be public — bind to localhost only.
- Port 22 needs hardening — disable password auth, use SSH keys, consider fail2ban.
- FTP (20/21) is dead — use SFTP (port 22) or FTPS (990). Plain FTP transmits passwords in cleartext.
- Port 80 in 2026 has one job: redirect to 443. Nothing else.
- SNMP and Syslog have unencrypted defaults — upgrade to their TLS variants in production.
These are the 20 ports that cover 95% of real-world server administration. You can now read firewall rules, understand network scans, and spot critical security misconfigurations by port number alone.
Next Steps in This Series
- How TCP & UDP Work Together — Understand the transport layer that uses these ports
- What is a Firewall? — Learn to write rules that control which ports are accessible
- Reading the Network: netstat, ss & nmap — See every open port on your system