Skip to content
PortsDB

Port reference

Port 119 (TCP) – NNTP (Usenet News)

Network News Transfer Protocol that distributes and serves Usenet newsgroup articles.

tcpWell-knownCommonly attacked

Default state

Open on Usenet news servers; cleartext by default unless TLS (NNTPS, port 563) is used.

Common attacks

  • Cleartext credential capture during AUTHINFO login
  • Open relay / unauthorized posting and spam injection
  • Brute-force authentication against subscriber accounts
  • Abuse for distributing pirated or illegal binaries

Hardening

  • Require TLS via NNTPS (port 563) and disable plaintext AUTHINFO
  • Enforce authentication and disable anonymous posting/reading
  • Restrict peering and posting to known, authorized hosts
  • Patch the news server (INN, Diablo) and rate-limit connections

nmap snippet

nmap -p119 --script nntp-ntlm-info,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 119?

Port 119 is the default for NNTP, the Network News Transfer Protocol that powers Usenet. News servers use it to exchange articles with peers and to let clients read and post to newsgroups. Authentication is handled by the AUTHINFO command. The plain protocol on 119 is unencrypted; the TLS variant, NNTPS, runs on port 563.

Why it matters for security

On port 119 everything, including AUTHINFO usernames and passwords, travels in cleartext and can be sniffed on the path. Beyond credential exposure, a poorly configured server can act as an open relay, letting anyone inject posts — spam, or illegal and pirated binaries smuggled through newsgroups. Misconfigured peering can also let untrusted hosts flood your feed.

How it's attacked

Attackers sniff cleartext logins, then reuse harvested credentials. They probe for open posting and relaying to push spam or binaries through the server, and run brute-force against subscriber accounts. Servers that accept anonymous peering or posting are quickly discovered by scanners and conscripted into abuse networks for content distribution.

Hardening checklist

Require TLS by offering NNTPS on port 563 and disabling plaintext AUTHINFO on 119. Enforce authentication, disable anonymous reading and posting, and restrict peering to known, authorized hosts. Keep the news server software (INN, Diablo) patched and rate-limit connections to blunt brute force. The nmap snippet above grabs the banner and any NTLM info exposed on servers you are authorized to test.

Related ports

Port 563Port 25Port 110Port 143

Frequently asked questions

Is NNTP on port 119 encrypted?
No. Plain NNTP on port 119 is cleartext, including AUTHINFO credentials. Use NNTPS on port 563, which wraps NNTP in TLS, to protect logins and traffic.
Why is an NNTP server a security concern?
Open or weakly authenticated news servers get abused as spam relays and for distributing illegal binaries, and cleartext logins expose subscriber credentials to sniffing.