IT Skills
May 3, 2026 · 8 min read

Common Network Ports Every IT Professional Should Memorize

What Are Network Ports?

Network ports are virtual endpoints that allow multiple services to share a single IP address. Think of an IP address as a building's street address, and ports as the apartment numbers within that building. When data arrives at a server's IP address, the port number tells the operating system which application should receive that data.

Ports are numbered from 0 to 65535 and divided into three ranges:

  • Well-Known Ports (0-1023): Reserved for standard system services and protocols. These require administrative privileges to use on most operating systems. Examples include HTTP (80), HTTPS (443), and SSH (22).
  • Registered Ports (1024-49151): Assigned by IANA to specific applications and services. These can be used by regular user processes. Examples include MySQL (3306), PostgreSQL (5432), and RDP (3389).
  • Dynamic/Private Ports (49152-65535): Used temporarily by client applications for outgoing connections. When your browser connects to a website, it uses a random port from this range as the source port.

Understanding ports is essential for IT professionals because firewalls, security policies, and network troubleshooting all revolve around port numbers.

Essential Web and Email Ports

These ports handle the majority of internet traffic and are the most commonly encountered in daily IT work:

  • HTTP — Port 80 (TCP): The original web protocol. All unencrypted web traffic uses port 80. Modern best practice is to redirect all port 80 traffic to HTTPS (port 443). If your web server is not responding, checking if it is listening on port 80 is the first troubleshooting step.
  • HTTPS — Port 443 (TCP): Encrypted web traffic using TLS/SSL. This is now the standard for all websites. Browsers show a padlock icon for HTTPS connections. All sensitive data (logins, payments, personal information) must use HTTPS.
  • SMTP — Port 25 (TCP): Simple Mail Transfer Protocol for sending email between mail servers. Port 25 is often blocked by ISPs to prevent spam. For sending email from applications, use port 587 (submission) with authentication.
  • SMTP Submission — Port 587 (TCP): Used by email clients to submit outgoing mail to their mail server. Requires authentication and supports STARTTLS encryption. This is the correct port for configuring email clients.
  • IMAP — Port 143 (TCP) / Port 993 (TCP with SSL): Internet Message Access Protocol for retrieving email. IMAP keeps messages on the server and synchronizes across devices. Port 993 is the encrypted version and should always be preferred.
  • POP3 — Port 110 (TCP) / Port 995 (TCP with SSL): Post Office Protocol for downloading email. POP3 typically downloads and deletes messages from the server. Less common now that IMAP is preferred for multi-device access.

Remote Access and File Transfer Ports

These ports are critical for system administration and file management:

  • SSH — Port 22 (TCP): Secure Shell provides encrypted remote command-line access to servers. Also used for SFTP (SSH File Transfer Protocol) and SCP (Secure Copy). SSH is the standard for managing Linux/Unix servers and network equipment. Always use key-based authentication rather than passwords for production servers.
  • RDP — Port 3389 (TCP/UDP): Remote Desktop Protocol for graphical remote access to Windows machines. RDP should never be exposed directly to the internet without a VPN or gateway due to frequent vulnerability discoveries. Use Network Level Authentication (NLA) and strong passwords.
  • FTP — Port 21 (TCP, control) / Port 20 (TCP, data): File Transfer Protocol for transferring files. FTP is unencrypted and should be avoided for sensitive data. Use SFTP (port 22) or FTPS (port 990) instead. FTP's active/passive modes can cause firewall complications.
  • Telnet — Port 23 (TCP): Unencrypted remote access protocol. Telnet sends everything in plaintext, including passwords. Never use Telnet for production systems — use SSH instead. Still occasionally used for testing TCP connectivity to specific ports (telnet server 80).
  • VNC — Port 5900+ (TCP): Virtual Network Computing for graphical remote access. Port number is typically 5900 + display number. Like RDP, should not be exposed directly to the internet. Use SSH tunneling or VPN for secure access.

Infrastructure and Network Service Ports

These ports support fundamental network operations:

  • DNS — Port 53 (TCP/UDP): Domain Name System queries and responses. UDP is used for standard queries (most traffic), TCP is used for zone transfers and responses larger than 512 bytes. If DNS is not working, nothing else works properly.
  • DHCP — Port 67 (server, UDP) / Port 68 (client, UDP): Dynamic Host Configuration Protocol assigns IP addresses automatically. DHCP uses broadcast, so it only works within the local network segment (or with DHCP relay agents for remote subnets).
  • NTP — Port 123 (UDP): Network Time Protocol synchronizes clocks across devices. Accurate time is critical for authentication protocols, logging, certificates, and many applications. Misconfigured time causes mysterious authentication failures.
  • SNMP — Port 161 (UDP) / Port 162 (UDP, traps): Simple Network Management Protocol for monitoring network devices. SNMP v1 and v2c use community strings (essentially passwords) in plaintext. Always use SNMP v3 with authentication and encryption for production monitoring.
  • LDAP — Port 389 (TCP/UDP) / Port 636 (TCP, LDAPS): Lightweight Directory Access Protocol for directory services like Active Directory. Port 636 provides SSL/TLS encryption. Used for user authentication, group membership queries, and directory lookups.
  • Syslog — Port 514 (UDP) / Port 6514 (TCP with TLS): System logging protocol for centralized log collection. Network devices, servers, and applications send log messages to a central syslog server for monitoring and analysis.

Database and Application Ports

These ports are essential for application development and database administration:

  • MySQL — Port 3306 (TCP): The default port for MySQL and MariaDB database connections. Never expose database ports directly to the internet. Use SSH tunnels, VPNs, or application-level access controls.
  • PostgreSQL — Port 5432 (TCP): Default port for PostgreSQL database connections. Like MySQL, should be firewalled and accessed only from authorized application servers or through secure tunnels.
  • MongoDB — Port 27017 (TCP): Default port for MongoDB. Historically a major security issue when left exposed to the internet without authentication. Always enable authentication and bind to localhost or specific IPs.
  • Redis — Port 6379 (TCP): In-memory data store used for caching and message brokering. By default, Redis has no authentication — always configure a password and bind to specific interfaces in production.
  • HTTP Alternatives — Ports 8080, 8443, 3000, 5000: Common alternative ports for web applications during development or when multiple services run on one server. Port 8080 is the most common alternative HTTP port. Port 8443 is common for alternative HTTPS.
  • Docker — Port 2375 (TCP, unencrypted) / Port 2376 (TCP, TLS): Docker daemon API. Never expose port 2375 — it provides full root access to the host. Use port 2376 with TLS client certificates for remote Docker management.

Security Best Practices for Port Management

Proper port management is fundamental to network security:

Principle of Least Privilege:
  • Only open ports that are actively needed
  • Close all unnecessary ports in your firewall
  • Regularly audit which ports are listening (netstat -tuln or ss -tuln)
  • Remove or disable services you do not use

Firewall Configuration:
  • Default deny: block all incoming traffic, then allow specific ports
  • Restrict source IPs where possible (SSH only from admin network, database only from app servers)
  • Use stateful firewalls that track connection state
  • Log denied connections for security monitoring

Port Scanning Defense:
  • Regular port scans of your own infrastructure (using nmap) to identify unexpected open ports
  • Implement rate limiting to slow down external port scans
  • Use intrusion detection systems (IDS) to alert on scanning activity
  • Consider port knocking for sensitive services like SSH

Service Hardening:
  • Change default ports for sensitive services (move SSH from 22 to a non-standard port)
  • Disable unused protocol versions (disable SSLv3, TLS 1.0, TLS 1.1)
  • Keep services updated to patch known vulnerabilities
  • Use fail2ban or similar tools to block brute-force attempts

Monitoring:
  • Monitor for new listening ports that appear unexpectedly (could indicate compromise)
  • Track connection patterns for anomalies
  • Set up alerts for connections to known malicious ports
  • Maintain a documented list of all authorized open ports and their purposes
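
An added example (not from the original article) of the listening-port audit described above: it parses `ss -tuln` output, compares each listener against a documented list of authorized ports, and flags the database and Docker ports named earlier when they are bound to all interfaces. The sample output, the AUTHORIZED list, and the function names are assumptions made for illustration.

```python
# Constructed `ss -tuln` output (sample data, not from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*
tcp   LISTEN 0      4096   *:2375             *:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    [::1]:8080         [::]:*
"""

# Hypothetical documented list of authorized listeners: (protocol, port).
AUTHORIZED = {("tcp", 22), ("tcp", 443), ("udp", 53), ("tcp", 5432)}
# Ports the article says must never be reachable on every interface.
NEVER_WILDCARD = {2375: "Docker API", 3306: "MySQL", 5432: "PostgreSQL",
                  6379: "Redis", 27017: "MongoDB"}
WILDCARDS = {"0.0.0.0", "*", "::"}


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -tuln`."""
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")    # IPv6 contains ':' too
        addr = addr.split("%")[0].strip("[]")        # drop %iface, brackets
        if port.isdigit():
            yield fields[0], addr, int(port)


def audit(ss_output, authorized=AUTHORIZED):
    """Return sorted findings: (port, proto, address, reason)."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) not in authorized:
            findings.add((port, proto, addr, "not on the authorized list"))
        if port in NEVER_WILDCARD and addr in WILDCARDS:
            findings.add((port, proto, addr,
                          f"{NEVER_WILDCARD[port]} bound to all interfaces"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proto, addr, reason in audit(SAMPLE_SS):
        print(f"{proto}/{port} on {addr}: {reason}")
```

On a real host, pass in the output of `ss -tuln` captured with subprocess.run instead of SAMPLE_SS, and keep AUTHORIZED in version control so changes to it are reviewed.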

Key Takeaways

  1. Ports 0-1023 are well-known ports for standard services; 1024-49151 are registered; 49152-65535 are dynamic.
  2. HTTPS (443), SSH (22), and DNS (53) are the most critical ports to understand for IT professionals.
  3. Never expose database ports (3306, 5432, 27017) or management ports (RDP 3389) directly to the internet.
  4. Default deny firewall policy: block everything, then allow only what is needed.
  5. Regularly audit open ports with netstat/ss and scan your own infrastructure with nmap.
  6. Change default ports, use strong authentication, and keep services updated to minimize attack surface.