IP Port Checker
Search and reference 150+ common network ports. Look up port numbers, protocols, services, and security notes. Includes a visual port status simulator and complete TCP/UDP reference.
Port Status Simulator
This simulator shows how port scan results look by toggling ports between open, closed, and filtered. In a real scan those three states mean: open, a service accepted the probe (for TCP, the three-way handshake completed); closed, the host answered that nothing is listening there (a TCP RST, or an ICMP port-unreachable for UDP); filtered, no answer came back at all, which usually means a firewall dropped the probe.
TCP vs UDP Protocols
Nearly every service listens on one of two transport protocols, TCP or UDP (QUIC, which HTTP/3 uses, runs on top of UDP). Some services, DNS for example, register the same port number for both and use each for a different purpose. Understanding the distinction is fundamental to network administration and security.
TCP (Transmission Control Protocol)
Connection-oriented protocol that establishes a session before sending data. Uses a three-way handshake (SYN, SYN-ACK, ACK) to establish connections.
- Reliable delivery, confirmed by acknowledgments
- Ordered packet delivery
- Error checking and retransmission
- Flow control and congestion management
- Higher overhead, slower than UDP
Used for: HTTP/HTTPS, SSH, FTP, SMTP, databases
UDP (User Datagram Protocol)
Connectionless protocol that sends data without establishing a session. No handshake, no acknowledgment, no guaranteed delivery.
- No delivery guarantee
- No ordering guarantee
- Minimal error checking
- No flow control
- Lower overhead and lower latency than TCP
Used for: DNS, DHCP, SNMP, streaming, VoIP, gaming
TCP is the correct choice when data integrity matters. Web pages, emails, file transfers, and database queries all require every byte to arrive correctly and in order. A missing packet in a web page means a broken page; a missing packet in a file transfer means a corrupt file.
UDP is the correct choice when timeliness matters more than completeness. Video streaming, voice calls, online gaming, and DNS lookups all tolerate occasional loss. Retransmitting a dropped video frame would stall playback, which is worse than skipping the frame; with UDP the application, not the transport, decides how to handle loss. DNS uses UDP because a query and its response normally each fit in one packet, so a TCP handshake would double the round trips for no benefit.
Well-Known Ports Reference (0 to 1023)
Well-known ports are the foundation of internet communication. The Internet Assigned Numbers Authority (IANA) manages these assignments, and they are recognized globally across operating systems and network equipment. On Linux and Unix systems, binding to a port below 1024 requires root or, on Linux, the CAP_NET_BIND_SERVICE capability (the threshold is tunable through net.ipv4.ip_unprivileged_port_start). This stops an unprivileged local user from squatting on a system service's port; it says nothing about whether the process that did bind is trustworthy, and it offers no protection against a remote attacker.
Web Ports (80, 443, 8080, 8443)
Port 80 is the default for unencrypted HTTP. When you type a URL without a port, your browser connects to port 80 for http:// and 443 for https://. Port 443 carries HTTPS, HTTP encrypted with TLS. Nearly all modern websites serve on port 443, and browsers signal the encrypted connection (traditionally with a padlock icon) and warn when it is absent.
Ports 8080 and 8443 are the common alternatives for HTTP and HTTPS. Development servers, proxies, and secondary web applications use them to avoid conflicting with the primary web server on 80/443; Apache Tomcat, for example, defaults to 8080. A service on 8080 is just as reachable from the internet as one on 80, so the same firewall rules apply.
Email Ports (25, 465, 587, 110, 143, 993, 995)
Email uses several ports for different functions. Port 25 is the original SMTP port for server-to-server relay; consumer ISPs commonly block it outbound to curb spam. Port 587 is the standard submission port for mail clients sending through an SMTP server, with authentication and STARTTLS. Port 465 was registered for SMTPS (SMTP over implicit TLS) in 1997, withdrawn a year later, and used informally for years until RFC 8314 (2018) re-registered it for submission over implicit TLS, which is now the recommended option.
For receiving email, port 110 handles POP3 (Post Office Protocol), which downloads messages to the client and typically deletes them from the server. Port 143 handles IMAP (Internet Message Access Protocol), which synchronizes messages between client and server without deleting them. Ports 993 (IMAPS) and 995 (POP3S) carry the same protocols over implicit TLS. Ports 110 and 143 can also be upgraded with STARTTLS, but a client willing to fall back to plaintext can be downgraded by an on-path attacker, so the implicit-TLS ports are preferred.
File Transfer Ports (20, 21, 22, 69)
FTP uses two ports: 21 for the control channel and 20 for the data channel in active mode, where the server connects back to the client. In passive mode the server instead opens a negotiated high-numbered port for data. Plain FTP sends credentials and file contents in clear text; FTPS adds TLS but keeps the two-channel design, which is why it is awkward to firewall. SFTP (SSH File Transfer Protocol) runs over port 22 as an SSH subsystem, giving encrypted file transfer over a single connection without FTP's dual-port architecture.
Port 69 handles TFTP (Trivial File Transfer Protocol), a simplified UDP-based file transfer protocol used primarily for network booting (PXE), firmware updates, and configuration file transfer on network equipment. TFTP has no authentication, making it suitable only for trusted internal networks.
Remote Access Ports (22, 23, 3389, 5900)
Port 22 serves SSH (Secure Shell), the encrypted remote access protocol that replaced Telnet for command-line administration. SSH also provides tunneling, SFTP file transfer, and SCP file copying through the same port. Port 23 is the legacy Telnet port, which transmits all data including passwords in plain text. Telnet should never be used on untrusted networks.
Port 3389 handles RDP (Remote Desktop Protocol), Microsoft's graphical remote access protocol for Windows. Port 5900 is the default for VNC (Virtual Network Computing), an open graphical remote access protocol; additional displays use 5901, 5902, and so on. Both are targeted around the clock by credential-stuffing and exploit campaigns, so expose them only through a VPN, an RDP gateway, or a bastion host, never directly to the internet.
DNS Port (53)
Port 53 carries DNS (Domain Name System) queries and responses over both UDP and TCP. Ordinary lookups use UDP because a query and its response normally fit in a single packet. A response that does not fit in the client's advertised UDP buffer (512 bytes without EDNS; with EDNS the client can ask for more, and 1232 bytes has been the widely adopted limit since the 2020 DNS flag day) comes back truncated, and the client retries over TCP. Zone transfers (AXFR/IXFR) between servers always use TCP, and RFC 7766 requires every DNS implementation to support TCP.
DNS over HTTPS (DoH) on port 443, DNS over TLS (DoT) on port 853/tcp, and DNS over QUIC (DoQ) on port 853/udp encrypt queries between client and resolver, preventing eavesdropping and tampering on that hop. They do not hide the resolver's own upstream lookups, and because DoH blends into ordinary HTTPS traffic it also bypasses network-level DNS filtering, which is why enterprise policy often disables it on managed devices.
Common Registered Ports (1024 to 49151)
Database Ports
Database servers listen on well-established registered ports: MySQL on 3306, PostgreSQL on 5432, Microsoft SQL Server on 1433, Oracle Database on 1521, MongoDB on 27017, and Redis on 6379. Moving a database to a non-default port is security through obscurity: it reduces hits from scanners that only try the defaults, but any scanner that fingerprints every port (nmap -sV does) finds it immediately, so treat it as a minor supplement at best.
Exposing database ports directly to the internet is a serious risk. Automated scanners probe these ports continuously for weak or absent credentials and known vulnerabilities; Redis, MongoDB, and Elasticsearch in particular have historically shipped with no authentication enabled, and unauthenticated instances are routinely found and wiped or ransomed. Bind database services to localhost (127.0.0.1) or a private interface, firewall the port so only application hosts can reach it, and reach it for administration through an SSH tunnel or VPN.
Application Server Ports
Web application servers and frameworks use various registered ports. Node.js applications commonly run on port 3000. Ruby on Rails defaults to port 3000 as well. Django uses port 8000. Flask uses port 5000. These development ports are typically proxied behind Nginx or Apache on ports 80/443 in production environments.
Message Queue and Cache Ports
RabbitMQ listens on port 5672 for AMQP connections and port 15672 for its management interface. Apache Kafka uses port 9092. Memcached listens on port 11211. Elasticsearch communicates on port 9200 for REST API access and port 9300 for inter-node transport. These services form the infrastructure layer of modern applications and should be restricted to internal network access.
Monitoring and Management Ports
SNMP (Simple Network Management Protocol) uses UDP ports 161 and 162. Port 161 handles queries from management stations, while port 162 receives trap notifications from managed devices. Prometheus metrics are typically exposed on port 9090, and Grafana serves its dashboard on port 3000.
How to Check Port Status
Checking whether a port is open, closed, or filtered on a remote host requires sending network probes and interpreting the responses. Several command-line tools handle this task across different operating systems.
Using Telnet
The telnet client attempts a TCP connection to the given port. If the connection succeeds the port is open; if it is refused the port is closed; if it hangs until it times out the port is filtered. Using telnet as a probe is safe in the sense that no credentials are sent, but a full connection is made and the remote service will log it. Many current systems no longer install the telnet client by default.
Using Netcat (nc)
Netcat's -z flag connects without sending data and -v reports the result; a range is given as start-end, and -u switches to UDP (where silence does not mean closed, only an ICMP port-unreachable does). Several implementations exist (OpenBSD nc, GNU netcat, Nmap's ncat) with slightly different flags; macOS and most Linux distributions ship one of them.
Using Nmap
Nmap is the most capable port scanner. The -p flag selects ports, -sU scans UDP (slow, because silence has to be disambiguated from a dropped probe), and -sV probes the service version. Run as root it defaults to a SYN scan; otherwise it falls back to a full connect scan. It reports open, closed, filtered, and unfiltered, plus the combined open|filtered and closed|filtered states when it cannot tell. Scan only hosts you own or are authorised to test: unsolicited scanning trips intrusion detection and may be illegal in your jurisdiction.
Using PowerShell (Windows)
PowerShell's Test-NetConnection cmdlet (with -ComputerName and -Port) tests TCP connectivity to a specific port. The output shows whether the TCP connection succeeded (TcpTestSucceeded), the remote address, and a ping round-trip time. It is the preferred method on Windows systems without third-party tools; it tests TCP only.
Using curl
Curl can test a TCP port using the telnet:// scheme. If the connection is established, curl reports Connected to and the port is open; -v shows the connection attempt. Because curl then waits for you to type something, pair it with --max-time so a filtered port returns instead of hanging. This works on any system with curl installed.
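The checks above as one added, runnable script (not code from the original page): it does what nc -z and Test-NetConnection do using bash's /dev/tcp, so it needs no extra tool, and labels the answer the way nmap labels ports. It assumes bash and coreutils timeout are installed; 192.168.1.100 in the comments is the page's sample host, not a real target, and the one-liners listed there are the standard invocations of each tool.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Needs bash (for /dev/tcp) and
# coreutils `timeout`; the rest is POSIX sh.

# check_port HOST PORT [TIMEOUT_SECONDS]
# Prints one of: open, closed, filtered, unreachable, error
check_port() {
  local host=$1 port=$2 wait=${3:-3} rc=0 err
  # bash opens a TCP socket on fd 3, which completes the three-way handshake.
  # stderr is captured so "Connection refused" (an RST came back) can be told
  # apart from "Network is unreachable" (ICMP error or no route).
  err=$(timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>&1) || rc=$?
  case $rc in
    0)   echo open ;;       # handshake completed: a service is listening
    124) echo filtered ;;   # neither SYN-ACK nor RST before the deadline: probe probably dropped by a firewall
    *)
      case $err in
        *refused*)                  echo closed ;;       # host answered with RST: nothing listening
        *unreachable*|*"No route"*) echo unreachable ;;  # ICMP unreachable or no route to host
        *)                          echo error ;;        # name resolution failure, bad port, etc.
      esac ;;
  esac
}

# scan_range HOST FIRST LAST: connect-check a range, like `nc -zv HOST FIRST-LAST`
scan_range() {
  local host=$1 p=$2 last=$3
  while [ "$p" -le "$last" ]; do
    printf '%5s/tcp %s\n' "$p" "$(check_port "$host" "$p" 1)"
    p=$((p + 1))
  done
}

# The same checks with the tools discussed on the page (HOST is the page's sample host):
#   nc -zv 192.168.1.100 22                 # netcat: -z no payload, -v report result
#   nc -zv 192.168.1.100 20-25              # a range
#   nc -zvu 192.168.1.100 53                # UDP: only an ICMP unreachable proves "closed"
#   nmap -p 22,80,443 192.168.1.100         # SYN scan as root, connect scan otherwise
#   nmap -sU -p 53,161 192.168.1.100        # UDP scan; slow by design
#   nmap -sV -p 22 192.168.1.100            # service/version detection
#   curl -v --max-time 5 telnet://192.168.1.100:22
#   Test-NetConnection 192.168.1.100 -Port 3389     (PowerShell)

# Demo against the loopback interface: port 1 is almost never in use,
# so the host answers with RST and the result is "closed".
printf 'port 1 on loopback: %s\n' "$(check_port 127.0.0.1 1)"
```

A filtered result is the ambiguous one: it only says the probe got no answer, and a host that rate-limits RSTs or an upstream ACL that drops traffic produces the same silence as a local firewall.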
Firewall Configuration and Port Management
Firewalls control which ports accept incoming connections, which ports allow outgoing connections, and which traffic is blocked. Proper firewall configuration is the primary defense against unauthorized access through open ports.
Default Deny vs Default Allow
The two basic firewall approaches are default deny (block all traffic except explicitly allowed ports) and default allow (allow all traffic except explicitly blocked ports). Security best practice is default deny. Start with all ports closed and open only the ports required for your specific services.
A basic firewall policy for a web server running SSH, HTTP, and HTTPS would allow inbound connections on ports 22, 80, and 443 only, while blocking all other inbound ports. Outbound traffic is typically less restricted, allowing the server to make DNS queries (port 53), download updates (ports 80/443), and send email (port 587).
Linux iptables and nftables
A minimal iptables policy for this host accepts new connections on ports 22, 80, and 443 and drops every other inbound packet. A production policy also has to accept traffic on the loopback interface, packets belonging to established or related connections (otherwise replies to the server's own outbound connections are dropped), and at least ICMP echo plus the ICMP error messages that path MTU discovery depends on. On current distributions the iptables command is usually a compatibility front end (iptables-nft) over nftables, which is the kernel's native packet filter interface and the one to learn for new deployments.
UFW (Uncomplicated Firewall)
UFW is an easy-to-use front end for iptables/nftables on Ubuntu and Debian. Its short syntax (allow, deny, limit, per-port rules or application profiles) generates the underlying rules, including the loopback, established-connection, and ICMP handling that a hand-written policy must add itself; ufw show raw prints what it actually installed.
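The default-deny policy described in the two sections above (SSH, HTTP, and HTTPS only), as an added example that is not code from the original page, written once each for nftables, iptables, and UFW. The functions only print rules so you can read them before applying as root. It assumes a single-homed host, that administrators reach SSH from the placeholder network in ADMIN_NET, and that ICMP echo should keep working.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: one default-deny policy for a
# host running SSH, HTTP and HTTPS, expressed for nftables, iptables and UFW.
# Assumptions: single-homed host, admins SSH in from ADMIN_NET, ICMP echo wanted.

ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}   # placeholder admin network; widen only if unavoidable

# nftables, the native interface on current Linux.
# Apply with:  nft_ruleset | sudo nft -f -      Persist e.g. in /etc/nftables.conf
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;   # default deny

    iif lo accept                                      # loopback
    ct state established,related accept                # replies to our own connections
    ct state invalid drop

    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request,
                  nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

    ip saddr ${ADMIN_NET} tcp dport 22 ct state new accept
    tcp dport { 80, 443 } ct state new accept

    counter drop                                       # everything else, counted for visibility
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# iptables (legacy or the iptables-nft shim). Rules are appended before the
# policy is flipped to DROP so an active SSH session is never cut off.
# Persist with:  iptables-save > /etc/iptables/rules.v4   (repeat with ip6tables)
iptables_rules() {
  cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# UFW: the same policy; loopback, established and ICMP handling come from UFW's own chains.
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from ${ADMIN_NET} to any port 22 proto tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
ufw status verbose
EOF
}

case ${1:-nft} in
  nft)      nft_ruleset ;;
  iptables) iptables_rules ;;
  ufw)      ufw_rules ;;
  *)        echo "usage: $0 [nft|iptables|ufw]" >&2 ;;
esac
```

Whichever flavour you use, apply it from a console or with a scheduled rollback (for example a sleep-then-flush job you cancel once you confirm SSH still works); a typo in a default-deny policy on a remote host is a lockout.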
Windows Firewall
Windows Defender Firewall manages port access through the Windows Security interface, the NetSecurity PowerShell module (New-NetFirewallRule, Get-NetFirewallRule), or netsh advfirewall. It supports inbound and outbound rules, application-based rules (allowing a specific program regardless of port), port-based rules (allowing a specific port regardless of application), and separate Domain, Private, and Public profiles, so a rule that is fine on the corporate network can stay disabled on public Wi-Fi.
Cloud Security Groups
Cloud providers control port access at the virtual network layer with AWS security groups and network ACLs, Azure network security groups, and GCP VPC firewall rules, applied to instances, network interfaces, or subnets. AWS security groups are stateful (return traffic is allowed automatically), while network ACLs are stateless, so both the inbound rule and an outbound rule for the ephemeral reply ports must exist. A security group that opens 22 or 3389 to 0.0.0.0/0 is the cloud equivalent of an exposed server and is one of the most common findings in cloud posture scans.
Port Security Best Practices
Network security starts with controlling which ports are accessible and protecting the services that run on them. Here are the practices I follow when hardening servers and networks.
Minimize Open Ports
Every open port is a potential entry point. Run only the services you need and close everything else. A web server needs 80 and 443 open to the world; SSH on 22 should be reachable only from administrator addresses or a bastion host. A database server should accept its database port only from application servers, never from the public internet. Regularly audit what is listening, from the inside with ss or netstat and from the outside with nmap, to catch services that were installed or started without your knowledge or that bind to every interface when they should bind to localhost.
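An added audit script (not code from the original page) for the inside-out check recommended here and for the localhost-binding advice in the database section: it reads ss -Hlntu output, flags any socket listening on all interfaces that is not on the allow-list, and names well-known database and cache ports. The sample ss output is constructed for the example; the allow-list (22, 80, 443) is an assumed web-server policy.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit what a Linux host is
# listening on and flag sockets exposed beyond an allow-list.

ALLOWED_PUBLIC=${ALLOWED_PUBLIC:-"22 80 443"}   # assumed policy: web server

# Constructed sample in `ss -Hlntu` layout (no header; one socket per line):
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp LISTEN 0 511  0.0.0.0:80     0.0.0.0:*
tcp LISTEN 0 511  [::]:443       [::]:*
tcp LISTEN 0 80   127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511  0.0.0.0:6379   0.0.0.0:*
tcp LISTEN 0 4096 10.0.1.5:5432  0.0.0.0:*
udp UNCONN 0 0    0.0.0.0:161    0.0.0.0:*
tcp LISTEN 0 128  [::]:8080      [::]:*'

# db_name PORT: name of the well-known database/cache service on PORT, or fail
db_name() {
  case $1 in
    1433)  echo "SQL Server" ;;   1521)  echo Oracle ;;        3306) echo MySQL ;;
    5432)  echo PostgreSQL ;;     6379)  echo Redis ;;         9200) echo Elasticsearch ;;
    11211) echo Memcached ;;      27017) echo MongoDB ;;       *)    return 1 ;;
  esac
}

# is_allowed_public PORT: true if PORT may listen on all interfaces
is_allowed_public() { case " $ALLOWED_PUBLIC " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# audit_listeners < ss-output: prints one line per socket with a verdict
audit_listeners() {
  local netid state rq sq laddr peer rest addr port verdict name
  while read -r netid state rq sq laddr peer rest; do
    [ -n "$laddr" ] || continue
    port=${laddr##*:}          # text after the last colon is the port
    addr=${laddr%:*}           # everything before it ("[::]" means IPv6 any)
    case $addr in
      127.*|'[::1]')      verdict="ok: loopback only" ;;
      0.0.0.0|'[::]'|'*')
        if is_allowed_public "$port"; then verdict="ok: allow-listed"
        else verdict="EXPOSED: listening on all interfaces"; fi ;;
      *)                  verdict="bound to $addr: internal interface, confirm the firewall" ;;
    esac
    if name=$(db_name "$port"); then
      verdict="$verdict ($name port; must never be reachable from the internet)"
    fi
    printf '%-3s %6s %s\n' "$netid" "$port" "$verdict"
  done
}

# count_exposed < ss-output: number of sockets that need attention
count_exposed() { audit_listeners | grep -c EXPOSED; }

# Demo on the constructed sample. On a real host:  ss -Hlntu | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

On the sample this flags Redis on 0.0.0.0:6379, SNMP on udp/161, and the 8080 listener, reports PostgreSQL bound to an internal address as something to verify against the firewall, and passes MySQL because it is bound to 127.0.0.1. Pair it with an external nmap of the same host: a port that is exposed here but not visible from outside is only safe for as long as the firewall in between stays correct.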
Change Default Ports for SSH
Moving SSH from port 22 to a non-standard port (2222 or any high-numbered port) stops the mass scanners that only try port 22, which cuts log noise and brute-force volume dramatically. It does nothing against an attacker who scans every port or looks the host up in an internet-wide scan index, so treat it as noise reduction, not access control: use SSH keys, disable password authentication, and restrict the port by source address. When you move it, also update the firewall rule, the fail2ban jail, and on SELinux systems the port label (semanage port), or sshd will refuse to start or become unreachable.
Use Port Knocking
Port knocking keeps a port closed (it looks filtered to a scanner) until the firewall sees a specific sequence of connection attempts on other ports from the same source, then opens the protected port for that source for a short time. For example, attempting connections to ports 7000, 8000, and 9000 in order within 10 seconds causes the firewall to open port 22 for the source IP. This hides the service from casual scanning, but the knock sequence travels in clear text, so anyone who can observe the traffic can replay it; single-packet authorization (fwknop) replaces the sequence with an encrypted, authenticated packet. Neither is a substitute for strong authentication on the service behind it.
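The knock sequence described above (7000, 8000, 9000 within 10 seconds opens port 22 for the source address), as an added example that is not code from the original page, implemented with nftables timed sets so no knockd daemon or log-watching script is needed. It assumes IPv4 clients, that the host's main default-deny input chain lives elsewhere (and accepts port 22 itself, since this chain only gates it), and that the knock ports are otherwise unused.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: port knocking with nftables
# timed sets. Assumptions: IPv4 clients; a separate default-deny chain at
# priority 0 that accepts tcp/22; knock ports 7000/8000/9000 otherwise unused.

KNOCK1=${KNOCK1:-7000}; KNOCK2=${KNOCK2:-8000}; KNOCK3=${KNOCK3:-9000}
PROTECTED=${PROTECTED:-22}
WINDOW=${WINDOW:-10s}      # maximum gap between knocks
OPEN_FOR=${OPEN_FOR:-30s}  # how long the source may start new SSH sessions

# Apply with:  knock_ruleset | sudo nft -f -
knock_ruleset() {
  cat <<EOF
table inet knock {
  set stage1  { type ipv4_addr; flags timeout; timeout ${WINDOW}; }
  set stage2  { type ipv4_addr; flags timeout; timeout ${WINDOW}; }
  set allowed { type ipv4_addr; flags timeout; timeout ${OPEN_FOR}; }

  chain input {
    # Priority -10 runs before the main filter chain (priority 0). This chain
    # decides only the knock ports and the protected port; anything it accepts
    # still has to pass the main chain, anything it drops is gone for good.
    type filter hook input priority -10; policy accept;
    ct state established,related accept

    # Each knock promotes the source to the next stage and is dropped, so the
    # knock ports look filtered to a scanner whether the sequence is right or not.
    # A stage entry expires after WINDOW, which is what enforces "within 10 seconds".
    tcp dport ${KNOCK3} ip saddr @stage2 add @allowed { ip saddr } drop
    tcp dport ${KNOCK2} ip saddr @stage1 add @stage2 { ip saddr } drop
    tcp dport ${KNOCK1} add @stage1 { ip saddr } drop

    # Sources that completed the sequence may open new SSH sessions; nobody else.
    tcp dport ${PROTECTED} ip saddr @allowed ct state new accept
    tcp dport ${PROTECTED} drop
  }
}
EOF
}

# knock HOST: what the client runs (printed rather than executed here):
# one SYN per knock port, then SSH within OPEN_FOR.
knock() {
  printf 'nc -z -w 1 %s %s\n' "$1" "$KNOCK1" "$1" "$KNOCK2" "$1" "$KNOCK3"
  printf 'ssh %s\n' "$1"
}

knock_ruleset
```

Two limitations worth knowing before relying on it: an attacker who can sniff the path sees the three ports and replays them, and a sequential scanner that happens to hit 7000, 8000, and 9000 in ascending order inside the window completes the sequence too (nmap randomizes port order by default, but a simple loop does not). Established sessions survive the allowed entry expiring because the ct state rule accepts them.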
Implement Network Segmentation
Separate internal services from public-facing services using VLANs, subnets, or separate network interfaces. Database servers, cache servers, and application backends should exist on an internal network that is not routable from the internet. Only reverse proxy or load balancer servers need public-facing ports.
Monitor Port Activity
Logging and monitoring network connections reveals unauthorized access attempts and unusual traffic patterns. Tools like fail2ban automatically block IP addresses that show brute-force patterns against SSH, web servers, and email services. Centralized log analysis platforms (ELK Stack, Splunk, Graylog) provide visibility into port access patterns across your entire infrastructure.
Port Forwarding Explained
Port forwarding (also called port mapping or NAT forwarding) directs incoming traffic on a specific port from a router or firewall to a device on the internal network. This is necessary when you want external users to access a service running behind a NAT (Network Address Translation) gateway.
How Port Forwarding Works
Your router has one public IP address visible to the internet. Behind the router, multiple devices share this public IP using private addresses (192.168.x.x, 10.x.x.x, 172.16-31.x.x). Without port forwarding, incoming connections from the internet have no way to reach devices on the private network.
A port forwarding rule tells the router: "When traffic arrives on public port X, send it to internal device Y on port Z." For example, forwarding public port 443 to 192.168.1.50 port 443 delivers all inbound HTTPS to the internal web server. The router rewrites the destination address from its public IP to the internal one (destination NAT), records the connection in its state table, and rewrites the source of the replies back to its public address, so the remote client sees a single, transparent connection.
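The rule just described (public port 443 to 192.168.1.50:443), as an added example that is not code from the original page, written as an nftables ruleset for a Linux machine acting as the NAT router. It assumes the WAN interface is eth0, the LAN interface is eth1, IPv4 only, and that IPv4 forwarding is enabled in the kernel; a consumer router's web interface builds the same two pieces (the DNAT rule and the forward-chain exception) behind a form.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: port forwarding (DNAT) on a
# Linux router with nftables. Assumptions: WAN=eth0, LAN=eth1, IPv4 only,
# net.ipv4.ip_forward=1.

WAN=${WAN:-eth0}; LAN=${LAN:-eth1}
TARGET=${TARGET:-192.168.1.50}
PUBLIC_PORT=${PUBLIC_PORT:-443}; TARGET_PORT=${TARGET_PORT:-443}

# Apply with:  forward_ruleset | sudo nft -f -
forward_ruleset() {
  cat <<EOF
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # Rewrite the destination of inbound connections that arrive on the public port.
    iifname "${WAN}" tcp dport ${PUBLIC_PORT} dnat to ${TARGET}:${TARGET_PORT}
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Outbound NAT for LAN hosts. Replies to the forwarded flow are
    # un-translated by conntrack automatically; no rule is needed for them.
    oifname "${WAN}" masquerade
  }
}
table ip filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # DNAT has already happened by the time the forward hook runs, so this
    # matches the internal address and port, and nothing else crosses WAN -> LAN.
    iifname "${WAN}" oifname "${LAN}" ip daddr ${TARGET} tcp dport ${TARGET_PORT} ct state new accept
    iifname "${LAN}" oifname "${WAN}" accept      # LAN hosts may initiate outbound connections
  }
}
EOF
}

# The kernel forwards between interfaces only when this is set
# (persist it under /etc/sysctl.d/):   sysctl -w net.ipv4.ip_forward=1

forward_ruleset
```

The forward chain's default drop is the important half: the DNAT rule alone would rewrite packets that a permissive forward policy then passes, and an attacker probing other internal addresses through the router would also get through. With this ruleset the only new inbound flow that can cross from the WAN side is the one to TARGET:TARGET_PORT.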
Common Port Forwarding Scenarios
- Hosting a web server: Forward ports 80 and 443 to your web server's internal IP
- Gaming servers: Forward the game's specific port (Minecraft uses 25565, Counter-Strike uses 27015)
- Security cameras: Forward the camera's web interface port to allow remote viewing
- Remote desktop: Forward port 3389 (RDP) or 5900 (VNC) to the target computer
- SSH access: Forward port 22 (or a custom port) to allow remote command-line access
Security Considerations for Port Forwarding
Port forwarding exposes internal services to the internet, which introduces security risks. Before forwarding any port, ensure the service behind it is properly secured with strong authentication, up-to-date software, and appropriate access controls. For sensitive services like RDP and VNC, consider using a VPN instead of direct port forwarding.