Open Ports and Security: What You Need to Know

2026-04-14

What are ports?

Every networked device communicates through numbered ports. Think of your server's IP address as a building's street address, and ports as individual doors. Each door leads to a different service: port 80 for HTTP, port 443 for HTTPS, port 22 for SSH, port 25 for SMTP (mail delivery between servers).

Port numbers run from 0 to 65535, and TCP and UDP each have their own set, so a host can expose up to 65,535 usable ports per protocol (port 0 is reserved). Every one that is open and listening is a potential entry point for attackers.

Why open ports are a security risk

An open port means a service is running and accepting connections from whoever can reach it. If that service has a vulnerability or a weak configuration, an attacker can exploit it without needing any other foothold. The more ports you expose, the larger your attack surface.

Common risks:

  • Unpatched services: outdated software on open ports with known CVEs
  • Default credentials: services still running with factory passwords (databases, admin panels)
  • Information disclosure: service banners revealing software names and versions, which tells an attacker exactly which exploits to try
  • Brute force attacks: SSH and RDP ports hammered with automated password guessing
  • Accidental exposure: internal-only services (databases, caches, admin interfaces) reachable from the internet, giving an attacker a foothold for lateral movement

Commonly targeted ports

Port    Service      Risk
21      FTP          Unencrypted file transfer, often misconfigured
22      SSH          Brute force target; key-based auth recommended
23      Telnet       Completely unencrypted, should never be open
25      SMTP         Email relay abuse if misconfigured
80      HTTP         Unencrypted web traffic
443     HTTPS        Expected, but verify TLS configuration
3306    MySQL        Database should never face the internet
3389    RDP          Top target for ransomware attacks
5432    PostgreSQL   Database should never face the internet
6379    Redis        Often exposed without authentication
8080    HTTP Alt     Development servers accidentally left running
27017   MongoDB      Frequently found open with no auth

How to audit your ports

Method 1: Use a free port scanner

CQwerty Shield's Port Scanner checks your domain for common open ports and identifies the services running on them.

Method 2: Command line with nmap

nmap -sV example.com

The -sV flag probes open ports to determine service versions. By default nmap scans only the 1,000 most common TCP ports; add -p- to cover all 65,535, and -sU if you also need UDP. Run it from outside your network (a VPS or a home connection, not from the server itself) so you see what the internet sees rather than what happens to be bound on localhost.
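The following Python script is an added example, not code from this page or from CQwerty Shield's scanner. It performs the simplest kind of port audit, a TCP connect scan, against the ports in the table above and grabs whatever banner each open service volunteers, which is the information-disclosure risk listed earlier. So that it runs offline, it starts two fake services on loopback (one that greets like SSH, one that stays silent the way Redis or HTTP do until spoken to) and picks a closed port; the banner text is constructed for the example. Against a real host you would pass its address and COMMON_PORTS.keys() to scan().

```python
import socket
import threading
from typing import Dict, Iterable, Optional

# The ports from the table above, with the service normally found on them.
# Assumption: a fixed short list for the example; a real audit should cover all
# 65,535 TCP ports (nmap -p-) and UDP as well.
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                443: "https", 3306: "mysql", 3389: "rdp", 5432: "postgresql",
                6379: "redis", 8080: "http-alt", 27017: "mongodb"}


def probe(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect to host:port. Returns None if the port refuses (closed) or
    never answers (filtered), otherwise the first line the service volunteers
    (its banner), or "" if the port is open but the service stays quiet."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                      # refused or timed out: not open to us
    with s:
        try:
            data = s.recv(256)           # SSH, FTP, SMTP greet first; HTTP waits
        except OSError:
            return ""                    # connected, then reset or timed out: open, silent
    lines = data.decode("latin-1", "replace").strip().splitlines()
    return lines[0] if lines else ""


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Return {port: banner} for every port that accepted a TCP connection."""
    results: Dict[int, str] = {}
    for port in ports:
        banner = probe(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def start_fake_service(banner: bytes) -> int:
    """Stand-in for a real daemon (example only): listens on a free loopback
    port and greets every client with `banner`, then hangs up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port() -> int:
    """A port nothing is listening on (bound briefly, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one chatty fake service, one silent one and one closed port."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")  # constructed banner
    quiet_port = start_fake_service(b"")                                  # open but says nothing
    closed_port = closed_loopback_port()
    results = scan("127.0.0.1", [ssh_port, quiet_port, closed_port])
    for port in (ssh_port, quiet_port, closed_port):
        state = "open" if port in results else "closed"
        print(f"{port:5}/tcp {state:6} {results.get(port, '')}")
    return results


if __name__ == "__main__":
    demo()
```

A connect scan completes the TCP handshake, so every probe shows up in the target's logs; that is fine for auditing your own hosts and is the reason nmap's stealthier SYN scan needs raw sockets and root. The banner is the part to pay attention to: an "SSH-2.0-OpenSSH_8.9p1" greeting on an open port is exactly the version string an attacker feeds into a CVE search.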

Best practices

1. Close unnecessary ports

If a service does not need to be internet-facing, stop it or bind it to localhost or an internal interface only, and block the port with a firewall (iptables/nftables, ufw, or cloud security groups). Then rescan from outside to confirm it is actually gone.

2. Use a firewall

Implement allow-list rules: block everything inbound by default, then open only the ports you need. This is the single most effective step, because it protects you even from services you did not know were listening.

3. Move management ports behind a VPN

SSH (22), RDP (3389), and database ports should never be directly exposed to the internet. Require VPN access for administration, and use key-based authentication for SSH even inside the VPN.

4. Keep services updated

Patch every internet-facing service promptly. Subscribe to CVE feeds or vendor security advisories for the software you run.

5. Change default ports for management services

Moving SSH from port 22 to a non-standard port reduces automated scanning noise. This is not security in itself, since a full port scan with version detection (nmap -p- -sV) finds SSH on any port, but it cuts down opportunistic brute force attempts and log noise significantly. Treat it as a supplement to key-only authentication and a VPN, never a substitute.

6. Monitor continuously

Ports can be opened accidentally by software updates, configuration changes, or new deployments. Scan regularly, compare each result against a baseline of approved ports per host, and alert on anything new.
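Best practices 3 and 6 both come down to comparing what a scan finds against what you have decided is allowed. The script below is an added example, not the page's or CQwerty Shield's tooling: it parses nmap's grepable output (what nmap -sV -oG - prints), flags any of the table's never-expose ports and the management ports that belong behind the VPN, and reports drift against a baseline of approved ports. The scan output, addresses, hostnames, version strings and the baseline are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ports from the table above that must never be reachable from the internet.
NEVER_INTERNET = {23: "Telnet", 3306: "MySQL", 5432: "PostgreSQL",
                  6379: "Redis", 27017: "MongoDB"}
# Management ports that belong behind the VPN (best practice 3).
MANAGEMENT = {22: "SSH", 3389: "RDP"}

# Constructed sample of `nmap -sV -p- -oG -` output. The addresses, hostnames
# and version strings are invented for this example; this is not a real scan.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -p- -oG - 192.0.2.0/24\n"
    "Host: 192.0.2.10 (web.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/"
    "\tIgnored State: closed (65532)\n"
    "Host: 192.0.2.20 (db.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 14.5/, "
    "6379/open/tcp//redis//Redis key-value store 6.2.7/"
    "\tIgnored State: closed (65532)\n"
    "Host: 192.0.2.30 ()\tStatus: Down\n"
    "# Nmap done at ...\n"
)

# Assumed baseline: the ports each host is approved to expose. In practice this
# comes from your inventory or a previously signed-off scan.
BASELINE: Dict[str, Set[int]] = {"192.0.2.10": {80, 443}, "192.0.2.20": set()}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str   # "critical", "high" or "drift"
    message: str


def parse_grepable(text: str) -> Dict[str, Dict[int, Tuple[str, str]]]:
    """Map host -> {open TCP port: (service, version)} from nmap -oG output.
    Fields on a Host line are tab-separated; each Ports entry is
    port/state/proto/owner/service/rpc/version/ (nmap rewrites slashes inside
    version strings as '|', so splitting on '/' is safe)."""
    hosts: Dict[str, Dict[int, Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comments, blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                                   # host down or nothing open
        open_ports: Dict[int, Tuple[str, str]] = {}
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            port, state, proto = int(parts[0]), parts[1], parts[2]
            service, version = parts[4], parts[6]
            if state == "open" and proto == "tcp":
                open_ports[port] = (service, version)
        hosts[ip] = open_ports
    return hosts


def audit(text: str, baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Apply the exposure policy and the baseline to a scan; one finding per
    offending port, worst reason wins (never-expose > management > drift)."""
    findings: List[Finding] = []
    for host, open_ports in parse_grepable(text).items():
        approved = baseline.get(host, set())           # unknown host: nothing approved
        for port, (service, version) in sorted(open_ports.items()):
            disclosed = f" (banner discloses {version})" if version else ""
            if port in NEVER_INTERNET:
                findings.append(Finding(host, port, "critical",
                    f"{NEVER_INTERNET[port]} on {port} must never face the internet{disclosed}"))
            elif port in MANAGEMENT:
                findings.append(Finding(host, port, "high",
                    f"{MANAGEMENT[port]} on {port} should only be reachable over the VPN{disclosed}"))
            elif port not in approved:
                findings.append(Finding(host, port, "drift",
                    f"{service} on {port} is open but not in the baseline{disclosed}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GREPABLE, BASELINE):
        print(f"{f.severity:8} {f.host}:{f.port}  {f.message}")
```

Run on a schedule with a fresh nmap -sV -p- -oG - against your public address range piped in, this is the "monitor continuously" step: the baseline is the set of doors you meant to leave open, and anything else is either a policy violation (a database or management port facing the internet) or drift to investigate.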

Key takeaways

  • Every open port is a potential attack vector
  • Databases, caches, and management interfaces should never face the internet
  • Use firewalls with allow-list rules, not block-list rules
  • Scan your own infrastructure before attackers do

Ready to check your domain?

Run all 18 security checks in 2 minutes. Free, no signup required.

Free Port Scanner