Port categories

Ports for remote shells, desktops and out-of-band management — SSH, RDP, VNC, WinRM and more. The most aggressively brute-forced surface on the internet.

Default ports for SQL and NoSQL databases — MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch and more. Never expose these to the internet.

HTTP, HTTPS and the alternate ports web apps, proxies and admin panels listen on — 80, 443, 8080, 8443 and friends.

The ports email uses to send and receive — SMTP, submission, IMAP, POP3 and their TLS variants. Which to use, and which to lock down.

Ports for moving and sharing files — FTP, FTPS, TFTP, SMB, NFS, AFP, rsync and network printing.

The ports a domain controller and directory services listen on — Kerberos, LDAP, SMB, RPC, Global Catalog, WinRM and RADIUS.

DNS, encrypted DNS and the core network/infrastructure protocols — resolution, time, routing, logging and discovery.

Message brokers and IoT protocols — MQTT, AMQP, NATS, Kafka, ActiveMQ, CoAP and coordination services.

Industrial control and operational-technology protocols — Modbus, S7comm, DNP3, BACnet, EtherNet/IP and IPMI. Mostly unauthenticated by design.

Proxies, tunnels and VPNs — SOCKS, Squid, Shadowsocks, Tor, OpenVPN, IKE/IPsec, L2TP and PPTP.

Voice, video, streaming and game-server ports — SIP, RTP, RTSP, H.323 and popular media/game services.

Ports tied to trojans, backdoors and C2 frameworks. An open one is a strong signal to investigate a host for compromise.