Blocked ports

To secure the Selectel infrastructure from malicious network activity, we restrict access to certain TCP/UDP ports. Incoming and outgoing traffic is blocked when it passes the border routers at the edge of the Selectel Internet network.

For TCP ports 25, 465, 587 only outgoing traffic to public IPv4 and IPv6 addresses is blocked. We recommend using Selectel mail service instead of these ports.

For a complete list of blocked ports, see the Blocked Ports List table. If a port is unavailable but not listed in the table, check its availability from the operating system side using the Nmap utility.

You can submit a request to unblock some ports. Each request is considered individually, we do not guarantee a positive response.

List of blocked ports

Port and application protocol	Port assignment	Transport Protocol	Reason for blocking	You can submit an unlock request
17 QOTD	Transmitting a short text message when a client connects to the server	TCP/UDP	low security; risk of amplification attacks	✗
25 SMTP	Sending emails between servers in unencrypted form	TCP	spam prevention; risk of unencrypted traffic being intercepted	✓
111 ONC RPC (SunRPC)	Mapping RPC services (nfs, mountd, etc.) to port numbers on the server	TCP/UDP	risk of detecting all RPC services; risk of unauthorized access to files	✗
135 Microsoft EPMAP	Mapping RPC calls to specific services and ports on the remote system	TCP/UDP	risk of unauthorized access to the system; risk of interception and manipulation of RPC calls (MITM); risk of enumeration of service and method names (enumeration)	✓
137 NetBIOS Name Service	NetBIOS computer name resolution on a local network	TCP/UDP	The risk of being used for network reconnaissance; risk of unauthorized access to resources; spoofing of device names on the network (spoofing); risk of DoS attacks through broadcast traffic congestion	✓
138 NetBIOS Datagram Service	Transmit small messages between devices on the network without establishing a connection	TCP/UDP	The risk of attacks through insecure data transmission; risk of DoS attacks through broadcast traffic congestion; risk of collecting information about hosts, users and shared resources	✓
139 NetBIOS Session Service	Sharing files, printers, and ports on Windows networks via NetBIOS	TCP/UDP	risk of attacks on SMB and NetBIOS vulnerabilities; the risk of network scanning and information gathering	✓
389 LDAP	Connecting to LDAP directory for authentication and data retrieval	TCP/UDP	the risk of password mining; risk of unauthorized access to directory data	✗
427 SLP	Discovery of network services and devices on the local network	TCP/UDP	the risk of amplification-attacks; risk of disclosing the structure of the intranet	✗
445 SMB	File sharing on Windows networks over TCP/IP without NetBIOS	TCP/UDP	The risk of attacks on SMB vulnerabilities; the risk of password mining; malware risk	✓
465 SMTPS	Secure mail sending (SMTPS) using SSL/TLS encryption	TCP	The risk of encryption downgrade attacks; Risk of hiding malicious traffic from analysis	✓
520 RIP	Routing information exchange in small networks using RIP protocol	UDP	risk of redirecting traffic to intercept data (route spoofing); The risk of traffic being redirected to a malicious host (MITM); risk of DoS attacks through false updates	✗
587 SMTP	Secure sending of e-mails via SMTP using STARTTLS	TCP	risk of spamming and phishing with weak security; the risk of password mining; Risk of data leakage if encryption is disabled or weak	✓
1900 SSDP	Discovery of devices and services on the local network (printers, TVs, routers)	UDP	The risk of DoS attacks through request overload; risk of automatic opening of ports on the router	✗
3702 WS-Discovery	Dynamic discovery of web services on the local network	UDP	the risk of amplification-attacks; risk of unauthorized access to devices	✗
11211 Memcached	Memcached cache server access to accelerate web applications	TCP/UDP	the risk of amplification-attacks; risk of data leakage in the absence of authentication	✗

Submit a port unlock request

Each unlock request is considered individually - we do not guarantee a positive response, and we reserve the right to refuse unlocking without explanation.

Once unblocked, the port may be blocked again, for example, if spam is sent or the IP address is on a spam list. See Network Blocking for more information.

Ports 25, 465, 587

Dedicated servers
Cloud servers

You cannot unblock a port for public shared IP addresses of a dedicated server in TAS-1, TAS-2, ALM-1, NBO-1 pools. You can see if a public IP address is shared in the control panel: from the top menu, click Products → Dedicated Servers → Server page → Network tab . IP addresses that are in the /32 subnet are shared.

You can submit a port unlock request for:

public dedicated subnets of a dedicated server;
public shared IP addresses of the dedicated server except for pools TAS-1, TAS-2, ALM-1, NBO-1.

Create a ticket. In the ticket specify:
- the port to be unblocked;
- the purpose of using the port. If you plan to use the port for mailings, specify the type of mailing, the number of emails in the mailing, a sample email, and whether the recipient can unsubscribe from the mailing;
- public dedicated subnet of the dedicated server for which you want to unblock the port. The list of public dedicated subnets can be viewed in the control panel: in the top menu, click Products → Dedicated Servers → Network → Public Subnets tab → select the Dedicated subnet type;
- the public shared IP address of the dedicated server for which you want to unblock the port. The public shared IP address can be viewed in the control panel: from the top menu, click Products → Dedicated Servers → Server page → Network tab . IP addresses that are in the /32 subnet are public.
Wait in the ticket for a Selectel employee to respond with a decision.

Ports 135, 137, 138, 139, 445.

Dedicated servers
Cloud servers

You cannot unblock a port for public shared IP addresses of a dedicated server. You can see if a public IP address is shared in the control panel: from the top menu, click Products → Dedicated Servers → Server page → Network tab . IP addresses that are in the /32 subnet are shared.

You can submit a port unblocking request for public dedicated subnets of a dedicated server.

Create a ticket. In the ticket specify:
- the port to be unblocked;
- the purpose of using the port;
- public dedicated subnet of the dedicated server for which you want to unblock the port. The list of public dedicated subnets can be viewed in the control panel: in the top menu, click Products → Dedicated Servers → Network → Public Subnets tab → select the Dedicated subnet type.
Wait in the ticket for a Selectel employee to respond with a decision.