Port & Service Database
netbobr includes a database of 217 port/service definitions with risk levels and advisory text. These are used for service name autocomplete, port risk scoring, and rule evaluation.
Risk comes from the service configuration, authentication posture, encryption state, and exposure scope - not the port number itself.
Critical Risk Services
| Port | Protocol | Service | Advisory |
|---|---|---|---|
| 23 | TCP | Telnet | Transmits all data including credentials in plaintext. Replace with SSH. |
| 102 | TCP | S7comm (Siemens S7) | Industrial control protocol with no authentication. Must be isolated. |
| 179 | TCP | BGP | Route hijacking can redirect or blackhole traffic. Restrict to peers. |
| 502 | TCP | Modbus | No authentication or encryption. Critical OT protocol requiring strict isolation. |
| 512 | TCP | rexec | Trust-based remote execution with plaintext credentials. Replace with SSH. |
| 513 | TCP | rlogin | Trust-based remote login with no encryption. Replace with SSH. |
| 514 | TCP | rsh | Trust-based remote shell with no authentication. Replace with SSH. |
| 623 | UDP | IPMI/BMC | Hardware-level control with known vulnerabilities. Isolate to management network. |
| 2375 | TCP | Docker (unencrypted) | Unauthenticated container control. Equivalent to root access on the host. |
| 2379 | TCP | etcd client | Kubernetes secrets store. Unauthorized access exposes all cluster secrets. |
| 2380 | TCP | etcd peer | Cluster consensus protocol. Compromise allows data manipulation. |
| 4505 | TCP | SaltStack Publisher | Configuration management control channel. Compromise controls all minions. |
| 4506 | TCP | SaltStack Request | Configuration management return channel. Exposes managed infrastructure. |
| 6379 | TCP | Redis | Default config has no authentication. Often contains session data and caches. |
| 6443 | TCP | Kubernetes API | Full cluster control. Compromise allows container deployment and secret access. |
| 8200 | TCP | HashiCorp Vault | Secrets management system. Unauthorized access exposes all stored secrets. |
| 9200 | TCP | Elasticsearch HTTP | Often contains sensitive indexed data. Default has no authentication. |
| 9300 | TCP | Elasticsearch Cluster | Internal cluster protocol. Exposure allows data extraction and manipulation. |
| 10250 | TCP | Kubelet | Node-level container control. Can execute commands in any pod on the node. |
| 11211 | TCP/UDP | Memcached | No authentication by design. Can be abused for DDoS amplification. |
| 27017 | TCP | MongoDB | Default config has no authentication. Often contains production data. |
| 27019 | TCP | MongoDB Config Server | Sharded cluster metadata. Compromise affects entire cluster routing. |
| 44818 | TCP | EtherNet/IP (CIP) | Industrial control protocol. No authentication, direct process manipulation. |
High Risk Services
| Port | Protocol | Service |
|---|---|---|
| 20 | TCP | FTP Data |
| 21 | TCP | FTP |
| 42 | TCP/UDP | WINS |
| 49 | TCP | TACACS+ |
| 69 | UDP | TFTP |
| 79 | TCP | Finger |
| 111 | TCP/UDP | RPCbind |
| 135 | TCP | RPC/DCOM |
| 137 | UDP | NetBIOS-NS |
| 138 | UDP | NetBIOS-DGM |
| 139 | TCP | NetBIOS-SSN |
| 161 | UDP | SNMP |
| 162 | UDP | SNMP Trap |
| 199 | TCP | SNMP Mux |
| 389 | TCP | LDAP |
| 445 | TCP | SMB |
| 520 | UDP | RIP |
| 523 | TCP | IBM DB2 |
| 540 | TCP | UUCP |
| 593 | TCP | HTTP RPC |
| 749 | TCP | Kerberos Admin |
| 873 | TCP | Rsync |
| 902 | TCP | VMware ESXi |
| 1080 | TCP | SOCKS |
| 1099 | TCP | Java RMI |
| 1433 | TCP | MSSQL |
| 1434 | UDP | MSSQL Browser |
| 1521 | TCP | Oracle |
| 1723 | TCP | PPTP |
| 1812 | UDP | RADIUS Auth |
| 1883 | TCP | MQTT |
| 2049 | TCP/UDP | NFS |
| 2082 | TCP | cPanel HTTP |
| 2086 | TCP | WHM HTTP |
| 2376 | TCP | Docker TLS |
| 3268 | TCP | LDAP GC |
| 3283 | TCP | Apple Remote Desktop |
| 3306 | TCP | MySQL |
| 3389 | TCP | RDP |
| 4243 | TCP | Docker alt |
| 4369 | TCP | Erlang EPMD |
| 4646 | TCP | Nomad |
| 5000 | TCP | Docker Registry |
| 5355 | UDP | LLMNR |
| 5432 | TCP | PostgreSQL |
| 5555 | TCP | Android ADB |
| 5601 | TCP | Kibana |
| 5800 | TCP | VNC HTTP |
| 5900 | TCP | VNC |
| 5984 | TCP | CouchDB |
| 5985 | TCP | WinRM HTTP |
| 7000 | TCP | Cassandra |
| 7001 | TCP | WebLogic |
| 7002 | TCP | WebLogic SSL |
| 7474 | TCP | Neo4j HTTP |
| 7687 | TCP | Neo4j Bolt |
| 8006 | TCP | Proxmox |
| 8009 | TCP | Apache AJP |
| 8042 | TCP | YARN |
| 8086 | TCP | InfluxDB |
| 8123 | TCP | ClickHouse |
| 8161 | TCP | ActiveMQ |
| 8291 | TCP | MikroTik |
| 8529 | TCP | ArangoDB |
| 8834 | TCP | Nessus |
| 8888 | TCP | Jupyter |
| 9042 | TCP | Cassandra CQL |
| 9043 | TCP | WebSphere SSL |
| 9060 | TCP | WebSphere Admin |
| 9090 | TCP | Prometheus |
| 9092 | TCP | Kafka |
| 9160 | TCP | Cassandra Thrift |
| 10000 | TCP | Webmin |
| 15672 | TCP | RabbitMQ Mgmt |
| 16379 | TCP | Redis Sentinel |
| 25672 | TCP | RabbitMQ Cluster |
| 26257 | TCP | CockroachDB |
| 27018 | TCP | MongoDB shard |
| 28015 | TCP | RethinkDB |
| 28017 | TCP | MongoDB HTTP |
| 47808 | UDP | BACnet |
| 50000 | TCP | Jenkins/SAP |
| 50070 | TCP | HDFS NameNode |
Medium Risk Services
| Port | Protocol | Service |
|---|---|---|
| 11 | TCP | Systat |
| 19 | UDP | Chargen |
| 22 | TCP | SSH |
| 25 | TCP | SMTP |
| 53 | TCP/UDP | DNS |
| 67 | UDP | DHCP Server |
| 70 | TCP | Gopher |
| 80 | TCP | HTTP |
| 88 | TCP/UDP | Kerberos |
| 110 | TCP | POP3 |
| 113 | TCP | Ident |
| 119 | TCP | NNTP |
| 123 | UDP | NTP |
| 143 | TCP | IMAP |
| 194 | TCP | IRC |
| 220 | TCP | IMAP3 |
| 427 | TCP/UDP | SLP |
| 464 | TCP/UDP | Kpasswd |
| 500 | UDP | IKE |
| 514 | UDP | Syslog |
| 515 | TCP | LPD |
| 548 | TCP | AFP |
| 554 | TCP | RTSP |
| 631 | TCP | CUPS |
| 636 | TCP | LDAPS |
| 992 | TCP | Telnets |
| 1080 | TCP | SOCKS |
| 1194 | UDP | OpenVPN |
| 1234 | TCP | - |
| 1701 | UDP | L2TP |
| 1813 | UDP | RADIUS Acct |
| 1935 | TCP | RTMP |
| 2083 | TCP | cPanel HTTPS |
| 2087 | TCP | WHM HTTPS |
| 2222 | TCP | SSH alt |
| 3000 | TCP | Grafana |
| 3128 | TCP | Squid |
| 3269 | TCP | LDAPS GC |
| 3478 | UDP | STUN/TURN |
| 3690 | TCP | SVN |
| 4040 | TCP | Spark UI |
| 4443 | TCP | - |
| 4444 | TCP | - |
| 4500 | UDP | IPsec NAT-T |
| 4848 | TCP | GlassFish |
| 5044 | TCP | Beats |
| 5060 | TCP/UDP | SIP |
| 5222 | TCP | XMPP Client |
| 5269 | TCP | XMPP Server |
| 5353 | UDP | mDNS |
| 5666 | TCP | NRPE |
| 5672 | TCP | AMQP |
| 5938 | TCP | TeamViewer |
| 5986 | TCP | WinRM HTTPS |
| 6660-6669 | TCP | IRC alt |
| 8000 | TCP | HTTP-alt |
| 8008 | TCP | HTTP-alt |
| 8080 | TCP | HTTP-alt |
| 8081 | TCP | HTTP-alt |
| 8082 | TCP | HTTP-alt |
| 8083 | TCP | HTTP-alt |
| 8088 | TCP | HTTP-alt |
| 8181 | TCP | HTTP-alt |
| 8444 | TCP | HTTPS-alt |
| 8554 | TCP | RTSP alt |
| 8649 | TCP | Ganglia |
| 8761 | TCP | Eureka |
| 8880 | TCP | HTTP-alt |
| 9000 | TCP | HTTP-alt |
| 9100 | TCP | JetDirect |
| 9418 | TCP | Git |
| 9443 | TCP | HTTPS-alt |
| 9600 | TCP | Logstash |
| 9999 | TCP | HTTP-alt |
| 31337 | TCP | - |
| 32400 | TCP | Plex |
Low Risk Services
| Port | Protocol | Service |
|---|---|---|
| 7 | TCP/UDP | Echo |
| 9 | TCP/UDP | Discard |
| 13 | TCP | Daytime |
| 17 | TCP | QOTD |
| 37 | TCP/UDP | Time |
| 43 | TCP | WHOIS |
| 68 | UDP | DHCP Client |
| 443 | TCP | HTTPS |
| 465 | TCP | SMTPS |
| 563 | TCP | NNTPS |
| 587 | TCP | SMTP Submission |
| 853 | TCP | DNS over TLS |
| 989 | TCP | FTPS Data |
| 990 | TCP | FTPS Control |
| 993 | TCP | IMAPS |
| 995 | TCP | POP3S |
| 5061 | TCP | SIP/TLS |
| 5671 | TCP | AMQP/TLS |
| 6514 | TCP | Syslog/TLS |
| 6697 | TCP | IRC/TLS |
| 8443 | TCP | HTTPS-alt |
| 8883 | TCP | MQTT/TLS |
| 25565 | TCP | Minecraft |
| 8333 | TCP | Bitcoin |
| 51820 | UDP | WireGuard |