Port 515 (TCP) – LPD

Line Printer Daemon — the legacy LPR/LPD network printing protocol used to queue jobs to print servers.

tcp · Well-known · Commonly attacked

Default state

Open on legacy print servers, Unix print spoolers, and many network printers/MFPs that still expose LPD.

Common attacks

  • Buffer overflows in lpd/spooler implementations (historic pre-auth RCE)
  • Unauthenticated print job submission and queue abuse
  • Print job spoofing, paper/toner exhaustion DoS
  • Information disclosure via queued job data and banners

Hardening

  • Disable LPD where IPP (631) or driverless printing is available
  • Restrict TCP/515 to print servers and known clients via ACLs
  • Patch printer/MFP firmware and spooler software
  • Require authentication / use a hardened print server instead of direct device access
  • Never expose 515 to the internet; segment printers into their own VLAN

nmap snippet

nmap -p515 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 515?

Port 515 is the registered TCP port for the Line Printer Daemon (LPD), the server side of the classic LPR/LPD network printing protocol. Clients connect, submit a control file and a data file, and the daemon queues the job to a printer. It long predates modern printing stacks and is still exposed by Unix print spoolers, legacy print servers, and many network printers and multifunction devices (MFPs).

Why it matters for security

LPD has essentially no authentication and no encryption. Anyone who can reach TCP/515 can typically submit jobs, and historically the protocol's spooler implementations have suffered serious buffer-overflow flaws, some allowing pre-auth remote code execution. Even without code execution, an open LPD is an easy target for nuisance and resource-exhaustion abuse.

How it's attacked

Classic attacks exploit buffer overflows in vulnerable lpd/spooler code for remote code execution. More commonly, attackers abuse the lack of auth to submit unauthenticated or spoofed print jobs, flood queues, and exhaust paper and toner as a DoS. Queued job data and daemon banners can also leak information about the environment.
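
A spool-side audit of the control file mentioned above, as an added example that is not part of the original page: it parses RFC 1179 control-file lines and flags jobs whose client-asserted host differs from the peer the server saw, whose peer is not allowlisted, or that request many copies. The allowlist, threshold, hostnames and sample control files are constructed assumptions, and `peer_name` is assumed to come from the spooler's own connection log.

```python
from dataclasses import dataclass, field

# RFC 1179 control-file commands that ask for a data file to be printed.
PRINT_CMDS = set("cdfglnoprtv")

@dataclass
class LpdJob:
    host: str = ""      # 'H' line: hostname asserted by the client
    user: str = ""      # 'P' line: user name asserted by the client
    name: str = ""      # 'J' line: job name for the banner page
    prints: dict = field(default_factory=dict)  # data file -> print-line count

def parse_control_file(raw: bytes) -> LpdJob:
    """Parse the LF-terminated command lines of an LPD control file."""
    job = LpdJob()
    for line in raw.decode("ascii", "replace").split("\n"):
        if not line:
            continue
        cmd, arg = line[0], line[1:]
        if cmd == "H":
            job.host = arg
        elif cmd == "P":
            job.user = arg
        elif cmd == "J":
            job.name = arg
        elif cmd in PRINT_CMDS:
            # BSD lpr convention: the print line is repeated once per copy.
            job.prints[arg] = job.prints.get(arg, 0) + 1
    return job

def audit(job: LpdJob, peer_name: str, allowed: set, max_copies: int = 5) -> list:
    """Compare client-asserted fields with what the server actually observed."""
    findings = []
    if peer_name.lower() not in allowed:
        findings.append("peer-not-allowlisted")
    if job.host.lower() != peer_name.lower():
        findings.append("claimed-host-mismatch")
    if any(n > max_copies for n in job.prints.values()):
        findings.append("excessive-copies")
    return findings

# Constructed samples (not captured traffic): one ordinary job, one suspicious.
ALLOWED = {"ws-17.example.internal", "printsrv01.example.internal"}
GOOD = (b"Hws-17.example.internal\nPalice\nJreport.txt\n"
        b"fdfA042ws-17.example.internal\nUdfA042ws-17.example.internal\nNreport.txt\n")
BAD = (b"Hprintsrv01.example.internal\nPbob\nJx\n"
       + b"ldfA007printsrv01.example.internal\n" * 40)

if __name__ == "__main__":
    print(audit(parse_control_file(GOOD), "ws-17.example.internal", ALLOWED))
    print(audit(parse_control_file(BAD), "kiosk-3.example.internal", ALLOWED))
```

Because the `H` and `P` lines are written by the client, the audit treats them only as claims and relies on the server-observed peer for the allowlist decision.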

Hardening checklist

Where possible, disable LPD and use IPP over TLS (port 631) or driverless printing instead. Restrict TCP/515 to print servers and known clients with ACLs, and put printers in a dedicated VLAN. Patch printer firmware and spooler software, require authentication through a hardened print server, and never expose 515 to the internet. The nmap banner script above fingerprints the listener on hosts you are authorized to test.

Frequently asked questions

Is LPD on port 515 still secure to use?
LPD has no real authentication or encryption and a history of buffer-overflow CVEs. Prefer IPP over TLS (631) and restrict 515 to internal print servers only.

Why does my printer have port 515 open?
Many printers and MFPs still expose LPD for compatibility with legacy LPR clients. If unused, disable it and keep firmware patched to avoid print-job abuse and overflows.