The 32 well-known ports and protocols to know for the CompTIA Security+ SY0-701 exam, grouped by service, with the secure and insecure pairs flagged.
Last updated June 2026
A favorite exam pattern: given a cleartext protocol, name its encrypted replacement and port. These are the pairs worth memorizing cold.
| Insecure | Port | Secure replacement | Port |
|---|---|---|---|
| HTTP | 80 | HTTPS | 443 |
| FTP | 20/21 | SFTP or FTPS | 22 or 989/990 |
| Telnet | 23 | SSH | 22 |
| SMTP | 25 | SMTPS or submission | 465 or 587 |
| POP3 | 110 | POP3S | 995 |
| IMAP | 143 | IMAPS | 993 |
| LDAP | 389 | LDAPS | 636 |
| DNS | 53 | DoH or DoT | 443 or 853 |
| SNMP v1/v2c | 161/162 | SNMPv3 | 161/162 |
| Syslog | 514 | Syslog over TLS | 6514 |
Grouped by service. Cleartext protocols are flagged so you know which ones the exam expects you to replace.
| Port | Protocol | Security |
|---|---|---|
| Web | | |
| 80 TCP | HTTP (Hypertext Transfer Protocol): Cleartext web traffic. Anyone on the path can read or modify it. Replaced by HTTPS on 443. | Cleartext |
| 443 TCP | HTTPS (HTTP over TLS): HTTP secured with TLS. The default for modern web traffic and the transport for DoH and many TLS tunnels. | Secure |
| 25 TCP | SMTP (Simple Mail Transfer Protocol): Server-to-server mail relay, historically cleartext. Clients should submit mail on 587 (STARTTLS) or 465 (implicit TLS). | Cleartext |
| 587 TCP | SMTP submission (Mail submission with STARTTLS): Authenticated client mail submission, upgraded to TLS with STARTTLS. The modern send port. | Secure |
| 465 TCP | SMTPS (SMTP over TLS, implicit): SMTP wrapped in TLS from the first byte (implicit TLS). | Secure |
| 110 TCP | POP3 (Post Office Protocol v3): Downloads mail to the client in cleartext. Secure version is POP3S on 995. | Cleartext |
| 995 TCP | POP3S (POP3 over TLS): POP3 wrapped in SSL/TLS. | Secure |
| 143 TCP | IMAP (Internet Message Access Protocol): Server-side mailbox access in cleartext. Secure version is IMAPS on 993. | Cleartext |
| 993 TCP | IMAPS (IMAP over TLS): IMAP wrapped in SSL/TLS. | Secure |
| File transfer | | |
| 20/21 TCP | FTP (File Transfer Protocol): Port 21 carries commands, port 20 the active-mode data channel. Credentials and files travel in cleartext. Use SFTP or FTPS. | Cleartext |
| 989/990 TCP | FTPS (FTP over TLS, implicit): FTP secured with TLS (implicit mode: 990 control, 989 data). A different protocol from SFTP. | Secure |
| 22 TCP | SFTP (SSH File Transfer Protocol): File transfer tunneled inside SSH, so it uses port 22, not an FTP port. | Secure |
| 69 UDP | TFTP (Trivial File Transfer Protocol): Tiny, no authentication, runs over UDP. Used for device configs and PXE boot on trusted networks only. | Cleartext |
| Remote access | | |
| 22 TCP | SSH (Secure Shell): Encrypted remote shell and tunnel. Also carries SFTP and SCP. Replaces Telnet. | Secure |
| 23 TCP | Telnet: Remote shell that sends everything, including the password, in cleartext. Replace with SSH. | Cleartext |
| 3389 TCP | RDP (Remote Desktop Protocol): Microsoft Remote Desktop. Encrypted, but Internet-exposed RDP is a leading ransomware entry point. Keep it behind a VPN. | Standard |
| Name and network services | | |
| 53 TCP/UDP | DNS (Domain Name System): UDP 53 for normal lookups, TCP 53 for zone transfers and large responses. Classic DNS is unencrypted; secure it with DoH (443) or DoT (853). | Cleartext |
| 853 TCP | DoT (DNS over TLS): Encrypts DNS queries so they cannot be read or tampered with in transit. | Secure |
| 67/68 UDP | DHCP (Dynamic Host Configuration Protocol): Assigns IP configuration. The server listens on 67, the client on 68. | Standard |
| 123 UDP | NTP (Network Time Protocol): Synchronizes clocks. Accurate time is critical for logs, Kerberos tickets, and certificate validation. | Standard |
| Directory and authentication | | |
| 389 TCP/UDP | LDAP (Lightweight Directory Access Protocol): Directory lookups and authentication in cleartext. Secure version is LDAPS on 636. | Cleartext |
| 636 TCP | LDAPS (LDAP over TLS): LDAP wrapped in SSL/TLS. | Secure |
| 88 TCP/UDP | Kerberos (Kerberos authentication): Ticket-based authentication used by Active Directory. Issues time-limited tickets instead of sending reusable passwords. | Secure |
| 1812/1813 UDP | RADIUS (Remote Authentication Dial-In User Service): AAA for network access. 1812 handles authentication, 1813 accounting. Only the password field is encrypted (legacy ports 1645/1646). | Standard |
| 49 TCP | TACACS+ (Terminal Access Controller Access-Control System Plus): Cisco AAA protocol. Encrypts the entire payload and separates authentication, authorization, and accounting. | Secure |
| Monitoring and logging | | |
| 161/162 UDP | SNMP (Simple Network Management Protocol): Network device monitoring. 161 polls agents, 162 receives traps. v1 and v2c send community strings in cleartext; use SNMPv3 for auth and encryption. | Cleartext |
| 514 UDP | Syslog: Cleartext log forwarding to a collector or SIEM. Secure it with syslog over TLS on 6514. | Cleartext |
| 6514 TCP | Syslog over TLS (Secure syslog): Syslog carried inside TLS for confidentiality and integrity of log data in transit. | Secure |
| File and database services | | |
| 445 TCP | SMB (Server Message Block): Windows file and printer sharing, direct-hosted on 445. Never expose it to the Internet; a frequent worm and ransomware vector. | Standard |
| 137-139 TCP/UDP | NetBIOS (NetBIOS name, datagram, and session services): Legacy Windows networking (137 name, 138 datagram, 139 session). Superseded by SMB on 445; disable where possible. | Cleartext |
| 1433 TCP | MS SQL Server (Microsoft SQL Server): Default listener for Microsoft SQL databases. Keep it behind the firewall, never Internet-facing. | Standard |
| Voice and video | | |
| 5060/5061 TCP/UDP | SIP (Session Initiation Protocol): Sets up VoIP calls. 5060 is cleartext; 5061 is SIP over TLS (encrypted signaling). The media itself rides RTP or SRTP. | Standard |
Port assignments follow the well-known port registrations referenced by the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.