Does the mere mention of a major security audit or "heavy protection period" trigger anxiety? Unsure which ports to close or how to harden file uploads on your web applications? Don't panic. We've compiled a centralized summary of high-risk ports and forbidden file-upload extensions that you can work through before the auditors arrive.
I. Critical High-Risk Port Checklist
Core principle: attack surface reduction. If a service is not essential, shut it down; if it is essential, bind it to a private interface or restrict it by source address.
Most modern firewalls ship with a "default deny" (reject all) baseline, but many administrators add an "any-to-any" permit rule at the top just to save time. Because rules are matched first-hit, that single rule silently cancels the baseline and every rule beneath it.
As an engineer who recently entered the field, I’ve seen this “shortcut” far too often.
Let's be clear: open policies feel convenient now, but they lead to forensic nightmares later. Don't wait for a breach to regret the choice. We strongly recommend auditing the following ports immediately and closing them to public access; where a service must stay reachable, restrict it to management networks or a VPN rather than exposing it to the Internet.
1.1 Remote Access Ports
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH |
| 23 | TCP | TELNET |
| 3389 | TCP | RDP |
| 5900-5904 | TCP | VNC |
1.2 Database Ports
1.2.1 Relational Databases (RDBMS)
| Port | Protocol | Purpose |
|---|---|---|
| 1433 | TCP | Microsoft SQL |
| 1521 | TCP | Oracle DB |
| 3306 | TCP | MySQL/MariaDB |
| 5432 | TCP | PostgreSQL |
| 50000 | TCP | IBM DB2 |
| 5236 | TCP | Dameng (DM) |
| 54321 | TCP | Kingbase |
| 5866 | TCP | HighGo |
| 30100 | TCP | GaussDB |
| 2881-2882/2886 | TCP | OceanBase |
1.2.2 NoSQL Databases
| Port | Protocol | Purpose |
|---|---|---|
| 6379 | TCP | Redis |
| 27017/27018 | TCP | MongoDB |
| 9042 | TCP | Cassandra |
| 9200 | TCP | Elasticsearch |
| 5984 | TCP | CouchDB |
| 16000 | TCP | HBase |
| 8091 | TCP | Couchbase |
| 8086 | TCP | InfluxDB |
| 9042 | TCP | ScyllaDB |
1.2.3 Graph & Vector Databases
| Port | Protocol | Purpose |
|---|---|---|
| 7687 | TCP | Neo4j |
| 8529 | TCP | ArangoDB |
| 14240 | TCP | TigerGraph |
| 8080 | TCP | DGraph |
1.2.4 Database Management Tools
| Port | Protocol | Purpose |
|---|---|---|
| 80/443 | TCP | phpMyAdmin |
| 80/443 | TCP | pgAdmin |
| 80/443 | TCP | Adminer |
| 8080 | TCP | Bytebase |
1.3 File Sharing & Protocol Ports
| Port | Protocol | Purpose |
|---|---|---|
| 21 | TCP | FTP |
| 139/445 | TCP | SMB |
| 548 | TCP | AFP |
| 2049 | TCP | NFS |
1.4 Critical Middleware & Vulnerable Services
| Port | Protocol | Purpose |
|---|---|---|
| 135 | TCP | Windows RPC endpoint mapper |
| 137/138 | UDP | NetBIOS name service / datagram service |
| 139/445 | TCP | SMB |
| 161 | UDP | SNMP |
1.5 Other Vulnerable Services
| Port | Protocol | Purpose |
|---|---|---|
| 8848 | TCP | Nacos |
| 2181/2888/3888 | TCP | ZooKeeper |
| 9001 | TCP | Supervisor |
| 7077 | TCP | Spark |
| 9092 | TCP | Kafka |
| 7001 | TCP | WebLogic |
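As an added example (not part of the original checklist), the following Python script turns the tables above into an audit: it parses the output of `ss -tulnp` and flags every socket bound to a non-loopback address on a port from the checklist. The `ss` sample embedded in the script is constructed for illustration, not real host output; the port-to-service mapping is the one from the tables, with the generic web ports (80/443/8080) deliberately left out because a port number alone cannot tell you whether phpMyAdmin, Bytebase or an ordinary site sits behind it.

```python
"""Audit a Linux host for high-risk ports exposed on non-loopback addresses.

Usage:  ss -tulnp | python3 port_audit.py        (run ss as root to see process names)
        python3 port_audit.py --sample           (run against the constructed sample below)
"""
import re
import sys
from dataclasses import dataclass

# Port -> service, taken from the checklist above. Generic web ports (80/443/8080)
# are omitted: the number alone does not identify the application behind them.
HIGH_RISK = {
    22: "SSH", 23: "Telnet", 3389: "RDP", **{p: "VNC" for p in range(5900, 5905)},
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL/MariaDB", 5432: "PostgreSQL", 50000: "DB2",
    5236: "Dameng", 54321: "Kingbase", 5866: "HighGo", 30100: "GaussDB",
    2881: "OceanBase", 2882: "OceanBase", 2886: "OceanBase",
    6379: "Redis", 27017: "MongoDB", 27018: "MongoDB", 9042: "Cassandra/ScyllaDB",
    9200: "Elasticsearch", 5984: "CouchDB", 16000: "HBase", 8091: "Couchbase", 8086: "InfluxDB",
    7687: "Neo4j", 8529: "ArangoDB", 14240: "TigerGraph",
    21: "FTP", 139: "NetBIOS/SMB", 445: "SMB", 548: "AFP", 2049: "NFS",
    135: "MS-RPC endpoint mapper", 137: "NetBIOS-NS", 138: "NetBIOS-DGM", 161: "SNMP",
    8848: "Nacos", 2181: "ZooKeeper", 2888: "ZooKeeper", 3888: "ZooKeeper",
    9001: "Supervisor", 7077: "Spark", 9092: "Kafka", 7001: "WebLogic",
}

# Loopback bindings are unreachable from the network and are therefore not findings.
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[::1\]|::1|localhost)$")

# Constructed sample of `ss -tulnp` output for the example; not real host data.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*   users:(("redis-server",pid=920,fd=6))
tcp   LISTEN 0      128    *:3306             *:*         users:(("mysqld",pid=1001,fd=20))
tcp   LISTEN 0      4096   [::]:9200          [::]:*      users:(("java",pid=1100,fd=200))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*   users:(("snmpd",pid=700,fd=7))
tcp   LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*   users:(("nginx",pid=600,fd=9))
"""


@dataclass(frozen=True)
class Finding:
    proto: str
    addr: str
    port: int
    service: str
    process: str


def split_local(local: str) -> tuple[str, int]:
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:9200' -> ('[::]', 9200); '*:3306' -> ('*', 3306)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def audit(ss_output: str) -> list[Finding]:
    """Return one Finding per checklist port bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line, or a socket family we do not audit (unix, raw, ...)
        addr, port = split_local(fields[4])
        if port not in HIGH_RISK or LOOPBACK.match(addr):
            continue
        proc = re.search(r'\("([^"]+)"', line)  # process name inside users:(("name",pid=..,fd=..))
        findings.append(Finding(fields[0], addr, port, HIGH_RISK[port],
                                proc.group(1) if proc else "unknown"))
    return findings


def main() -> None:
    text = SAMPLE if "--sample" in sys.argv else sys.stdin.read()
    findings = audit(text)
    for f in findings:
        print(f"[{f.proto}] {f.addr}:{f.port}  {f.service}  ({f.process})")
    # Non-zero exit when something is exposed, so the audit can gate a deployment pipeline.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Against the sample, Redis on 127.0.0.1 and nginx on 8443 pass, while SSH, MySQL, Elasticsearch and SNMP are reported; `*` and `[::]` are wildcard bindings and count as exposed. A clean run on the host is only half the picture: compare it with an external `nmap` of the same box, because a service bound to 0.0.0.0 behind a correct firewall is still one rule change away from exposure.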
II. Forbidden File Upload Extension Checklist
Weak file type validation is equivalent to handing over code execution on the server. The fundamental rule: allowlist the extensions you accept and validate the file content (magic bytes) as well; the client-supplied MIME type is attacker-controlled and can only serve as an extra check, never the only one. Store uploads under server-generated names, in a location the web server never executes.
2.1 System Executables & Scripts
Risk: These can execute commands directly on the server or client side; they are the highest risk category.
- Windows: .exe, .msi, .com, .scr, .bat, .cmd, .ps1, .vbs, .vbe
- Linux: .sh
- General: .jar
2.2 Web Executable Scripts
Risk: If uploaded to a web directory, accessing these files triggers code execution, leading to a WebShell and total server compromise.
- PHP: .php, .php3, .php4, .php5, .php6, .php7, .phtml, .phps, .phar
- ASP.NET: .asp, .aspx, .asa, .asax, .ascx, .ashx, .asmx
- JSP: .jsp, .jspx, .jspf
- Other: .py, .pl, .cgi, .cfm, .cfml
2.3 Configuration & Exploitation Files
Risk: Used to overwrite configurations, leak info, or launch XSS/XXE attacks.
- Apache: .htaccess (can override server rules so that arbitrary files are executed as scripts).
- Configs: .ini, .conf, .config (may contain sensitive credentials).
- Markup: .xml (risk of XXE, XML External Entity, injection); .html, .htm, .svg (can embed JavaScript for XSS attacks).