Open Port Finding Messages: Typical Services Ingrid A typical service Open Port findings is the most likely service to be running on a specific port number. We use many resources, to determine the typical service running on a port, including the IANA Service Name and Transport Protocol Port Number Registry. GOOD NEUTRAL BAD GOOD Typical service: HTTPS This port is typically used for Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic. Ports: 443 8443 Typical service: IMAPS This port is typically used for Internet Message Access Protocol Secure (IMAPS), which is used for securing IMAP. Port: 993 Typical service: IPSec NAT traversal This port is typically used for IPSec, which is used for securing IP communications. Port: 4500 Typical service: POP3S This port is typically used for Post Office Protocol version 3 secure (POP3S), which is used for securing POP3. Port: 995 Typical service: SMTPS This port is typically used for Simple Mail Transfer Protocol Secure (SMTPS), which is used for securing SMTP. Port: 465 Typical service: SSH This port is typically used for Secure Shell (SSH), which is used for sending and receiving secure communication. Port: 22 Typical service: telnet over TLS/SSL This port is typically used for Telnet over Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which is used for securing Telnet. Port: 992 NEUTRALNeutral-graded records don't impact Security Ratings. In some cases, remediation is provided if it benefits an organization to do so. However, remediating Neutral-graded records will not improve security ratings. Typical service: Active Directory This port is typically used for Active Directory, which is a directory service for Windows domain networks. Port: 445 Typical service: AMQP This port is typically used for the Advanced Messaging Queuing Protocol (AMQP), which is used for sending messages between distributed systems. Port: 5672 Remediation Tips: Configure your AQMP servers to implement AQMP over Transport Layer Security (TLS). Typical service: ASF-RMCP This port is typically used for Alert Standard Format-Remote Management and Control Protocol (ASF-RMCP), which can be used to obtain password hash information. Port: 623 Remediation Tips: Implement ASF Secure RMCP (port 664). Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: BACNet This port is typically used for Building Automation and Control Networks (BACNet), which is a communications protocol for building automation. These devices should not be exposed to the Internet. Port: 47808 Remediation Tips: Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. Typical service: Bandwidth Test This port is typically used for the Bandwidth Test service, which is used to measure packet throughput on certain network routers. Port: 2000 Typical service: Bittorrent Tracker This port is typically used for BitTorrent Tracker, which is used to help BitTorrent clients find each other and share files. File sharing is a known vector for malware to enter otherwise secure systems. Port: 69 Remediation Tips: If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure. Typical service: Bootstrap protocol This port is typically used for the Bootstrap protocol, which is used to automatically assign IP addresses to devices on a network. Port: 67 Typical service: chargen This port is typically used for Chargen, which returns arbitrary characters until the connection is closed. This protocol has known design flaws and is commonly used in Distributed Denial of Service (DDoS) attacks. This protocol should not be exposed to the Internet. Port: 19 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: CouchDB This port is typically used for CouchDB, which is a document-oriented NoSQL database. Port: 5984 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of exposing the database server to the Internet. Typical service: cPanel This port is typically used for cPanel, which is a web hosting control panel. Ports: 2082 2083 Typical service: cPanel Web Host Manager This port is typically used for cPanel, which is a web hosting control panel. Ports: 2086 2087 Typical service: daytime This port is typically used for the Daytime protocol (RFC-867), which returns the current date and time. It can be used for “pingpong” attacks. This protocol should not be exposed to the Internet. If the time is incorrect, it can be exploited by attackers to break secure connections and encryption certificates. The Daytime daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly. Port: 13 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure that all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. Typical service: DHT This port was observed running a Distributed Hash Table (DHT), which is used to help BitTorrent nodes find each other and connect peers for file sharing. Port: 6881 Typical service: Dictionary service This port is typically used for the Dictionary network protocol, which returns dictionary definitions of words. It can be used maliciously for Distributed Denial of Service (DDoS) attacks. Port: 2628 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Typical service: DNS This port is typically used for Domain Name System (DNS), which is necessary for accessing websites. Port: 53 Typical service: echo This port is typically used for the Echo protocol, which measures the round trip times in networks. This protocol should not be exposed to the Internet. It is superseded by the Internet Control Message Protocol (ICMP) and the Ping Software Utility. Port: 7 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: Erlang Port Mapper Daemon This port is typically used for Erlang Port Mapper Daemon, which facilitates communications between Erlang nodes. Port: 4369 Typical service: EtherNet/IP This port is typically used for EtherNet/IP, which in an industrial Ethernet network. It has known vulnerabilities. These devices should not be exposed to the Internet. Port: 44818 Remediation Tips: Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. Typical service: ETL service manager This port is typically used for the Extract, Transform, Load (ETL) Service Manager. Port: 9001 Typical service: Finger protocol This port is typically used for the Finger protocol, which returns status reports about systems or users and can be used to gather information for social engineering attacks. This protocol should not be exposed to the Internet. Port: 79 Remediation Tips: Replace the use of Finger systems with secure, encrypted personnel/employee information systems or databases. Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: Flux-led This port is typically used for Flux LED internet-connected light bulbs. Internet-of-Things (IoT) devices may leak sensitive information such as wireless network passwords or lead to other compromises. Port: 5577 Remediation Tips: Block this port in the company edge network infrastructure. Typical service: FTP This port is typically used for File Transfer Protocol (FTP), which is used to transfer files over a network. Port: 21 Typical service: GPRS Tunneling Protocol This port is typically used for the General Packet Radio Service (GPRS) Tunneling protocol, which is used to carry general packet radio services. Port: 2123 Typical service: HTTP This port is typically used for Hypertext Transfer Protocol (HTTP), which is used for sending and receiving internet traffic. Ports: 80 81 82 8080 Typical service: IBM NJE This port is typically used for IBM Network Job Entry (NJE), which is used to send work to machines over a network. Port: 175 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Typical service: IEC 60870-5-104 This port is typically used for International Electrotechnical Commission (IEC) 60870-5-104, which enables communication between control stations and substations via a Transmission Control Protocol (TCP)/Internet Protocol (IP) network. It can be used maliciously for man-in-the-middle (MITM) attacks. Port: 2404 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: IMAP This port is typically used for Internet Message Access Protocol (IMAP), which is a commonly used mail protocol. Port: 143 Remediation Tips: Configure your mail server software to use STARTTLS for IMAP and Post Office Protocol version 3 (POP3) as defined in RFC-2595. Unencrypted mail activity may also be a sign of malware activity. Consider blocking plain IMAP (port 143) and plain POP (port 110) after the transition to secure IMAP transmission. Typical service: Internet Printing Protocol This port is typically used for the Internet Printing Protocol (IPP), which allows for remote printing. This protocol has known vulnerabilities. Port: 631 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: IRC This port is typically used for Internet Relay Chat (IRC), which is a chat protocol. Port: 6666 Typical service: ISAKMP This port is typically used for Internet Security Association and Key Management Protocol (ISAKMP), which is used for establishing Security Associations and cryptographic keys. Port: 500 Typical service: ISO-TSAP This port is typically used for ISO-Transport Services Access Point (ISO-TSAP), which does not encrypt traffic. This protocol should not be exposed to the Internet. Port: 102 Remediation Tips: Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Alternately, build a communications server that can respond to queries. Typical service: Java RMI This port is typically used for Java Remote Method Invocation (RMI) or a Java RMI Server, which is the equivalent of Remote Procedure Calls (RPC) for the Java language. The default configuration of Java RMI servers allow loading classes from any remote Hypertext Transfer Protocol (HTTP) URL, which is considered insecure. Port: 1099 Remediation Tips: Implement Java RMI over Transport Layer Security (TLS)/Secure Sockets Layer (SSL). Typical service: Kerberos This port is typically used for the Kerberos protocol, which is used for secure authentication. Port: 88 Typical service: LDAP This port is typically used for Lightweight Directory Access Protocol (LDAP), which is used to maintain directory information service and can be used to gather information about a company's network infrastructure. Port: 389 Remediation Tips: Cease use of the unencrypted LDAP protocol. Instead, use LDAP over TLS/SSL (LDAPS). See implementation guides for Microsoft servers and OpenLDAP. Typical service: LDAPS This port is running an Lightweight Directory Access Protocol (LDAP) server. This can be exploited to harvest directory information. Port: 636 Remediation Tips: Block the LDAPS port in the company edge network infrastructure. Typical service: line printer daemon This port is typically used for line printer daemon, which is a protocol for submitting print jobs to remote printers. This service should not be exposed to the Internet. Port: 515 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: memcached This port is typically used for Memcached, which is a memory caching system. It has known security vulnerabilities. Port: 11211 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Typical service: Modbus This port is typically used for Modbus, which is a protocol used for communication between devices on the same network. It does not provide security against unauthorized commands or interception of data. Port: 502 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: MS SSDP This port is typically used for Microsoft Simple Service Discovery Protocol (SSDP), which is a network protocol for the advertisement and discovery of network services and presence information. It can be used maliciously for Distributed Denial of Service (DDoS) attacks. Port: 1900 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Typical service: MS SSDP/UPnP This port was observed running Universal Plug and Play (UPnP), which allows devices on your home network to discover each other and may be vulnerable to certain attacks. Remediation Tips: Ensure UPnP port forwarding is properly configured and is set to “Off.” Typical service: MySQL This port is typically used for MySQL, which is an open source Structured Query Language (SQL) database. It has many known security vulnerabilities. Port: 3306 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: MS SQL Server This port is typically used for Microsoft Structured Query Language (SQL) Server, which has many known vulnerabilities. Port: 1433 & 1434 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Typical service: Mumble VOIP This port is typically used for Mumble, which is an encrypted voice-over-IP (VoIP) application. Port: 64738 Typical service: Munin Graphing Framework This port is typically used for the Munin Graphing framework, which monitors networks and issues alerts. Port: 4949 Typical service: Nessus This port is typically used for Nessus, which is a vulnerability scanner. Port: 8834 Typical service: NetBIOS This port is typically used for Network Basic Input/Output System (NetBIOS), which allows applications on different computers to communicate over a Local Area Network (LAN). It has known security vulnerabilities and is a common attack target. Port: 137 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: netstat This port is typically used for Netstat, which is a deprecated tool used to monitor network performance. Port: 15 Remediation Tips: Block the port in the company edge network infrastructure and uninstall Netstat from the machine in question. Netstat is superseded by ss. Typical service: NDMP This port is typically used for Network Data Management Protocol (NDMP), which transports data between network attached storage devices and backup devices. It does not encrypt traffic. These devices should not be exposed to the Internet. Port: 10000 Remediation Tips: Use a protocol or method of encrypted data transport between devices; such as tunneled Secure Shell (SSH), Virtual Private Network (VPN) connections, or SSH File Transfer Protocol (SFTP). Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Typical service: NNTP This port is typically used for Network News Transfer Protocol (NNTP), which is used to transport Usenet articles and has known vulnerabilities. Port: 119 Remediation Tips: Use Transport Layer Security (TLS) via NNTP over STARTTLS for improved security, as specified in RFC-4642. Typical service: NTP This port is typically used for Network Time Protocol (NTP), which is used for clock synchronization. Port: 123 Typical service: ONC RPC This port is typically used for Open Network Computing (ONC) Remote Procedure Call (RPC), which allows programmers to execute code on remote machines. Port: 111 Remediation Tips: Establish a server on the remote machine that can respond to queries. Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: Oracle SQL web This port is typically used for Oracle Structured Query Language (SQL), which has many known security vulnerabilities. Port: 5560 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Typical service: pcAnywhere This port is typically used for pcAnywhere, which allows a user to connect to another computer over a network connection. It has known vulnerabilities and is no longer supported. Port: 5632 Remediation Tips: Symantec recommends users disable PC Anywhere and use Bomgar as the replacement. Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Typical service: POP This port is typically used for Post Office Protocol (POP), which is a commonly used mail protocol. Port: 110 Typical service: PostgreSQL This port is typically used for PostgreSQL, which is an object-relational database management system. It has known security vulnerabilities. Port: 5432 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Typical service: PPTP This port is typically used for the Point-to-Point Tunneling Protocol (PPTP), which is a method for implementing Virtual Private Networks (VPN). Port: 1723 Typical service: printer PDL This port is typically used for Printer Page Description Language (PDL), which communicates the layout of a page for printing. This service should not be exposed to the Internet. Port: 9100 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Typical service: quote of the day This port is typically used for Quote of the Day, which returns a short message to the user. It can be used for “pingpong” attacks. This protocol should not be exposed to the Internet. Port: 17 Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. Typical service: Redis This port is typically used for Redis, which is a data structure server and should not be accessible from the Internet. Port: 6379 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Typical service: RSYNC This port is typically used for RSYNC, which is software designed to keep copies of files synchronized on the same or across multiple computers. This service should not be exposed to the Internet. Port: 873 Remediation Tips: Use RSYNC with Secure Shell (SSH) or RSYNC through a secure Virtual Private Network (VPN). Block the port in the company edge network infrastructure. Typical service: RTSP This port is typically used for the Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers. Port: 554 Typical service: SCADA This port is typically used for Supervisory Control and Data Acquisition (SCADA) systems and shouldn't be exposed to the Internet. Port: 20000 Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Typical service: SIP This port is typically used for Session Initiation Protocol (SIP), which is a widely-used communication protocol. Port: 5060 Typical service: SMB This port is typically used for Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines. Port: 445 Typical service: SMTP This port is typically used for Simple Mail Transfer Protocol (SMTP), which is a commonly used mail protocol. Port: 25 Typical service: SMTP submission This port is typically used for Simple Mail Transfer Protocol (SMTP) submission, which specifically supports authentication to Mail Transfer Agents (MTA). Port: 587 Typical service: SNMP This port is typically used for Simple Network Management Protocol (SNMP), which is a protocol for managing devices on IP networks. It has known security vulnerabilities. Port: 161 Remediation Tips: Use SNMP over TLS or Datagram TLS, as specified in RFC-5953; implementation is described here. Cease use of the unencrypted SNMP protocol. Detected service: SNMP (Secure V3) A later, secure version of the Simple Network Management Protocol (SNMP) is being used – SNMPv3 – and the response has authPriv and AES encryption. Typical service: SNPP This port is typically used for Simple Network Paging Protocol (SNPP), which allows pagers to receive messages over the Internet. Port: 444 Typical service: systat This port is typically used for Systat, which returns a list of users logged into the system and is typically considered a security vulnerability. Port: 11 Remediation Tips: If its use is not legitimate, block the port in the company edge network infrastructure and block Systat on the machine in question. Typical service: TACACS This port is typically used by a Terminal Access Controller Access-Control System (TACACS), which is used for remote authentication and access control through a central server. Port: 49 Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, consider using a secure Virtual Private Network (VPN) to access local resources. Typical service: telnet This port is typically used for Telnet, a communication protocol that does not encrypt traffic and has known security vulnerabilities. Port: 23 Remediation Tips: Block the port on company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Replace any operational uses of Telnet with Secure Shell (SSH) connections. Typical service: TIME protocol This port is typically used for the Time protocol (RFC-868), which returns the current date and time. This protocol has known security vulnerabilities. If the time is incorrect, it can be exploited by attackers to break secure connections and encryption certificates. The Time daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly. Port: 37 Remediation Tips: Block the port in the company edge network infrastructure and disable the Time protocol on the machine that's attempting to utilize it. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. Typical service: TR-069 CWMP This port is typically used for Technical Report 069 (TR-069) CPE WAN Management Protocol (CWMP), which is a protocol for remote management of end-user devices. Port: 7547 Typical service: UPnP This port is typically used for the Universal Plug-n-Play features (UPnP) protocol, which allows devices to discover each other's presence over a network. It does not implement authentication by default. Port: 5000 Remediation Tips: Disable UPnP access on all network routers and UPnP-enabled switches and hardware. If port forwarding is required, implement it manually. Typical service: Ventrilo This port is typically used for Ventrilo, which is a voice-over-IP (VoIP) and text chat software. Port: 3784 Typical service: VNC This port is typically used for Virtual Network Computing (VNC) system, which is a graphical desktop sharing system. It is not a secure protocol. Ports: 5900 5901 Remediation Tips: Block the port in the company edge network infrastructure. Tunnel any VNC connections through a secure Virtual Private Network (VPN) or Secure Shell (SSH) connection. Typical service: WS-Management This port is typically used for Web Services-Management (WS-Management), which is a Simple Object Access Protocol (SOAP)-based protocol for managing devices and web services. Ports: 5985 5986 Typical service: XMPP This port is typically used for Extensible Messaging and Presence Protocol (XMPP), which is an instant messaging protocol. Port: 5222 ⇪ Back to DirectoryBAD Typical service: MS RDP This port is typically used for the Microsoft Remote Desktop Protocol (MS RDP), which allows a user to connect to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks. Port: 3389 Remediation Tips: Discontinue use of the RDP and use alternative remote access tools via secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. June 13, 2025: Typical service: MS SQL Server includes port 1433. March 20, 2025: Separated Open Port finding messages. Related articles Open Port Finding Messages: Detected Services Finding Behavior Remediation Verification: DKIM Records How is the Open Ports Risk Vector Assessed? TLS/SSL Finding Remediation & Remediation Verification Feedback 0 comments Please sign in to leave a comment.