In Open Port findings, a typical service is the service most likely to be running on a specific port number. We use many resources to determine the typical service running on a port, including the IANA Service Name and Transport Protocol Port Number Registry.
GOOD
- Typical service: HTTPS
-
This port is typically used for Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.
Ports:
443
8443
- Typical service: IMAPS
-
This port is typically used for Internet Message Access Protocol Secure (IMAPS), which is used for securing IMAP.
Port:
993
- Typical service: IPSec NAT traversal
-
This port is typically used for IPSec, which is used for securing IP communications.
Port:
4500
- Typical service: POP3S
-
This port is typically used for Post Office Protocol version 3 secure (POP3S), which is used for securing POP3.
Port:
995
- Typical service: SMTPS
-
This port is typically used for Simple Mail Transfer Protocol Secure (SMTPS), which is used for securing SMTP.
Port:
465
- Typical service: SSH
-
This port is typically used for Secure Shell (SSH), which is used for sending and receiving secure communication.
Port:
22
- Typical service: telnet over TLS/SSL
-
This port is typically used for Telnet over Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which is used for securing Telnet.
Port:
992
NEUTRAL
Neutral-graded records don't impact Security Ratings. In some cases, remediation is provided if it benefits an organization to do so. However, remediating Neutral-graded records will not improve security ratings.
- Typical service: Active Directory
-
This port is typically used for Active Directory, which is a directory service for Windows domain networks.
Port:
445
- Typical service: AMQP
-
This port is typically used for the Advanced Message Queuing Protocol (AMQP), which is used for sending messages between distributed systems.
Port:
5672
Remediation Tips: Configure your AMQP servers to implement AMQP over Transport Layer Security (TLS).
- Typical service: ASF-RMCP
-
This port is typically used for Alert Standard Format-Remote Management and Control Protocol (ASF-RMCP), which can be used to obtain password hash information.
Port:
623
Remediation Tips: Implement ASF Secure RMCP (port 664). Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: BACNet
-
This port is typically used for Building Automation and Control Networks (BACNet), which is a communications protocol for building automation. These devices should not be exposed to the Internet.
Port:
47808
Remediation Tips: Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review.
- Typical service: Bandwidth Test
-
This port is typically used for the Bandwidth Test service, which is used to measure packet throughput on certain network routers.
Port:
2000
- Typical service: Bittorrent Tracker
-
This port is typically used for BitTorrent Tracker, which is used to help BitTorrent clients find each other and share files. File sharing is a known vector for malware to enter otherwise secure systems.
Port:
69
Remediation Tips: If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure.
- Typical service: Bootstrap protocol
-
This port is typically used for the Bootstrap protocol, which is used to automatically assign IP addresses to devices on a network.
Port:
67
- Typical service: chargen
-
This port is typically used for Chargen, which returns arbitrary characters until the connection is closed. This protocol has known design flaws and is commonly used in Distributed Denial of Service (DDoS) attacks. This protocol should not be exposed to the Internet.
Port:
19
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: CouchDB
-
This port is typically used for CouchDB, which is a document-oriented NoSQL database.
Port:
5984
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of exposing the database server to the Internet.
- Typical service: cPanel
-
This port is typically used for cPanel, which is a web hosting control panel.
Ports:
2082
2083
- Typical service: cPanel Web Host Manager
-
This port is typically used for cPanel, which is a web hosting control panel.
Ports:
2086
2087
- Typical service: daytime
-
This port is typically used for the Daytime protocol (RFC-867), which returns the current date and time. It can be used for “pingpong” attacks. This protocol should not be exposed to the Internet. If the time is incorrect, it can be exploited by attackers to break secure connections and encryption certificates. The Daytime daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly.
Port:
13
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure that all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients.
- Typical service: DHT
-
This port was observed running a Distributed Hash Table (DHT), which is used to help BitTorrent nodes find each other and connect peers for file sharing.
Port:
6881
- Typical service: Dictionary service
-
This port is typically used for the Dictionary network protocol, which returns dictionary definitions of words. It can be used maliciously for Distributed Denial of Service (DDoS) attacks.
Port:
2628
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Typical service: DNS
-
This port is typically used for Domain Name System (DNS), which is necessary for accessing websites.
Port:
53
- Typical service: echo
-
This port is typically used for the Echo protocol, which measures the round trip times in networks. This protocol should not be exposed to the Internet. It is superseded by the Internet Control Message Protocol (ICMP) and the Ping Software Utility.
Port:
7
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: Erlang Port Mapper Daemon
-
This port is typically used for Erlang Port Mapper Daemon, which facilitates communications between Erlang nodes.
Port:
4369
- Typical service: EtherNet/IP
-
This port is typically used for EtherNet/IP, which is an industrial Ethernet network protocol. It has known vulnerabilities. These devices should not be exposed to the Internet.
Port:
44818
Remediation Tips: Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review.
- Typical service: ETL service manager
-
This port is typically used for the Extract, Transform, Load (ETL) Service Manager.
Port:
9001
- Typical service: Finger protocol
-
This port is typically used for the Finger protocol, which returns status reports about systems or users and can be used to gather information for social engineering attacks. This protocol should not be exposed to the Internet.
Port:
79
Remediation Tips: Replace the use of Finger systems with secure, encrypted personnel/employee information systems or databases. Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: Flux-led
-
This port is typically used for Flux LED internet-connected light bulbs. Internet-of-Things (IoT) devices may leak sensitive information such as wireless network passwords or lead to other compromises.
Port:
5577
Remediation Tips: Block this port in the company edge network infrastructure.
- Typical service: FTP
-
This port is typically used for File Transfer Protocol (FTP), which is used to transfer files over a network.
Port:
21
- Typical service: GPRS Tunneling Protocol
-
This port is typically used for the General Packet Radio Service (GPRS) Tunneling protocol, which is used to carry general packet radio services.
Port:
2123
- Typical service: HTTP
-
This port is typically used for Hypertext Transfer Protocol (HTTP), which is used for sending and receiving internet traffic.
Ports:
80
81
82
8080
- Typical service: IBM NJE
-
This port is typically used for IBM Network Job Entry (NJE), which is used to send work to machines over a network.
Port:
175
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources.
- Typical service: IEC 60870-5-104
-
This port is typically used for International Electrotechnical Commission (IEC) 60870-5-104, which enables communication between control stations and substations via a Transmission Control Protocol (TCP)/Internet Protocol (IP) network. It can be used maliciously for man-in-the-middle (MITM) attacks.
Port:
2404
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: IMAP
-
This port is typically used for Internet Message Access Protocol (IMAP), which is a commonly used mail protocol.
Port:
143
Remediation Tips: Configure your mail server software to use STARTTLS for IMAP and Post Office Protocol version 3 (POP3) as defined in RFC-2595. Unencrypted mail activity may also be a sign of malware activity. Consider blocking plain IMAP (port 143) and plain POP (port 110) after the transition to secure IMAP transmission.
- Typical service: Internet Printing Protocol
-
This port is typically used for the Internet Printing Protocol (IPP), which allows for remote printing. This protocol has known vulnerabilities.
Port:
631
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: IRC
-
This port is typically used for Internet Relay Chat (IRC), which is a chat protocol.
Port:
6666
- Typical service: ISAKMP
-
This port is typically used for Internet Security Association and Key Management Protocol (ISAKMP), which is used for establishing Security Associations and cryptographic keys.
Port:
500
- Typical service: ISO-TSAP
-
This port is typically used for ISO-Transport Services Access Point (ISO-TSAP), which does not encrypt traffic. This protocol should not be exposed to the Internet.
Port:
102
Remediation Tips: Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Alternately, build a communications server that can respond to queries.
- Typical service: Java RMI
-
This port is typically used for Java Remote Method Invocation (RMI) or a Java RMI Server, which is the equivalent of Remote Procedure Calls (RPC) for the Java language. The default configuration of Java RMI servers allows loading classes from any remote Hypertext Transfer Protocol (HTTP) URL, which is considered insecure.
Port:
1099
Remediation Tips: Implement Java RMI over Transport Layer Security (TLS)/Secure Sockets Layer (SSL).
- Typical service: Kerberos
-
This port is typically used for the Kerberos protocol, which is used for secure authentication.
Port:
88
- Typical service: LDAP
-
This port is typically used for Lightweight Directory Access Protocol (LDAP), which is used to maintain directory information services and can be used to gather information about a company's network infrastructure.
Port:
389
Remediation Tips: Cease use of the unencrypted LDAP protocol. Instead, use LDAP over TLS/SSL (LDAPS). See implementation guides for Microsoft servers and OpenLDAP.
- Typical service: LDAPS
-
This port is running a Lightweight Directory Access Protocol (LDAP) server. This can be exploited to harvest directory information.
Port:
636
Remediation Tips: Block the LDAPS port in the company edge network infrastructure.
- Typical service: line printer daemon
-
This port is typically used for the line printer daemon, which is a protocol for submitting print jobs to remote printers. This service should not be exposed to the Internet.
Port:
515
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: memcached
-
This port is typically used for Memcached, which is a memory caching system. It has known security vulnerabilities.
Port:
11211
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Typical service: Modbus
-
This port is typically used for Modbus, which is a protocol used for communication between devices on the same network. It does not provide security against unauthorized commands or interception of data.
Port:
502
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: MS SSDP
-
This port is typically used for Microsoft Simple Service Discovery Protocol (SSDP), which is a network protocol for the advertisement and discovery of network services and presence information. It can be used maliciously for Distributed Denial of Service (DDoS) attacks.
Port:
1900
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Typical service: MS SSDP/UPnP
-
This port was observed running Universal Plug and Play (UPnP), which allows devices on your home network to discover each other and may be vulnerable to certain attacks.
Remediation Tips: Ensure UPnP port forwarding is properly configured and is set to “Off.”
- Typical service: MySQL
-
This port is typically used for MySQL, which is an open source Structured Query Language (SQL) database. It has many known security vulnerabilities.
Port:
3306
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: MS SQL Server
-
This port is typically used for Microsoft Structured Query Language (SQL) Server, which has many known vulnerabilities.
Port:
1434
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Typical service: Mumble VOIP
-
This port is typically used for Mumble, which is an encrypted voice-over-IP (VoIP) application.
Port:
64738
- Typical service: Munin Graphing Framework
-
This port is typically used for the Munin Graphing framework, which monitors networks and issues alerts.
Port:
4949
- Typical service: Nessus
-
This port is typically used for Nessus, which is a vulnerability scanner.
Port:
8834
- Typical service: NetBIOS
-
This port is typically used for Network Basic Input/Output System (NetBIOS), which allows applications on different computers to communicate over a Local Area Network (LAN). It has known security vulnerabilities and is a common attack target.
Port:
137
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: netstat
-
This port is typically used for Netstat, which is a deprecated tool used to monitor network performance.
Port:
15
Remediation Tips: Block the port in the company edge network infrastructure and uninstall Netstat from the machine in question. Netstat is superseded by ss.
- Typical service: NDMP
-
This port is typically used for Network Data Management Protocol (NDMP), which transports data between network attached storage devices and backup devices. It does not encrypt traffic. These devices should not be exposed to the Internet.
Port:
10000
Remediation Tips: Use a protocol or method of encrypted data transport between devices, such as tunneled Secure Shell (SSH), Virtual Private Network (VPN) connections, or SSH File Transfer Protocol (SFTP). Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Typical service: NNTP
-
This port is typically used for Network News Transfer Protocol (NNTP), which is used to transport Usenet articles and has known vulnerabilities.
Port:
119
Remediation Tips: Use Transport Layer Security (TLS) via NNTP over STARTTLS for improved security, as specified in RFC-4642.
- Typical service: NTP
-
This port is typically used for Network Time Protocol (NTP), which is used for clock synchronization.
Port:
123
- Typical service: ONC RPC
-
This port is typically used for Open Network Computing (ONC) Remote Procedure Call (RPC), which allows programmers to execute code on remote machines.
Port:
111
Remediation Tips: Establish a server on the remote machine that can respond to queries. Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: Oracle SQL web
-
This port is typically used for Oracle Structured Query Language (SQL), which has many known security vulnerabilities.
Port:
5560
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Typical service: pcAnywhere
-
This port is typically used for pcAnywhere, which allows a user to connect to another computer over a network connection. It has known vulnerabilities and is no longer supported.
Port:
5632
Remediation Tips: Symantec recommends users disable pcAnywhere and use Bomgar as the replacement. Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Typical service: POP
-
This port is typically used for Post Office Protocol (POP), which is a commonly used mail protocol.
Port:
110
- Typical service: PostgreSQL
-
This port is typically used for PostgreSQL, which is an object-relational database management system. It has known security vulnerabilities.
Port:
5432
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Typical service: PPTP
-
This port is typically used for the Point-to-Point Tunneling Protocol (PPTP), which is a method for implementing Virtual Private Networks (VPN).
Port:
1723
- Typical service: printer PDL
-
This port is typically used for Printer Page Description Language (PDL), which communicates the layout of a page for printing. This service should not be exposed to the Internet.
Port:
9100
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Typical service: quote of the day
-
This port is typically used for Quote of the Day, which returns a short message to the user. It can be used for “pingpong” attacks. This protocol should not be exposed to the Internet.
Port:
17
Remediation Tips: Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself.
- Typical service: Redis
-
This port is typically used for Redis, which is a data structure server and should not be accessible from the Internet.
Port:
6379
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Typical service: RSYNC
-
This port is typically used for RSYNC, which is software designed to keep copies of files synchronized on the same or across multiple computers. This service should not be exposed to the Internet.
Port:
873
Remediation Tips: Use RSYNC with Secure Shell (SSH) or RSYNC through a secure Virtual Private Network (VPN). Block the port in the company edge network infrastructure.
- Typical service: RTSP
-
This port is typically used for the Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers.
Port:
554
- Typical service: SCADA
-
This port is typically used for Supervisory Control and Data Acquisition (SCADA) systems and shouldn't be exposed to the Internet.
Port:
20000
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Typical service: SIP
-
This port is typically used for Session Initiation Protocol (SIP), which is a widely used communication protocol.
Port:
5060
- Typical service: SMB
-
This port is typically used for Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines.
Port:
445
- Typical service: SMTP
-
This port is typically used for Simple Mail Transfer Protocol (SMTP), which is a commonly used mail protocol.
Port:
25
- Typical service: SMTP submission
-
This port is typically used for Simple Mail Transfer Protocol (SMTP) submission, which specifically supports authentication to Mail Transfer Agents (MTA).
Port:
587
- Typical service: SNMP
-
This port is typically used for Simple Network Management Protocol (SNMP), which is a protocol for managing devices on IP networks. It has known security vulnerabilities.
Port:
161
Remediation Tips: Use SNMP over TLS or Datagram TLS, as specified in RFC-5953; implementation is described here. Cease use of the unencrypted SNMP protocol.
- Detected service: SNMP (Secure V3)
- A later, secure version of the Simple Network Management Protocol (SNMP) is being used – SNMPv3 – and the response has authPriv and AES encryption.
- Typical service: SNPP
-
This port is typically used for Simple Network Paging Protocol (SNPP), which allows pagers to receive messages over the Internet.
Port:
444
- Typical service: systat
-
This port is typically used for Systat, which returns a list of users logged into the system and is typically considered a security vulnerability.
Port:
11
Remediation Tips: If its use is not legitimate, block the port in the company edge network infrastructure and block Systat on the machine in question.
- Typical service: TACACS
-
This port is typically used by a Terminal Access Controller Access-Control System (TACACS), which is used for remote authentication and access control through a central server.
Port:
49
Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, consider using a secure Virtual Private Network (VPN) to access local resources.
- Typical service: telnet
-
This port is typically used for Telnet, a communication protocol that does not encrypt traffic and has known security vulnerabilities.
Port:
23
Remediation Tips: Block the port on company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Replace any operational uses of Telnet with Secure Shell (SSH) connections.
- Typical service: TIME protocol
-
This port is typically used for the Time protocol (RFC-868), which returns the current date and time. This protocol has known security vulnerabilities. If the time is incorrect, it can be exploited by attackers to break secure connections and encryption certificates. The Time daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly.
Port:
37
Remediation Tips: Block the port in the company edge network infrastructure and disable the Time protocol on the machine that's attempting to utilize it. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients.
- Typical service: TR-069 CWMP
-
This port is typically used for Technical Report 069 (TR-069) CPE WAN Management Protocol (CWMP), which is a protocol for remote management of end-user devices.
Port:
7547
- Typical service: UPnP
-
This port is typically used for the Universal Plug and Play (UPnP) protocol, which allows devices to discover each other's presence over a network. It does not implement authentication by default.
Port:
5000
Remediation Tips: Disable UPnP access on all network routers and UPnP-enabled switches and hardware. If port forwarding is required, implement it manually.
- Typical service: Ventrilo
-
This port is typically used for Ventrilo, which is a voice-over-IP (VoIP) and text chat software.
Port:
3784
- Typical service: VNC
-
This port is typically used for the Virtual Network Computing (VNC) system, which is a graphical desktop sharing system. It is not a secure protocol.
Ports:
5900
5901
Remediation Tips: Block the port in the company edge network infrastructure. Tunnel any VNC connections through a secure Virtual Private Network (VPN) or Secure Shell (SSH) connection.
- Typical service: WS-Management
-
This port is typically used for Web Services-Management (WS-Management), which is a Simple Object Access Protocol (SOAP)-based protocol for managing devices and web services.
Ports:
5985
5986
- Typical service: XMPP
-
This port is typically used for Extensible Messaging and Presence Protocol (XMPP), which is an instant messaging protocol.
Port:
5222
BAD
- Typical service: MS RDP
-
This port is typically used for the Microsoft Remote Desktop Protocol (MS RDP), which allows a user to connect to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks.
Port:
3389
Remediation Tips: Discontinue use of RDP and use alternative remote access tools via a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- March 20, 2025: Separated Open Port finding messages.