Port numbers corresponding to common services in Linux
1. Port numbers corresponding to common services
Port: 0
Service: Reserved
Description: Usually used to fingerprint the operating system. This works because "0" is an invalid port on some systems, and trying to connect to it produces a different result than connecting to an ordinary closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
Port: 1
Service: tcpmux
Explanation: This shows that someone is looking for SGI
Port: 7
Service: Echo
Note: When many people are searching for Fraggle amplifiers, you will see traffic sent to x.x.x.0 and x.x.x.255.
Port: 19
Service: Character Generator
Note: This service does nothing but send characters. The UDP version responds to any UDP packet it receives with a packet containing junk characters. Over TCP, it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers.
Port: 20 (data port) 21 (control port)
Service: FTP
Description: The ports opened by an FTP server for uploading and downloading. Attackers most commonly use them to look for open anonymous FTP servers, which have readable and writable directories.
Port: 22
Service: ssh
Note: TCP connections to this port established by pcAnywhere may be looking for ssh. This service has many weaknesses. When it is configured in a specific mode, many versions that use the RSAREF library have numerous vulnerabilities.
Port: 23
Service: Telnet
Description: Remote login. Intruders search for services that allow remote login to UNIX. In most cases, this port is scanned to identify the operating system running on the machine. With other techniques, the intruder can also find passwords.
Port: 25
Service: SMTP
Description: The port opened by an SMTP server for sending mail. Intruders look for SMTP servers through which to deliver their spam. Because the intruders' own accounts get closed, they need to connect to a high-bandwidth e-mail server to deliver simple messages to many different addresses.
Port: 42
Service: WINS Replication
Description: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Note: The port opened by a DNS server. Intruders may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other communications. Firewalls therefore often filter or log this port.
Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable modems often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often get into them, assign an address, and set themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts the configuration request to port 68, and the server broadcasts the response request to port 67. The response is broadcast because the client does not yet have an IP address to which it could be sent.
DHCP (UDP ports 67 and 68)
Port: 80
Service: HTTP
Description: Used for web browsing. Trojan Executor opens this port.
Port: 88
Description: Kerberos krb5. TCP port 88 is also used for this purpose.
Port: 110
Service: All ports of Sun's RPC service
Note: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.
Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers and identifies the user of a TCP connection. Using this standard service, information about many computers can be obtained. It is also used as a logger by many services, especially FTP, POP, IMAP, SMTP and IRC. If many clients access these services through a firewall, you will usually see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking TCP connections, which stops the slow connection.
Port: 119
Service: Network News Transfer Protocol
Description: The newsgroup transfer protocol, which carries USENET traffic. Connections to this port are usually people looking for a USENET server. Most ISPs restrict access to their news servers to their own customers. An open news server allows anyone to post and read messages, access restricted newsgroup servers, post anonymously, or send spam.
Port: 135
Service: Location Service
Note: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. This is very similar to the function of UNIX port 111. Services that use DCOM and RPC register their location with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find the location of the service. Hackers scan this port to find out whether Exchange Server is running on the computer, and which version. Some DoS attacks also target this port directly.
Ports: 137, 138, 139
Service: NETBIOS Name Service
Note: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Connections coming in on port 139 are attempting to reach NetBIOS/SMB services. This protocol is used for Windows file and printer sharing and for SAMBA. WINS Registration also uses it.
Port: 143
Service: Interim Mail Access Protocol v2
Note: As with POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) spreads through this port, so many scans of this port come from unknowingly infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux release. This port is also used for IMAP2, but that is not common.
Port: 161
Service: SNMP
Note: SNMP allows remote management of devices. All configuration and operational information is stored in a database that can be retrieved through SNMP. Many administrators' misconfigurations leave it exposed to the Internet. Crackers will try the default passwords public and private to access the system, and may try all possible combinations. SNMP packets may also be misdirected to the user's network.
Port: 389
Services: LDAP, ILS
Description: Lightweight Directory Access Protocol and NetMeeting Internet Locator Server share this port.
Port: 443
Service: HTTPS
Description: A web browsing port that provides another type of HTTP, encrypted and transmitted over a secure port.
Port: 445
Description: Common Internet File System (CIFS)
Port: 464
Description: Kerberos kpasswd (v5). TCP port 464 is also used for this purpose.
Port: 500
Description: Internet Key Exchange (IKE)
Port: 513
Service: Login, remote login
Description: Broadcasts from UNIX computers on the subnet that log in using a cable modem or DSL. These people provide information that intruders can use to enter their systems.
Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, file service.
Port: 553
Service: CORBA IIOP (UDP)
Description: With a cable modem, DSL or VLAN you will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.
Port: 555
Service: DSF
Description: Trojans PhAse1.0, Stealth Spy, IniKiller open this port.
Port: 568
Service: Membership DPA
Description: Membership DPA.
Port: 569
Service: Membership MSN
Description: Membership MSN.
Port: 635
Service: mountd
Description: Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which one, you need to do a portmap query on port 111), but the Linux default is port 635, just as NFS usually runs on port 2049.
Port: 636
Service: LDAP
Description: SSL (Secure Sockets Layer)
Port: 666
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.
Port: 993
Service: IMAP
Description: SSL (Secure Sockets Layer)
Port: 1024
Service: Reserved
Explanation: This is where dynamic ports begin. Many programs do not care which port they use to connect to the network; they ask the system to allocate the next free port. Allocation therefore starts at port 1024, which means the first program to request one is assigned port 1024. You can restart the machine, open Telnet, then open another window and run netstat -a. You will see that Telnet has been assigned port 1024. SQL sessions also use this port and port 5000.
Port: 1080
Service: SOCKS
Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through an IP address. In theory, it should only allow internal traffic to reach the Internet. Because of misconfiguration, however, it can allow attacks from outside the firewall to pass through it. This error often occurs in WinGate, and it is often seen when joining an IRC chat room.
Port: 1433
Service: SQL
Description: The port opened by Microsoft's SQL service.
Port: 1492
Service: stone-design-1
Description: Trojan FTP99CMP opens this port.
Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed port session queries
Port: 1524
Service: ingress
Description: Many attack scripts install a backdoor shell on this port, especially scripts targeting Sendmail and RPC service vulnerabilities on Sun systems. If you see connection attempts on this port as soon as the firewall is installed, this is probably the reason. You can Telnet to this port on the user's computer to see whether it gives you a shell. The same problem exists for connections to 600/pcserver.
Port: 1600
Service: issd
Description: Trojan Shivka-Burka opens this port.
Ports: 1645, 1812
Description: Remote Authentication Dial-In User Service (RADIUS) authentication (Routing and Remote Access)
Ports: 1646, 1813
Description: RADIUS accounting (Routing and Remote Access)
Port: 1701
Description: Layer Two Tunneling Protocol (L2TP)
Port: 1731
Service: NetMeeting Audio Call Control
Description: NetMeeting audio call control.
Ports: 1801, 3527
Description: Microsoft Message Queue Server. TCP ports 135, 1801, 2101, 2103 and 2105 are also used for the same purpose.
Port: 2049
Service: NFS
Note: NFS programs often run on this port. Usually you need to query the portmapper to find out which port the service is running on.
Port: 2500
Service: RPC client using a fixed port session replication
Description: RPC clients using fixed port session replication
Port: 2504
Description: Network Load Balancing
Port: 3128
Service: squid
Description: This is the default port of the squid HTTP proxy server. Attackers scan this port to find proxy servers through which they can access the Internet anonymously. You will also see searches for other proxy servers on ports 8000, 8001, 8080 and 8888. Another reason for scans of this port is that the user is entering a chat room. Other users will check this port to determine whether the user's machine supports proxying.
Port: 3333
Service: dec-notes
Description: Trojan Prosiak opens this port
Port: 3389
Service: HyperTerminal
Note: The Windows 2000 terminal opens this port.
Port: 4000
Service: QQ client
Note: Tencent QQ client opens this port.
Port: 5632
Service: pcAnywhere
Note: Sometimes you will see many scans of this port, depending on where the user is located. When a user opens pcAnywhere, it automatically scans the local class C network for possible agents (agent here means agent, not proxy). Intruders also look for computers running this service, so you should check the source address of such scans. Some scans that search for pcAnywhere also include UDP packets to port 22.
Port: 6970
Service: RealAudio
Note: RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the outbound control connection on TCP port 7070.
Port: 8000
Service: OICQ
Note: Tencent QQ server opens this port.
Port: 8010
Service: Wingate
Note: Wingate proxy opens this port.
Port: 8080
Service: proxy port
Note: The WWW proxy opens this port.
Port: 13223
Service: PowWow
Description: PowWow is Tribal Voice's chat program. It allows users to open private chat connections on this port. The program is very aggressive about establishing connections: it camps on this TCP port waiting for a response, producing connection requests at heartbeat-like intervals. If a dial-up user inherits an IP address from another chatter, it will look as though many different people are probing the port. The protocol uses OPNG as the first 4 bytes of its connection request.
Port: 17027
Service: Conducent
Description: This is an outgoing connection, caused by someone inside the company installing shareware that includes the Conducent "adbot". The Conducent "adbot" is a service that displays advertisements for shareware. One popular piece of software that uses this service is Pkware.