Port numbers corresponding to common services in Linux

1. Port numbers corresponding to common services

Port: 0

Service: Reserved

Description: Usually used to analyze the operating system. This method works because "0" is an invalid port on some systems, and connecting to it produces different results than connecting to an ordinary closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1

Service: tcpmux

Explanation: This shows that someone is looking for SGI

Port: 7

Service: Echo

Note: When many people search for Fraggle amplifiers, you will see packets sent to X.X.X.0 and X.X.X.255.

Port: 19

Service: Character Generator

Note: This is a service that only sends characters. The UDP version responds to any received UDP packet with a packet containing junk characters. On a TCP connection, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers.

Port: 20 (data port) 21 (control port)

Service: FTP

Description: The port opened by the FTP server, used for uploading and downloading. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have readable and writable directories.

Port: 22

Service: ssh

Note: TCP connections to this port made by pcAnywhere may be looking for ssh. This service has many weaknesses. If it is configured in a specific mode, many versions that use the RSAREF library have many vulnerabilities.

Port: 23

Service: Telnet

Description: Remote login. The intruder is searching for services that allow remote login to UNIX. In most cases, this port is scanned to identify the operating system running on the machine. Using other techniques, the intruder can also find passwords.

Port: 25

Service: SMTP

Description: The port opened by the SMTP server for sending mail. Intruders look for SMTP servers in order to deliver their spam. Their own accounts get closed, so they need to connect to a high-bandwidth e-mail server to deliver simple messages to many different addresses.

Port: 42

Service: WINS Replication

Description: WINS replication

Port: 53

Service: Domain Name Server (DNS)

Note: The port opened by the DNS server. Intruders may be trying to perform a zone transfer (TCP), spoof DNS (UDP), or hide other communications. For this reason, firewalls often filter or log this port.

Port: 67

Service: Bootstrap Protocol Server

Description: Firewalls behind DSL and cable modems often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often break into them, assign an address, and set themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts the configuration request to port 68, and the server broadcasts the response to port 67. The response is broadcast because the client does not yet know an IP address it can be sent to.

DHCP (UDP ports 67 and 68)

Port: 80

Service: HTTP

Description: Used for web browsing. Trojan Executor opens this port.

Port: 88

Description: Kerberos krb5. In addition, TCP port 88 is also used for this purpose.

Port: 110

Service: All ports of Sun's RPC service

Note: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.

Port: 113

Service: Authentication Service

Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. The standard version of this service can be used to obtain information about many computers. It also acts as a logger for many services, especially FTP, POP, IMAP, SMTP and IRC. If many clients access these services through the firewall, you will usually see many connection requests for this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST while blocking TCP connections, which stops the slow connections.

Port: 119

Service: Network News Transfer Protocol

Description: The newsgroup transfer protocol, which carries USENET traffic. Connections to this port usually come from people looking for a USENET server. Most ISPs restrict access to their news servers to their own customers. An open news server allows anyone to post and read messages, access restricted newsgroups, post anonymously, or send spam.

Port: 135

Service: Location Service

Note: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. This is very similar to the function of UNIX port 111. Services that use DCOM and RPC register their location with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find the location of the service. Hackers scan this port to find out whether Exchange Server is running on the computer, and which version. Some DoS attacks target this port directly.

Ports: 137, 138, 139

Service: NETBIOS Name Service

Note: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Connections coming in on port 139 try to obtain NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS Registration also uses it.

Port: 143

Service: Interim Mail Access Protocol v2

Note: As with POP3's security issues, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) spreads through this port, so many scans of this port come from users who are infected without knowing it. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distribution. This port is also used for IMAP2, but that is not popular.

Port: 161

Service: SNMP

Note: SNMP allows remote management of devices. All configuration and operating information is stored in a database that can be read through SNMP. Many administrator misconfigurations leave it exposed to the Internet. Crackers will try the default passwords public and private to access the system, and may try all possible combinations. SNMP packets may also be misdirected to the user's network.

Port: 389

Services: LDAP, ILS

Description: Lightweight Directory Access Protocol and NetMeeting Internet Locator Server share this port.

Port: 443

Service: HTTPS

Description: A web browsing port that provides encryption; another type of HTTP, transmitted over a secure port.

Port: 445

Description: Common Internet File System (CIFS)

Port: 464

Description: Kerberos kpasswd (v5). In addition, TCP port 464 is also used for this purpose.

Port: 500

Description: Internet Key Exchange (IKE)

Port: 513

Service: Login, remote login

Description: Broadcasts from UNIX computers in the subnet that log in using a cable modem or DSL. These people provide information for intruders to enter their systems.

Port: 548

Service: Macintosh, File Services (AFP/IP)

Description: Macintosh, file service.

Port: 553

Service: CORBA IIOP (UDP)

Description: If you use a cable modem, DSL or VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.

Port: 555

Service: DSF

Description: Trojans PhAse1.0, Stealth Spy, IniKiller open this port.

Port: 568

Service: Membership DPA

Description: Membership DPA.

Port: 569

Service: Membership MSN

Description: Membership MSN.

Port: 635

Service: mountd

Description: Linux mountd bug. This is a popular bug among scanners. Most scans of this port are UDP-based, but scans of TCP-based mountd have increased (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which one, you need to do a portmap query on port 111), but the default port on Linux is 635, just as NFS usually runs on port 2049.

Port: 636

Service: LDAP

Description: SSL (Secure Sockets Layer)

Port: 666

Service: Doom Id Software

Description: Trojan Attack FTP, Satanz Backdoor open this port

Port: 993

Service: IMAP

Description: SSL (Secure Sockets Layer)

Port: 1024

Service: Reserved

Explanation: This is where dynamic ports begin. Many programs don't care which port they use to connect to the network; they ask the system to allocate the next free port. Allocation therefore starts at port 1024, which means the first request to the system is assigned port 1024. You can restart the machine, open Telnet, then open a window and run netstat -a; you will see that Telnet is assigned port 1024. SQL sessions also use this port and port 5000.

Port: 1080

Service: SOCKS

Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through a single IP address. In theory, it should only allow internal traffic to reach the Internet. But because of incorrect configuration, it can let attacks from outside the firewall pass through it. This error often occurs in WinGate, and it is often seen when joining an IRC chat room.

Port: 1433

Service: SQL

Description: The port opened by Microsoft's SQL service.

Port: 1492

Service: stone-design-1

Description: Trojan FTP99CMP opens this port.

Port: 1500

Service: RPC client fixed port session queries

Description: RPC client fixed port session query

Port: 1524

Service: ingress

Description: Many attack scripts install a backdoor shell on this port, especially scripts targeting Sendmail and RPC service vulnerabilities on Sun systems. If you see connection attempts on this port right after installing a firewall, this is the likely reason. You can Telnet to this port on the user's computer to see whether it gives you a shell. The same problem exists for connections to 600/pcserver.

Port: 1600

Service: issd

Description: Trojan Shivka-Burka opens this port.

Port: 1645, 1812

Description: Remote Authentication Dial-In User Service (RADIUS) authentication (Routing and Remote Access)

Port: 1646, 1813

Description: RADIUS accounting (Routing and Remote Access)

Port: 1701

Description: Layer Two Tunneling Protocol (L2TP)

Port: 1731

Service: NetMeeting Audio Call Control

Description: NetMeeting audio call control.

Ports: 1801, 3527

Description: Microsoft Message Queue Server. TCP ports 135, 1801, 2101, 2103, and 2105 are also used for the same purpose.

Port: 2049

Service: NFS

Note: NFS programs often run on this port. Usually you need to query the portmapper to find out which port the service is running on.

Port: 2500

Service: RPC client using a fixed port session replication

Description: RPC client using fixed port session replication

Port: 2504

Description: Network Load Balancing

Port: 3128

Service: squid

Description: This is the default port of the squid HTTP proxy server. Attackers scan this port to find a proxy server through which they can access the Internet anonymously. You will also see searches for other proxy servers on ports 8000, 8001, 8080 and 8888. Another reason this port is scanned is that the user is entering a chat room. Other users will also check this port to determine whether the user's machine supports a proxy.

Port: 3333

Service: dec-notes

Description: Trojan Prosiak opens this port

Port: 3389

Service: HyperTerminal

Note: WINDOWS 2000 terminal opens this port.

Port: 4000

Service: QQ client

Note: Tencent QQ client opens this port.

Port: 5632

Service: pcAnywhere

Note: Sometimes you will see a lot of scans of this port, depending on where the user is located. When a user opens pcAnywhere, it automatically scans the LAN's class C network to find possible agents (here "agent" means agent, not proxy). Intruders also look for computers with this service open, so you should check the source address of such scans. Scans that search for pcAnywhere often include UDP packets to port 22.

Port: 6970

Service: RealAudio

Note: RealAudio clients receive audio data streams from UDP ports 6970-7170 on the server. This is set up by the outbound control connection on TCP port 7070.

Port: 8000

Service: OICQ

Note: Tencent QQ server opens this port.

Port: 8010

Service: Wingate

Note: Wingate proxy opens this port.

Port: 8080

Service: proxy port

Note: The WWW proxy opens this port.

Port: 13223

Service: PowWow

Description: PowWow is Tribal Voice's chat program. It allows users to open private chat connections on this port. The program is very aggressive in establishing connections. It camps on this TCP port waiting for a response, which causes connection requests at something like a heartbeat interval. If a dial-up user inherits an IP address from another chatter, it will look as though many different people are probing the port. This protocol uses OPNG as the first 4 bytes of its connection request.

Port: 17027

Service: Conducent

Description: This is an outgoing connection. It occurs because someone inside the company installed shareware that includes the Conducent "adbot". The Conducent "adbot" is a service that displays advertisements for shareware. A popular piece of software that uses this service is Pkware.


Origin blog.csdn.net/Lucien010230/article/details/114961232