There are hundreds of ports and services registered with the Internet Assigned Numbers Authority (for the complete list, some 280kb, look here). In practice, fewer than one hundred are in common use.
Services have assigned ports so that a client can find the service easily on a remote host. For example, telnet servers listen at port 23, and SMTP (Simple Mail Transfer Protocol) servers listen at port 25. Client applications, like a telnet program or mail reader, use randomly assigned ports, typically greater than 1023.
Although a particular service may have an assigned port, there is nothing in TCP/IP to prevent most services from listening on another port. A common example of this is HTTP, the protocol used for accessing Web servers. The assigned port for HTTP is port 80, but other ports are relatively common. An intruder who sets up a backdoor may use an assigned port for an unregistered service (like a program that provides a root shell on demand), or the intruder may put a service, like a telnet server, on some port other than port 23. In other words, there is nothing sacred about port numbers; using the assigned ones is simply customary, and it makes things a lot simpler.
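Because a port number is only a convention, a defender auditing their own hosts should identify a service by what it says, not by where it listens. The following is an added example, not code from the original article: it fingerprints the first line a server sends (its banner) and compares the protocol it recognizes with the service assigned to that port, so that a telnet server answering on 2323 or a mail server answering on 8080 is reported as a mismatch. The small port table, the regular expressions and the sample banners are my own constructions, not data from the page.

```python
"""Identify a listening service by its banner rather than by its port number."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assigned ports for a few services named in the text (assumed subset for this example).
ASSIGNED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 110: "pop-3"}

# Protocol fingerprints applied to the first line a server sends.
# Order matters: SMTP and FTP both greet with "220", so the SMTP test runs first.
FINGERPRINTS = [
    ("ssh",    re.compile(rb"^SSH-\d\.\d-")),
    ("smtp",   re.compile(rb"^220[ -].*E?SMTP", re.IGNORECASE)),
    ("ftp",    re.compile(rb"^220[ -].*FTP", re.IGNORECASE)),
    ("pop-3",  re.compile(rb"^\+OK")),
    ("http",   re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC WILL/WONT/DO/DONT option negotiation
]


@dataclass
class Finding:
    port: int
    expected: Optional[str]   # service assigned to this port, if any
    observed: Optional[str]   # service recognized from the banner, if any
    mismatch: bool            # recognized protocol differs from the assigned one


def identify(banner: bytes) -> Optional[str]:
    """Return the protocol name matching the first line of the banner, or None."""
    first_line = banner.split(b"\r\n", 1)[0]
    for name, pattern in FINGERPRINTS:
        if pattern.match(first_line):
            return name
    return None


def check_port(port: int, banner: bytes) -> Finding:
    """Compare what the port should be with what the banner shows it is."""
    expected = ASSIGNED.get(port)
    observed = identify(banner)
    # A mismatch is only meaningful when the protocol was actually recognized;
    # an unrecognized banner is left for manual review rather than flagged.
    mismatch = observed is not None and observed != expected
    return Finding(port, expected, observed, mismatch)


# Constructed sample banners, as they might be captured from an inventory of our own hosts.
SAMPLES: List[Tuple[int, bytes]] = [
    (25,   b"220 mail.example.test ESMTP Sendmail ready\r\n"),  # SMTP where expected
    (8080, b"220 mail.example.test ESMTP Sendmail ready\r\n"),  # SMTP on an unassigned port
    (2323, b"\xff\xfd\x18\xff\xfd\x20"),                        # telnet negotiation, not on 23
    (80,   b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"),           # HTTP where expected
    (443,  b""),                                                # TLS servers say nothing first
]


def audit(samples: List[Tuple[int, bytes]] = SAMPLES) -> List[Finding]:
    return [check_port(port, banner) for port, banner in samples]


if __name__ == "__main__":
    for f in audit():
        flag = "MISMATCH" if f.mismatch else "ok"
        print(f"port {f.port:5d}  assigned={f.expected!s:7} observed={f.observed!s:7} {flag}")
```

The telnet fingerprint relies on the IAC byte (0xff) followed by an option-negotiation command, which a telnet server emits before any human-readable text, so it works even when the login banner has been changed. Anything the fingerprints do not recognize is reported with `observed=None` and no mismatch, which is the honest answer rather than a guess.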
The purpose of this table is to list some of the port addresses associated with popular services, or with services that have often been abused in the past. This list is by no means complete, but it has proven helpful in the past. For example, if you have set up a firewall and are noticing lots of connection attempts to port 113/tcp, you might be worried about an attack. But port 113/tcp is used by mail transport agents (sendmail in particular) in an attempt to identify the name of the user sending email.
Note also that many port addresses appear twice: once for a TCP-based service and again for a different UDP-based one. In the past, the custom was to allocate each type of port independently, so port 514/tcp belongs to the remote shell (rsh) and 514/udp is used by the system logger (syslogd). More recently, ports of both types have been assigned together; for example, ports 135, 138, and 139, both TCP and UDP, are assigned to Microsoft services.
In the list that follows you will find a column labeled "Safe?" No service is inherently safe, but some are much more dangerous than others. In most cases, services marked with a Y are considered useful and are more or less safe. There are certain protocols, such as SMB (ports 138 and 139), that are considered useful but not at all safe to pass through a firewall. Unsafe services are listed with an N.
A few services are listed with a dash. These services can be used more securely by limiting access to particular server addresses only. In the recent past, DNS servers have been attacked to gain root access, and SMTP servers have always been a problem. Wherever practical, put public servers outside of your internal network. For the greatest level of security, permit no incoming connections to servers at all, with the exception of strongly authenticated and encrypted connections (such as SSH).
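The rules just given (block N services, allow dash services only toward designated server addresses, and recognize the 113/tcp ident callbacks that follow outbound mail) can be applied mechanically to firewall logs. The following is an added example, not code from the original article: it encodes a subset of the table below as a lookup, walks a list of connection records in a constructed log format, and assigns each inbound attempt a verdict. The log format, the server addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the log lines are my own constructions.

```python
"""Triage inbound connection attempts against the port table's Safe? ratings."""
import re
from typing import List, Tuple

# Subset of the table: (port, proto) -> (name, Safe? rating). Ratings as given in the text.
PORTS = {
    (23, "tcp"):    ("telnet", "N"),
    (25, "tcp"):    ("smtp", "-"),
    (53, "tcp"):    ("domain", "-"),
    (53, "udp"):    ("domain", "-"),
    (113, "tcp"):   ("auth", "?"),
    (139, "tcp"):   ("nbsess", "N"),
    (514, "udp"):   ("syslog", "N"),
    (27374, "tcp"): ("subseven trojan", "N"),
}

# Hosts permitted to receive dash-rated services from outside (assumed addresses).
SERVERS = {
    (25, "tcp"): {"192.0.2.25"},
    (53, "tcp"): {"192.0.2.53"},
    (53, "udp"): {"192.0.2.53"},
}

# Constructed log format: "<in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(in|out) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return one (verdict, reason) pair per inbound line, in log order.

    Outbound lines produce no verdict, but outbound SMTP sessions are remembered
    so that the peer's ident (113/tcp) callback can be explained rather than flagged.
    """
    smtp_peers = set()
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            results.append(("error", "unparsed: " + line))
            continue
        direction, proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if direction == "out":
            if proto == "tcp" and dport == 25:
                smtp_peers.add(dst)
            continue
        entry = PORTS.get((dport, proto))
        if entry is None:
            results.append(("review", f"{dport}/{proto} not in table"))
            continue
        name, safe = entry
        if safe == "N":
            results.append(("alert", f"{name} ({dport}/{proto}) is unsafe to pass"))
        elif safe == "Y":
            results.append(("ok", f"{name} is generally safe"))
        elif safe == "-":
            # Dash services are acceptable only toward the designated server addresses.
            if dst in SERVERS.get((dport, proto), set()):
                results.append(("ok", f"{name} to designated server {dst}"))
            else:
                results.append(("alert", f"{name} to non-server {dst}"))
        elif name == "auth":
            # The 113/tcp case from the text: the remote MTA asks who is sending it mail.
            if src in smtp_peers:
                results.append(("ok", f"ident from {src}, a mail peer we contacted"))
            else:
                results.append(("review", f"ident from {src} with no matching SMTP session"))
        else:
            results.append(("review", f"{name} rated '{safe}', needs a decision"))
    return results


# Constructed sample log: our mail server sends to 203.0.113.7, which idents back;
# an unrelated host 198.51.100.9 then probes a variety of ports.
LOG = [
    "out tcp 192.0.2.25:34567 -> 203.0.113.7:25",
    "in tcp 203.0.113.7:5233 -> 192.0.2.25:113",
    "in tcp 198.51.100.9:40001 -> 192.0.2.10:113",
    "in tcp 198.51.100.9:40002 -> 192.0.2.25:25",
    "in tcp 198.51.100.9:40003 -> 192.0.2.10:25",
    "in udp 198.51.100.9:53 -> 192.0.2.53:53",
    "in tcp 198.51.100.9:40004 -> 192.0.2.10:139",
    "in tcp 198.51.100.9:40005 -> 192.0.2.10:27374",
    "in tcp 198.51.100.9:40006 -> 192.0.2.10:8080",
]

if __name__ == "__main__":
    for verdict, reason in triage(LOG):
        print(f"{verdict:6s} {reason}")
```

The ident correlation is deliberately one-directional: an inbound 113/tcp from a host we never sent mail to is not an alert, only a review item, because the table rates the port "?" and the text gives a legitimate explanation for most such traffic. Ports absent from the table fall through to review as well, since silence in the table is not a safety rating.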
The Security Statistics site has a search feature and a comprehensive ports list, and includes ports often used by Trojans like SubSeven.
| Port | Name | Proto | Safe? | Description |
|---|---|---|---|---|
| 1 | tcpmux | TCP | N | Connection-oriented portmapper-like service, can start applications, cannot reject selected hosts |
| 7 | echo | TCP/UDP | N | Echo server, returns what is sent |
| 9 | discard | TCP/UDP | Y | A sink, like /dev/null |
| 11 | systat | TCP | N | May be connected to systat, w, or ps |
| 13 | daytime | TCP/UDP | Y | Sends time-of-day (date) |
| 15 | netstat | TCP | N | Similar to systat |
| 19 | chargen | TCP/UDP | N | Random character generator |
| 20 | ftpdata | TCP | N | Data connection from FTP server |
| 21 | ftp | TCP | N | Control connection from FTP client (use SSH) |
| 23 | telnet | TCP | N | Server port for Telnet (use SSH) |
| 25 | smtp | TCP | - | Server port for SMTP (sendmail) |
| 37 | time | TCP/UDP | Y | Time of day in machine readable form |
| 42 | wins | TCP/UDP | N | WINS server often found here (not 1512) |
| 43 | whois | TCP | N | whois server (rs.internic.net) |
| 49 | tacacs | TCP | N | TACACS authentication service |
| 53 | domain | TCP/UDP | - | Domain Name Service, permit only to servers, TCP only for zone transfers; use up-to-date name servers!!! |
| 67 | bootp | UDP | N | Useful for probing networks (NIS name) |
| 69 | tftp | UDP | N | Unauthenticated file transfer |
| 70 | gopher | TCP | - | Safer if controlled using proxy servers |
| 79 | finger | TCP | N | Useful for collecting user names and password cracking information |
| 80 | http | TCP | - | WWW, safer if controlled using proxy servers |
| 87 | link | TCP | N | Like talk, rare, good trap port |
| 88 | kerberos | UDP | - | Used for Kerberos authentication, required if external use of Kerberos, block otherwise (also 749-751) |
| 95 | supdup | TCP | N | Port probed by hackers, good trap port |
| 109 | pop-2 | TCP | - | Used for collecting e-mail from an external server, block if unused |
| 110 | pop-3 | TCP | - | Like pop-2 |
| 111 | sunrpc | TCP/UDP | N | The portmapper, block it |
| 113 | auth | TCP | ? | Identification, RFC 931 and 1413 |
| 119 | nntp | TCP | Y | Safest if permitted only between server and newsfeed |
| 123 | ntp | UDP | - | Network Time Protocol (update your server!) |
| 135 | loc-srv | TCP/UDP | N | NT's RPC service (like portmapper) |
| 137 | nbname | TCP/UDP | N | NetBEUI over TCP/IP name service |
| 138 | nbdgram | UDP | N | NetBEUI over TCP/IP (NB datagram) |
| 139 | nbsess | TCP | N | NetBEUI over TCP/IP (NB session) |
| 143 | imap | TCP | - | Used for collecting e-mail (pop) |
| 144 | NeWs | TCP | N | NeWs windowing system, dangerous |
| 161 | snmp | UDP | N | Useful for probing, reconfiguring network devices; dangerous |
| 162 | snmptrap | UDP | ? | Block, unless you receive SNMP traps from outside your border |
| 177 | xdmcp | UDP | N | Used by X Display Manager for logins |
| 179 | bgp | TCP | Y | Border Gateway Protocol |
| 389 | ad | TCP | N | Win2K Active Directory, only internal use |
| 443 | ssl | TCP | - | Used by SSL for https (secure Web transfer) |
| 445 | LDAP | TCP | N | Directory service, found on Win2k |
| 512 | exec | TCP | N | Used by rexec(), no logging, unsafe |
| 513 | login | TCP | N | Used by rlogin, trust makes it unsafe |
| 514 | shell | TCP | N | Used by rsh, interactive shell without any logging (also rcp) |
| 515 | printer | TCP | N | Used by lpr, but not through firewall |
| 512 | biff | UDP | N | Mail notifier, buggy |
| 513 | who | UDP | N | Remote who, good trap port |
| 514 | syslog | UDP | N | Denial of service attack on your logging system |
| 517 | talk | UDP | N | Sets up TCP connection in random port |
| 518 | ntalk | UDP | N | Like talk |
| 520 | route | UDP | N | Used by routed, don't accept from outside |
| 540 | uucp | TCP | N | Historically unsafe, mostly obsolete |
| 543 | klogind | TCP | N | Kerberos Login port, May 2000 buffer overflow target |
| 993 | i-ssl | TCP | Y | IMAP over SSL |
| 1025 | listen | TCP | N | System V R3 listener, used by UUCP |
| 1028 | unknown | TCP | N | NT inetinfo |
| 1433 | ms-sql | TCP | N | MSDE and SQL Server, w/o patches System login |
| 1723 | PPTPC | TCP | ? | Control channel (DoS) |
| 1725 | PPTP | TCP | ? | Microsoft's tunneling protocol (type 47) |
| 2000+ | openwin | TCP | N | Like X11, block range of ports |
| 4000 | ICQ | UDP | N | Control port, requires a range of TCP ports, but can also use SOCKS 4 or 5 |
| 2049 | nfs | TCP/UDP | N | Default NFS port; very dangerous |
| 2766 | listen | TCP | N | System V R3, like tcpmux, but worse |
| 4144 | CIM | TCP | ? | Compuserve Information Manager |
| 5190 | AOL | TCP | ? | America On Line via TCP |
| 5556 | rwd | TCP | N | HP's remote watch daemon |
| 6000+ | x11 | TCP | N | X11, block range of ports |
| 6667 | IRC | TCP | N | Internet Relay Chat, trapdoor client distributed, CB radio of Internet |
| 7000 | xfont | TCP | N | X Window font server |
| 8002 | rcgi | TCP | N | PERL.NLM on Novell 4.1 Webserver (execute any Perl script on server) |
| 12345 | n/a | TCP | N | Used by NetBus v1 (also 12346) |
| 20123 | n/a | TCP | N | Used by NetBus v2 (also 20124) |
| 27374 | n/a | TCP | N | Used by SubSeven v2 trojan |
| 31337 | n/a | TCP | N | Used by Back Orifice and some other hacker backdoors like socdmini (ElEET) |
This list is provided as is. You may use it at your own risk. If you have additions or corrections to suggest, send me email. Copyright, Rik Farrow, 1995-2001.