I found my CentOS server has been accessed by a Windows desktop daily and caused files have been locked frequently.
Is there any way to log the port(s) that the scrips or programs use to access my server for me to analyze?

IF they access it daily, it's written daily in /var/log somwhere.

Dear Habitual.

Than you. I got the suspicious log below, how do i block/drop it when it accesses the server?

/var/log/audit/audit.log:type=USER_ROLE_CHANGE msg=audit(1396394239.662:18770): user pid=20125 uid=0 auid=538 subj=system_u:sys
em_r:remote_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:u
confined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=pts/2 res=success)'

/var/log/audit/audit.log:type=USER_START msg=audit(1396394239.663:18771): user pid=20125 uid=0 auid=538 subj=system_u:system_r:
emote_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="xuser" : exe="/bin/login" (hostname=192.168.1.140, addr=192.168.1.140, te
minal=pts/2 res=success)'
/var/log/audit/audit.log:type=CCA msg=audit(1396394239.663:18772): user pid=20125 uid=0 auid=538 subj=system_u:system_r:re
ote_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="xuser" : exe="/bin/login" (hostname=192.168.1.140, addr=192.168.1.140, terminal=
ts/2 res=success)'
/var/log/audit/audit.log:type=CCD msg=audit(1396394704.169:18796): user pid=20125 uid=0 auid=538 subj=system_u:system_r:r

You could download yourself and AESA application. ArcSight do a free version, although if it's compatible with Linux I have no idea. Couldn't see any reason why not though. You just have to configure it yourself and it'll tell you anything from any event log. When someone logged on, if they accessed files they're not supposed to if they entered a password in the username box (password in cleartext across the network). Really good bits of kit.