SecurityStatus
Sign In Scan Your Domain
How It WorksFeaturesKnowledge BaseComparePricing
Sign In Get Started
critical Infrastructure

Open Port Scanner

Open ports on your server represent services accessible from the internet. Every unnecessary open port is an attack surface — a database port exposed to the internet, an old admin panel on a non-standard port, or a development service left running in production can all be entry points for attackers.

What SecurityStatus Checks

  • Common dangerous ports: 21 (FTP), 23 (Telnet), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 27017 (MongoDB), 9200 (Elasticsearch)
  • Administrative ports: 22 (SSH), 3389 (RDP), 5900 (VNC), 8080/8443 (admin panels)
  • Database ports that should never be internet-facing
  • Whether sensitive services are accessible without authentication

Why This Matters

Exposed databases without authentication are the leading cause of data breaches in small and medium businesses. Redis, MongoDB, and Elasticsearch have all been found exposed to the internet without authentication, with billions of records stolen. A single exposed database port can mean total data loss.

How to Fix It

  1. 1

    Close all unnecessary ports in your firewall

    In your cloud provider's security group or server firewall (ufw, iptables), block all ports by default and only open what you need. A typical web server needs only ports 80 and 443 open to the internet.

  2. 2

    Move databases behind a firewall

    Databases should never accept connections from the internet. Bind them to localhost (127.0.0.1) or a private network interface only. In MySQL: `bind-address = 127.0.0.1`. In Redis: `bind 127.0.0.1` in redis.conf.

  3. 3

    Put SSH on a non-standard port or behind a VPN

    Changing SSH from port 22 reduces automated scanning noise. Better: put SSH access behind a VPN or use SSH certificates with short-lived credentials. Disable password authentication in sshd_config.

  4. 4

    Use a jump server or VPN for admin access

    Remote desktop (RDP), VNC, and admin panels should never be directly internet-accessible. Use a VPN or SSH tunnel. For cloud instances, use your provider's instance connect or session manager instead of opening RDP/SSH directly.

  5. 5

    Audit regularly

    Run SecurityStatus scans regularly and compare results. New open ports between scans may indicate compromised systems running backdoor services or misconfigured deployments.

Frequently Asked Questions

Which ports should always be blocked?
Databases (3306, 5432, 6379, 27017, 9200), Telnet (23), FTP (21), RDP (3389), VNC (5900), and any management interfaces like Kibana (5601) or MongoDB Express should never be open to the internet.
SSH on port 22 is open — should I panic?
Not necessarily. SSH being open is normal for servers you manage. The risk is if SSH allows password authentication (instead of key-only) or if you're using weak keys. Disable password auth and consider IP allowlisting.
What if my application needs a custom port?
Use a reverse proxy (nginx/Apache) to expose only ports 80 and 443, which proxy requests to your application on its internal port. The application's port should be bound to localhost only.

Related Guides

critical Admin Panel Exposure Read Guide critical Sensitive File Exposure Read Guide medium WAF Detection Read Guide

Check Your Domain Now

Run all 38 security checks including Open Port Scanner and get your domain's security grade in under 2 minutes.

Scan Your Domain Free