Port 1080 (TCP) – SOCKS Proxy

SOCKS proxy — a generic TCP/UDP relay used to tunnel and forward arbitrary traffic.

TCP · Registered · Commonly attacked

Default state

Open on hosts running a SOCKS proxy (Dante, SSH dynamic forwarding, malware implants). Not enabled by default on stock systems.

Common attacks

  • Open-proxy abuse — relaying spam, scanning and attack traffic
  • Anonymization of malicious traffic to hide the true source
  • Credential brute force against authenticated SOCKS proxies
  • Use by malware/C2 for pivoting through compromised hosts

Hardening

  • Never run an open SOCKS proxy — require authentication
  • Bind to localhost/internal interfaces, not 0.0.0.0
  • Restrict allowed destinations and source IPs
  • Block inbound 1080 at the perimeter unless explicitly needed
  • Monitor for unexpected SOCKS listeners — they can indicate compromise

nmap snippet

nmap -p1080 --script socks-open-proxy,socks-auth-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 1080?

Port 1080 is the traditional default for a SOCKS proxy. SOCKS is a general-purpose relay that forwards arbitrary TCP connections (and UDP in SOCKS5) between a client and a destination, without understanding the application protocol. It is used legitimately for SSH dynamic port forwarding (ssh -D), Tor's local proxy, and tools like Dante — but the same versatility makes it attractive to attackers.

Why it matters for security

A SOCKS proxy that accepts connections without authentication is an open proxy: anyone on the internet can route traffic through it. Attackers use open proxies to anonymize their activity, so port scans, spam, brute-force and exploitation attempts appear to come from your IP rather than theirs. An unexpected SOCKS listener on a server is also a common sign that an attacker has planted a pivot/C2 channel through a compromised host.

How it's attacked

Scanners constantly probe 1080 with checks like the nmap socks-open-proxy script to find proxies that relay freely. Once found, the proxy is added to abuse lists and used to launder malicious traffic or pivot deeper into the network. Authenticated proxies are hit with credential brute force. Defenders also watch for rogue 1080 listeners as an indicator of compromise.

Hardening checklist

Never expose an open SOCKS proxy — require strong authentication and bind it to localhost or an internal interface rather than 0.0.0.0. Restrict both the source IPs allowed to connect and the destinations they may reach. Block inbound 1080 at the perimeter unless a specific use case needs it, and monitor hosts for unexpected SOCKS listeners. Use the nmap snippet above to test whether a proxy is open on systems you are authorized to assess.
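To confirm that a proxy you administer really requires authentication, the following added example (not part of the original page) performs the SOCKS5 method negotiation defined in RFC 1928 and reports which method the server selects. The function names and result labels are assumptions made for this illustration, and the sample replies are constructed.

```python
import socket

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes

def build_greeting(methods=(NO_AUTH, USERPASS)):
    """SOCKS5 client greeting: VER=5, NMETHODS, then one byte per method."""
    return bytes([0x05, len(methods), *methods])

def classify_reply(reply):
    """Map the 2-byte method-selection reply (VER, METHOD) to a finding."""
    if len(reply) != 2 or reply[0] != 0x05:
        return "not-socks5"
    if reply[1] == NO_AUTH:
        return "no-auth"        # unauthenticated clients accepted: fix this
    if reply[1] == NO_ACCEPTABLE:
        return "rejected"       # none of the offered methods is allowed
    return "auth-required"      # server insisted on a credentialed method

def negotiate(sock):
    """Send the greeting on a connected socket and classify the answer."""
    sock.sendall(build_greeting())
    reply = b""
    while len(reply) < 2:       # recv may return fewer bytes than asked for
        chunk = sock.recv(2 - len(reply))
        if not chunk:
            break
        reply += chunk
    return classify_reply(reply)

def audit(host, port=1080, timeout=3.0):
    """Check a proxy you administer; 'no-response' covers refused/timeouts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return negotiate(s)
    except OSError:
        return "no-response"

if __name__ == "__main__":
    # Constructed replies, as a server would send them
    for raw in (b"\x05\x00", b"\x05\x02", b"\x05\xff", b"HT"):
        print(raw, "->", classify_reply(raw))
```

The greeting offers both "no authentication" and "username/password", so a server that picks 0x00 accepts unauthenticated clients from the vantage point you tested. Source and destination restrictions are applied separately, so run the check from outside the allowed networks as well as inside.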

Frequently asked questions

What is a SOCKS proxy on port 1080?

SOCKS is a protocol that relays arbitrary TCP (and UDP in SOCKS5) connections through an intermediary. Port 1080 is its traditional default, used for tunneling and traffic forwarding.

Why are open SOCKS proxies dangerous?

An open proxy lets anyone relay traffic through your host, laundering spam, scans and attacks so they appear to originate from you. It can also signal a malware foothold.