Port reference

Port 9418 (TCP) – Git protocol

The native Git transport (git://) served by git daemon — fast, unauthenticated, and unencrypted.

Tags: TCP, registered port, commonly attacked

Default state

Open only where git daemon is explicitly run. Not enabled by default; sometimes left exposed on dev/CI servers.

Common attacks

  • Anonymous cloning / source code theft from exposed repositories
  • Eavesdropping on cleartext repo data (no encryption or integrity)
  • Unintended exposure of private repos via export-all / loose config
  • Repository enumeration and information disclosure

Hardening

  • Disable git daemon; serve repos over SSH (22) or HTTPS instead
  • Never enable receive-pack (anonymous push) on a public daemon
  • Use export controls (no export-all) and explicit per-repo allowlists
  • Firewall TCP/9418; never expose it to the internet
  • Keep Git patched against transport/parsing CVEs

nmap snippet

nmap -p9418 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 9418?

Port 9418 is the registered TCP port for the native Git protocol (git://), served by git daemon. It is the fast, lightweight transport Git can use to clone and fetch repositories, distinct from Git-over-SSH (port 22) and Git-over-HTTPS (443). It is not enabled by default and must be started deliberately, typically on development, mirror, or CI servers.

Why it matters for security

The Git protocol has no authentication and no encryption. Any client that can reach the daemon can clone the repositories it serves, and all traffic — including the repository contents — travels in cleartext. There is no client identity, no integrity protection, and no confidentiality, so an exposed git daemon is effectively an anonymous, read-everything endpoint for whatever it shares.

How it's attacked

The main risk is source code theft: attackers clone exposed repos anonymously, or eavesdrop on the cleartext transfer. Loose configuration — export-all or overly broad allowlists — can leak private repositories that were never meant to be public. If receive-pack (anonymous push) is enabled, attackers can write to repos. Enumeration discloses repo names and structure.

Hardening checklist

The simplest hardening is not to run git daemon at all and to serve repositories over SSH or HTTPS with authentication. If you must run it, never enable receive-pack publicly, use strict per-repo export controls (no export-all), and firewall TCP/9418 to trusted networks — never the internet. Keep Git patched against transport and parsing CVEs. The nmap banner script above fingerprints the daemon on hosts you are authorized to test.
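As an added example (not part of the original page or of Git itself), a small POSIX shell audit helper for the checklist above: it flags the risky flags git daemon documents (--export-all, --enable=receive-pack, listening on all interfaces) and lists which repositories under a base path would actually be served without --export-all, i.e. those carrying the git-daemon-export-ok marker file. The demo repositories and command line are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not part of Git or this page).
# Two checks a defender wants before exposing git daemon:
#   1) are risky flags present on the daemon command line?
#   2) which repos under the base path are opted in via git-daemon-export-ok?

# Print one finding per line for the given git daemon arguments; no output = clean.
audit_git_daemon_args() {
  for arg in "$@"; do
    case "$arg" in
      --export-all)
        echo "RISK: --export-all serves every repository under the base path" ;;
      --enable=receive-pack)
        echo "RISK: --enable=receive-pack allows anonymous push" ;;
      --listen=0.0.0.0|--listen=::)
        echo "WARN: daemon listens on all interfaces; firewall TCP/9418" ;;
    esac
  done
}

# List repositories under $1 that git daemon would export WITHOUT --export-all:
# only directories containing the git-daemon-export-ok marker file.
list_exported_repos() {
  find "$1" -name git-daemon-export-ok -type f 2>/dev/null \
    | sed 's#/git-daemon-export-ok$##' | sort
}

# Number of exported repositories under $1 (0 when none are opted in).
count_exported_repos() {
  list_exported_repos "$1" | grep -c .
}

# Constructed demo: two bare repos, only public.git opted in.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/public.git" "$tmp/private.git"
  touch "$tmp/public.git/git-daemon-export-ok"
  echo "== flag findings =="
  audit_git_daemon_args --base-path="$tmp" --export-all --enable=receive-pack
  echo "== repos exported without --export-all =="
  list_exported_repos "$tmp"
  rm -rf "$tmp"
}
```

Run `demo` to see both checks on the constructed repositories; in practice point `list_exported_repos` at your real --base-path and feed `audit_git_daemon_args` the arguments from your service unit.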

Frequently asked questions

Is the git:// protocol on port 9418 secure?
No. The Git protocol is unauthenticated and unencrypted — anyone who can reach 9418 can read the served repositories, and the traffic travels in cleartext. Use SSH or HTTPS for any non-public or write access.
Should I expose port 9418 on the internet?
No. An exposed git daemon can leak source code and, if receive-pack is enabled, accept anonymous pushes. Disable it or restrict it to trusted networks and use authenticated SSH/HTTPS instead.