Port reference

Port 79 (TCP) – Finger

Legacy protocol that returns information about users and their login status on a host.

TCP | Well-known | Commonly attacked

Default state

Disabled on modern systems but still found on legacy Unix and some appliances.

Common attacks

  • Username enumeration for follow-on brute force
  • Information leakage of login times, home directories, and idle status
  • Reconnaissance of valid accounts before targeted attacks

Hardening

  • Disable the finger daemon (fingerd) entirely
  • Block inbound TCP port 79 at the perimeter firewall
  • Remove legacy account-disclosure services from hosts
  • If a directory is needed, use an authenticated modern alternative

nmap snippet

nmap -p79 --script finger <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 79?

Port 79 is the default for Finger (RFC 1288), a 1970s-era service that returns information about users on a host. A simple query can reveal a user's real name, home directory, login time, idle time, and whether they are currently logged in. It was meant as a convenience for finding colleagues on shared Unix systems. Today it is disabled by default, but legacy hosts and some appliances still run a fingerd.

Why it matters for security

Finger provides unauthenticated information disclosure. The data it hands out — especially valid usernames and login activity — is exactly what an attacker needs for the reconnaissance phase. Knowing which accounts exist and when they are active sharpens password guessing, social engineering, and targeted phishing. It is a textbook example of a legacy service that leaks more than it helps.

How it's attacked

Attackers query finger to enumerate valid accounts and harvest login patterns, then feed that list into brute-force and password-spraying attacks against SSH, mail, or VPN services. Empty or wildcard queries on some implementations dump the full user list at once. The reconnaissance value is high and the effort is trivial, which is why scanners still probe port 79.

Hardening checklist

Disable fingerd and remove the service from inetd/xinetd. Block inbound TCP port 79 at the perimeter so external scanners cannot enumerate your users. If you genuinely need a user directory, use an authenticated modern alternative rather than an open cleartext service. The nmap snippet above shows what a finger query reveals on hosts you are authorized to test.
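One way to verify the first checklist item on a host, as an added example rather than code from the original page: the functions below report whether finger is still enabled in an inetd.conf-style file or an xinetd.d-style directory. The function names and the sample configuration are constructed for illustration; on a real system the usual locations are /etc/inetd.conf and /etc/xinetd.d.

```shell
#!/bin/sh
# Added example: audit inetd/xinetd configuration for an enabled finger service.
# Function names are illustrative; paths are passed in as arguments.

# Succeeds (exit 0) if an uncommented inetd.conf entry names the finger service.
finger_in_inetd() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ { next }                     # commented-out entry: disabled
        { svc = $1; sub(/^.*:/, "", svc) }      # strip optional "address:" prefix
        svc == "finger" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if any file in an xinetd.d directory has a "service finger" block
# that is not switched off with "disable = yes".
finger_in_xinetd() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }
            $1 == "service" { in_finger = ($2 == "finger"); disabled = 0 }
            in_finger && /^[ \t]*disable[ \t]*=[ \t]*yes/ { disabled = 1 }
            in_finger && /}/ { if (!disabled) found = 1; in_finger = 0 }
            END { exit !found }
        ' "$f" && return 0
    done
    return 1
}

# Constructed sample configuration (not taken from a real host).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/xinetd.d"
printf '%s\n' \
    '#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' \
    'finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' \
    > "$demo_dir/inetd.conf"
printf '%s\n' 'service finger' '{' '    disable = yes' \
    '    server = /usr/sbin/in.fingerd' '}' > "$demo_dir/xinetd.d/finger"

finger_in_inetd  "$demo_dir/inetd.conf" && echo "inetd: finger ENABLED"
finger_in_xinetd "$demo_dir/xinetd.d"   || echo "xinetd: finger disabled"
rm -rf "$demo_dir"
```

A configuration that looks clean does not prove nothing is listening, so pair this with a check for a listener on TCP 79.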

Frequently asked questions

What does the Finger protocol expose?
Finger returns details about users on a host — usernames, real names, home directories, login times, and idle status — all in cleartext and without authentication.

Why is port 79 a security risk?
It hands attackers a list of valid usernames and login patterns, which feeds password guessing and social engineering. It has no place on internet-facing systems.