Open Ports and Security: What You Need to Know
What are ports?
Every networked device communicates through numbered ports. Think of your server's IP address as a building's street address, and ports as individual doors. Each door leads to a different service: port 80 for HTTP, port 443 for HTTPS, port 22 for SSH, port 25 for email.
Port numbers run from 0 to 65535, for TCP and again for UDP. Every port that is open and listening is a potential entry point for attackers.
Why open ports are a security risk
An open port means a service is listening and accepting connections. If that service has a vulnerability, a weak or missing password, or a misconfiguration, an attacker can use it. The more ports you expose, the larger your attack surface.
Common risks are unpatched services with known vulnerabilities, services that ship with no authentication enabled (Redis, MongoDB), password guessing against remote-access services (SSH, RDP), open mail relays, and plaintext protocols (FTP, Telnet, HTTP) that expose credentials and data in transit.
Commonly targeted ports
| Port | Service | Risk |
|------|---------|------|
| 21 | FTP | Credentials and data in plaintext; anonymous access often misconfigured |
| 22 | SSH | Brute-force target; use key-based auth and restrict source addresses |
| 23 | Telnet | Completely unencrypted; should never be open |
| 25 | SMTP | Open relay abuse if misconfigured |
| 80 | HTTP | Unencrypted web traffic; should redirect to HTTPS |
| 443 | HTTPS | Expected, but verify the TLS configuration |
| 3306 | MySQL | Database should never face the internet |
| 3389 | RDP | Common ransomware entry point via brute force or stolen credentials |
| 5432 | PostgreSQL | Database should never face the internet |
| 6379 | Redis | Often exposed with no authentication configured |
| 8080 | HTTP Alt | Development or admin servers accidentally left running |
| 27017 | MongoDB | Frequently found open with no auth |
How to audit your ports
Method 1: Use a free port scanner
[CQwerty Shield's Port Scanner](/tools/port-scanner) checks your domain for common open ports and identifies the services running on them.
Method 2: Command line with nmap
```bash
nmap -sV example.com
```
The -sV flag probes each open port to identify the service and version behind it. By default nmap checks only the 1,000 most commonly used TCP ports, so add the -p- option to cover all 65,535 when you want a full inventory, and -sU to include UDP. Scan only hosts you own or are authorized to test.
Best practices
1. Close unnecessary ports
If a service does not need to be reachable from the internet, stop it, or bind it to localhost or an internal interface so it never listens on a public address. A port that nothing listens on cannot be attacked.
2. Use a firewall
For services that must keep running, add a host or network firewall (iptables, ufw, or cloud security groups) with allow-list rules: block all inbound traffic by default, then open only the ports you need, and only from the source ranges that need them. This is the single most effective step.
3. Move management ports behind a VPN
SSH (22), RDP (3389), and database ports should never be directly exposed to the internet. Require VPN access for administration.
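The three steps above (close what is not needed, default-deny, management only via VPN) combined into one host firewall ruleset, as an added example that is not CQwerty Shield's code. It assumes a Debian/Ubuntu host with ufw installed and a hypothetical VPN subnet of 10.8.0.0/24; both are placeholders to adjust. It prints the commands for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not CQwerty Shield's code): default-deny host firewall with ufw that
# exposes only the public web ports and allows SSH solely from a VPN subnet.
# Assumptions: Debian/Ubuntu with ufw installed; VPN clients come from 10.8.0.0/24
# (hypothetical range). Commands are printed, not executed, unless APPLY=1.

ADMIN_NET="${ADMIN_NET:-10.8.0.0/24}"          # assumed VPN/admin range; change to yours
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}" # the only ports the internet may reach

# run CMD...: execute the command, or just print it in review mode (the default)
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# ufw_ruleset: emit (or apply) the complete ruleset. Order matters:
# reset to a known state, set the defaults, add allow rules, then enable.
ufw_ruleset() {
  run ufw --force reset                 # start from a known state (also disables ufw)
  run ufw default deny incoming         # block everything inbound by default
  run ufw default allow outgoing
  for p in $PUBLIC_TCP_PORTS; do
    run ufw allow "$p/tcp"              # only the allow-listed public ports
  done
  # The weak form would be 'ufw allow 22/tcp' (SSH from anywhere). Instead, SSH is
  # reachable only from the VPN subnet, and 'limit' rate-limits repeated attempts.
  run ufw limit from "$ADMIN_NET" to any port 22 proto tcp
  # Deliberately no rule for 3306/5432/6379/27017: databases stay reachable only
  # from localhost or over the VPN.
  run ufw --force enable
}

ufw_ruleset
```

Review the printed output first; when applying over SSH, confirm your own session comes from ADMIN_NET before running with APPLY=1, because the reset-then-enable sequence will cut off any session that does not match a rule.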
4. Keep services updated
Patch every internet-facing service promptly. Subscribe to CVE feeds for the software you run.
5. Change default ports for management services
Moving SSH from port 22 to a non-standard port cuts the noise from automated scanners and brute-force bots, which keeps logs readable. It is obscurity, not security: a full port scan finds the new port in seconds, so it never replaces key-based authentication, the firewall rule, or the VPN.
6. Monitor continuously
Ports can be opened accidentally by software updates, configuration changes, or new deployments. Scan regularly to catch drift.
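The audit described under "How to audit your ports" and the drift check described in this monitoring step, done from inside the host rather than with an external scanner, as an added example that is not CQwerty Shield's tool. It reads `ss -ltn` output (the constructed sample below stands in for a real host), flags every TCP listener bound to a non-loopback address whose port is not on an allow-list, and returns non-zero so it can gate a cron job or a CI check.

```shell
#!/bin/sh
# Added example (not CQwerty Shield's scanner): audit a host's TCP listeners from the
# inside and flag anything bound to a non-loopback address that is not allow-listed.
# On a live host run:  ss -Hltn | audit_listeners "80 443"
# Below it runs on constructed sample output so it works offline.

# audit_listeners ALLOWED_PORTS   (reads `ss -ltn` output on stdin; a header line is ignored)
# Prints one line per listening socket tagged EXPOSED, ALLOWED or LOCAL, and returns 1
# when at least one EXPOSED socket was found.
audit_listeners() {
  allowed=" $1 "
  status=0
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue      # skips the header and non-listening rows
    port=${local_addr##*:}                   # text after the last colon
    addr=${local_addr%:*}                    # 0.0.0.0, [::], 127.0.0.1, 10.0.0.5, ...
    case "$addr" in
      127.*|"[::1]")
        printf 'LOCAL   %-6s %s\n' "$port" "$addr" ;;   # loopback: not reachable remotely
      *)
        case "$allowed" in
          *" $port "*) printf 'ALLOWED %-6s %s\n' "$port" "$addr" ;;
          *)           printf 'EXPOSED %-6s %s\n' "$port" "$addr"; status=1 ;;
        esac ;;
    esac
  done
  return "$status"
}

# Constructed sample of `ss -ltn` output (not from a real host): MySQL bound to loopback,
# Redis on the IPv6 wildcard, PostgreSQL bound to a routable interface address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      70         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128            [::1]:25           [::]:*
LISTEN 0      511             [::]:6379         [::]:*
LISTEN 0      4096       10.0.0.5:5432       0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners "80 443" \
  || echo "drift detected: close the EXPOSED ports or move them behind the firewall/VPN"
```

With only 80 and 443 allow-listed, the sample flags 22, 6379 and 5432 as EXPOSED (SSH should sit behind the VPN, Redis and PostgreSQL should not listen on routable addresses at all) while 3306 and 25 are LOCAL and ignored. Run it from cron or a deploy pipeline and alert on a non-zero exit to catch drift between external scans; note that it sees only what the host itself binds, so a firewall in front of it is not reflected, and the external scan remains the ground truth for what the internet can reach.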
Key takeaways
Every listening port is attack surface, so expose only what a service genuinely needs. Default-deny at the firewall, keep management and database ports off the internet (localhost or VPN only), patch whatever remains exposed, and rescan on a schedule so a port opened by accident is found by you before it is found by someone else's scanner.
[Scan your ports now](/tools/port-scanner)