I'd like to set some Linux services to non-standard ports - what's the highest valid port number?

4 Answers


(2^16)-1, or 0-65,535 (the -1 is because port 0 is reserved and unavailable). (edited because o_O Tync reminded me that we can't use port 0, and Steve Folly reminded me that you asked for the highest port, not the number of ports)

But you're probably going about this the wrong way. There are people who argue for and against non-standard ports. I say they're irrelevant except to the most casual scanner, and the most casual scanner can be kept at bay by using up-to-date software and proper firewall techniques, along with strong passwords. In other words, security best practices.

  • 3
    -1 for the wrong answer. Try 65,535. But good point about the argument for/against non-standard ports. Commented Jan 18, 2010 at 0:00
  • 2
    There are security/compliance people who force these sorts of decisions. We run SMTP services on a predetermined high port to protect us against the security officer's office harassing us. Commented Jan 18, 2010 at 0:01
  • 1
    Steve, edited, and you're right. I answered the wrong question with my number :) Commented Jan 18, 2010 at 0:03
  • 2
    @Matt: removed -1 :-) Commented Jan 18, 2010 at 0:05
  • 1
    I monitor attempts to login with ssh and multiple attempts have the IP blocked (standard CPanel VPS solution). I'm just trying to reduce the number of attempts I have to look at each day. Port scanning is also blocked so that should reduce that crowd. I'm also considering a VPN, but it seemed changing the port would be an easier first step.
    – Yehosef
    Commented Jan 18, 2010 at 0:06

1-65535 are available, and ports in range 1-1023 are the privileged ones: an application needs to be run as root in order to listen to these ports.


Although 1-65535 are legit TCP ports and it is true that 1-1023 are for well-known port services, you may run into random issues with your own services if they are started after an ephemeral port is established. For those who may not know, ephemeral ports are those that are connected locally for remote end points (or something to that effect). So if you write a TCP service that listens on port 20001, you might be good today... and tomorrow. But one day your service may start up and attempt to bind to 20001 and it will fail because it was taken as an ephemeral port. There is a solution: you must have your admin, or yourself, change the system ephemeral port range policy on your server. On Linux systems it is done in two steps:

  • Dynamically
  • Permanently

Both steps must be taken, unless you are planning to reboot (in which case the Dynamic step is not needed). To set your range up to 40000 thru 65535 do the following:


Dynamically:

echo 40000 65535 > /proc/sys/net/ipv4/ip_local_port_range

sysctl -w net.ipv4.ip_local_port_range="40000 65535"

Permanently, add the following to /etc/sysctl.conf:

net.ipv4.ip_local_port_range = 40000 65535

To read the current setting or to confirm the change:

/sbin/sysctl net.ipv4.ip_local_port_range

The output will be something like this:

net.ipv4.ip_local_port_range = 9000 65500

Be sure you understand the purpose of your server. Reducing the range too much can lead to other issues.

Happy Coding! (or whatever you do)

  • 1
    See comment here. "ephemeral port range vary by system. ... $ cat /proc/sys/net/ipv4/ip_local_port_range results in output 32768 61000. As to if one should or shouldn't use a port in one's system's ephemeral port range, I suspect most if not all modern day network operating systems will skip over a port that is already in use"
    – Déjà vu
    Commented Apr 18, 2020 at 7:50
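As an added example (not from any of the answers above), a small POSIX shell function, `check_port`, that checks a candidate service port against the three constraints this thread discusses: the 16-bit limit, the privileged range below 1024, and the kernel's ephemeral range. The range is read from /proc/sys/net/ipv4/ip_local_port_range or passed in as a "LOW HIGH" string; the fallback `32768 61000` is the value quoted in the comment above.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# check_port PORT [RANGE]
#   Classifies PORT against: the 16-bit limit (1-65535), the privileged
#   range (1-1023), and the ephemeral range. RANGE is "LOW HIGH" as printed
#   by sysctl net.ipv4.ip_local_port_range; if omitted, the kernel's current
#   range is read from /proc, falling back to the value quoted in the thread.
# Exit status: 0 ok/privileged, 1 invalid input, 2 inside the ephemeral range.
check_port() {
    port=$1
    range=$2
    if [ -z "$range" ]; then
        range=$(cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null) || range="32768 61000"
    fi
    case $port in
        ''|*[!0-9]*) echo "invalid: not a number"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid: port must be 1-65535"; return 1
    fi
    # /proc separates the two numbers with a tab, sysctl with a space;
    # unquoted word splitting handles both.
    set -- $range
    low=$1; high=$2
    if [ -z "$high" ]; then
        echo "invalid: range must be 'LOW HIGH'"; return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "privileged: $port needs root or CAP_NET_BIND_SERVICE to bind"; return 0
    fi
    if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
        echo "ephemeral: $port lies in $low-$high and may be taken by an outgoing connection"; return 2
    fi
    echo "ok: $port is unprivileged and outside the ephemeral range $low-$high"
}

# Stand-alone use: check the port given on the command line (default 20001,
# the example port from the answer) against this host's current range.
check_port "${1:-20001}"
```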

All the folks saying 65,535 are correct.

HOWEVER!!! with some careful kernel tunable parameter manipulation you can tell Linux to use more. Some commercial UNIX systems would run services on technically out-of-bounds ports with no problems. Super simple way around some of the firewall/ACL protected networks too! :P

I used to run a second telnet server on tcp/99999 and it always worked for me. Even in cases where the typical privileged ports (1-1024) are blocked by ACL or network firewall.

Almost nobody scans for ports listening above 65,535. Most network equipment cannot inspect anything outside the defined range (0-65535) and blindly forward the traffic unless instructed to do otherwise by rule. Now that we have 64-bit systems, the upper range is technically the 64-bit boundaries. Doesn't mean networks will pass the traffic, but typically they do pass anything there isn't a rule to drop or deny.

  • I don't think this is true at all, the TCP packet limits the port to a 16-bit value. So there is no way to fit a number higher than 65535 in there. I wonder if the value either got truncated, or simply rolled over / overflowed. My bet is that whatever you were running on 99999 is actually somewhere in the 0-65535 range.
    – Isa
    Commented Apr 22 at 10:48
