The definitive guide to identifying and replacing cleartext protocols across your infrastructure.
In the modern landscape, any protocol that does not use TLS/SSL or SSH encapsulation is a liability. Below is the comprehensive master list of insecure legacy protocols and the secure standards that must replace them in 2026.
Master Protocol Mapping Table
| Service Type | Insecure (Cleartext) | Port | Secure (Encrypted) | Port |
|---|---|---|---|---|
| Web Traffic | HTTP | 80 | HTTPS | 443 |
| Terminal Access | Telnet | 23 | SSH | 22 |
| File Transfer | FTP | 21/20 | SFTP / FTPS | 22 / 990 |
| Email (Sending) | SMTP | 25 | SMTPS | 465 / 587 |
| Email (Retrieving) | POP3 | 110 | POP3S | 995 |
| Email (Syncing) | IMAP | 143 | IMAPS | 993 |
| Directory Services | LDAP | 389 | LDAPS | 636 |
| Authentication | RADIUS/TACACS+ | 1812 | RADIUS over TLS | 2083 |
| Network Mgmt | SNMPv1/v2c | 161/162 | SNMPv3 | 161/162 |
| Time Sync | NTP | 123 | NTS (Network Time Security) | 4460 |
| Remote Desktop | VNC | 5900 | RDP (with NLA/TLS) | 3389 |
| SQL Database | MySQL / MSSQL | 3306/1433 | SQL over TLS | 3306/1433 |
Critical Security Note: Port 22
Notice that SFTP and SSH share the same port (22). This is because SFTP is not FTP with encryption added; it is the SSH File Transfer Protocol, which runs as a subsystem inside an SSH session. When you close port 21 and move to port 22, you are consolidating your attack surface into a single, hardened entry point.
Implementation Check
Windows
Ensure SMB Signing is enabled for port 445 and use LDAPS (636) for Active Directory queries instead of standard LDAP.
Linux
Disable the telnetd and vsftpd services. Enforce SSH Key Authentication to protect port 22.
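One way to check a Linux host against the mapping table, as an added example that is not part of the original guide: a shell function that reads `ss -tuln` output and flags listeners on the cleartext ports. The function name, output labels and sample listing are constructed for illustration; ports the table lists for both the insecure and the secure variant (161, 3306, 1433) are reported for manual review, because the port number alone cannot show whether encryption is on.

```sh
#!/bin/sh
# Added example (not from the original guide). Real use: ss -tuln | audit_cleartext_listeners

audit_cleartext_listeners() {
    awk '
    BEGIN {
        # Cleartext port -> replacement, from the mapping table.
        m[80]   = "HTTP -> HTTPS (443)"
        m[23]   = "Telnet -> SSH (22)"
        m[21]   = "FTP -> SFTP / FTPS (22 / 990)"
        m[25]   = "SMTP -> SMTPS (465 / 587)"
        m[110]  = "POP3 -> POP3S (995)"
        m[143]  = "IMAP -> IMAPS (993)"
        m[389]  = "LDAP -> LDAPS (636)"
        m[1812] = "RADIUS -> RADIUS over TLS (2083)"
        m[123]  = "NTP -> NTS (4460)"
        m[5900] = "VNC -> RDP with NLA/TLS (3389)"
        # Same port for both variants: the port alone proves nothing.
        c[161]  = "SNMP: confirm SNMPv3 is in use"
        c[3306] = "MySQL: confirm TLS is required"
        c[1433] = "MSSQL: confirm TLS is required"
    }
    $1 ~ /^(tcp|udp)/ && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, parts, ":")       # port is the last field, also for [::]:23
        port = parts[n] + 0
        key = substr($1, 1, 3) "/" port
        if (seen[key]++) next           # report IPv4/IPv6 pairs once
        if (port in m)      print "CLEARTEXT " key " " m[port]
        else if (port in c) print "REVIEW " key " " c[port]
    }'
}

# Constructed sample listing in `ss -tuln` format, so the example runs offline.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:23            [::]:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      32     *:21               *:*
EOF
}

sample_ss_output | audit_cleartext_listeners
```

A `CLEARTEXT` line on port 25 or 389 still deserves a look at the service configuration, since this check sees only the port number and not what the service negotiates.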
macOS
macOS comes with pf (Packet Filter). Use it to block legacy ports and only allow incoming traffic on 443 and 22.