
How to Check Open Ports and Why Unsecured Ports Are a Hacker's Gateway

IP Pulse Pro Team · May 5, 2026 · 16 min read

What Are Network Ports?

Network ports are logical communication endpoints that allow a single IP address to manage multiple simultaneous connections and services. Every device connected to a network has an IP address, but that address alone is not sufficient to direct traffic to the correct application or service running on the device. Ports solve this problem by providing a numerical identifier — ranging from 0 to 65535 — that maps incoming and outgoing data to the specific process that should handle it. Without ports, a web server and an email server running on the same machine would have no way to distinguish which packets belong to which service.

The port numbering system is divided into three ranges, each governed by conventions maintained by IANA (Internet Assigned Numbers Authority). Well-known ports (0–1023) are reserved for system-level and widely used services such as HTTP on port 80, HTTPS on port 443, and SSH on port 22; on Unix-like systems, binding to one of these ports requires root or the CAP_NET_BIND_SERVICE capability. Registered ports (1024–49151) are assigned by IANA to specific applications on request, for example MySQL on port 3306 and PostgreSQL on port 5432. Dynamic or ephemeral ports (49152–65535 in IANA's definition) are handed out temporarily by the operating system to client applications making outbound connections. Note that operating systems do not all honour that range: Linux defaults to 32768–60999 (net.ipv4.ip_local_port_range) while modern Windows uses 49152–65535, so a listener found in the ephemeral range is not automatically a client-side artefact.

When a client connects to a server, it specifies both the destination IP address and the destination port number. The combination of an IP address and a port is a socket address, and the operating system uses it to hand incoming data to the process that is bound to it; a TCP connection is fully identified by the four-tuple of source address, source port, destination address, and destination port. A single server can listen on multiple ports simultaneously, each served by a different application. For instance, a machine might run a web server on port 443, an SSH daemon on port 22, and a database on port 5432, all at the same time without conflict.

Ports operate at the transport layer of the TCP/IP model, and they are used by both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP ports establish reliable, connection-oriented sessions with guaranteed delivery and ordering, making them ideal for web traffic, email, and file transfers. UDP ports, by contrast, provide connectionless, best-effort delivery without guarantees, which is suitable for DNS queries, streaming media, and online gaming where speed matters more than reliability. A port is considered open when a service is actively listening on it and accepting connections — and it is precisely these open ports that represent both the functional backbone of network communication and the primary target of network-based attacks.

Warning: Every open port is a potential entry point for attackers. According to Verizon's Data Breach Investigations Report, exploitation of internet-facing services through open ports accounts for a significant percentage of all data breaches. A single forgotten port — like an exposed RDP service on port 3389 — can lead to full system compromise, ransomware deployment, and catastrophic data loss. Always follow the principle of least privilege: if a port doesn't need to be open, close it immediately.
Figure: TCP/IP port ranges and categories.
Well-known ports (0–1023): 20/21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS. Binding requires root/admin privileges.
Registered ports (1024–49151): 1433 MSSQL, 3306 MySQL, 3389 RDP, 5432 PostgreSQL, 5900 VNC, 6379 Redis, 8080 HTTP-alt. IANA-assigned services.
Dynamic/ephemeral ports (49152–65535): temporary ports for outbound client connections, assigned automatically by the OS and released when the connection ends.

The 15 Most Common Ports — Services, Uses & Risk Levels

Port Reference and Risk Assessment

Understanding which ports are commonly used — and which pose the greatest security risks — is foundational to network security. The following table covers the 15 most frequently encountered ports on the internet, along with the services they host, their legitimate use cases, and the level of risk each port presents when exposed to the public internet. Security professionals and system administrators should use this as a reference when conducting port audits and hardening network configurations.

Port | Protocol | Service | Risk Level | Description & Primary Threats
20 | TCP | FTP Data | High | File transfer data channel. Transmits data in cleartext with no encryption. Paired with port 21 for FTP control. Vulnerable to packet sniffing and man-in-the-middle attacks.
21 | TCP | FTP Control | High | FTP command channel. Credentials are sent in plaintext, making them interceptable. Anonymous FTP access is commonly misconfigured, allowing unauthorized file access.
22 | TCP | SSH | Medium | Secure shell for encrypted remote administration. Generally safe when properly configured (key-only authentication, no root login), but constantly brute-forced by automated botnets that scan the default port.
23 | TCP | Telnet | Critical | Unencrypted remote terminal access. All data, including login credentials, is transmitted in plaintext. Should never be exposed to the internet under any circumstances.
25 | TCP | SMTP | Medium | Simple Mail Transfer Protocol for email relay. Abused as an open relay for spam if misconfigured, and used in phishing infrastructure. Should only be open on dedicated mail servers.
53 | TCP/UDP | DNS | Medium | Domain Name System resolution. Open recursive resolvers on UDP 53 are exploited for DNS amplification DDoS attacks. TCP 53 carries zone transfers (restrict AXFR to authorized secondaries only) and responses too large for UDP.
80 | TCP | HTTP | Medium | Unencrypted web traffic. All data is transmitted in cleartext. Should redirect to HTTPS (port 443) in modern configurations. Vulnerable to session hijacking and content injection.
110 | TCP | POP3 | High | Post Office Protocol for email retrieval. Credentials and messages transmitted in plaintext unless POP3S (port 995) or STARTTLS is used. Vulnerable to credential interception.
135 | TCP | RPC | Critical | Microsoft RPC endpoint mapper. Essential inside Windows domain environments but extremely dangerous when exposed to the internet. Used by worms and ransomware for lateral movement.
139 | TCP | NetBIOS | Critical | NetBIOS Session Service for Windows file sharing. Legacy protocol that should never be exposed publicly. Gives attackers share enumeration and null-session access.
143 | TCP | IMAP | Medium | Internet Message Access Protocol for email. Plaintext by default; use IMAPS (port 993) or STARTTLS instead. Vulnerable to credential sniffing on unsecured networks.
443 | TCP | HTTPS | Low | Encrypted web traffic via TLS. The standard for secure web communication. Must remain open for web services, but ensure the TLS configuration follows best practices (TLS 1.2+ only, no weak cipher suites).
445 | TCP | SMB | Critical | Server Message Block for Windows file and printer sharing. The vector for WannaCry ransomware via the EternalBlue exploit. Should never be exposed to the public internet.
3306 | TCP | MySQL | High | MySQL database server. Should only be accessible locally or through SSH tunnels or a VPN. Exposed instances are prime targets for credential brute-forcing, exploitation of unpatched server bugs, and bulk data exfiltration once an attacker authenticates.
3389 | TCP | RDP | Critical | Remote Desktop Protocol for Windows remote access. Heavily targeted by brute-force and credential-stuffing attacks. The BlueKeep vulnerability (CVE-2019-0708) allows unauthenticated remote code execution on unpatched systems. Must sit behind a VPN or gateway if used remotely.

These 15 ports account for the bulk of both legitimate network traffic and attack targets on the internet. Shodan, the internet-wide port scanning engine, consistently lists 443, 80, and 22 among the most commonly open ports on internet-facing hosts, while 445, 3389, and 135 are among the most frequently attacked. Rapid7's internet-exposure research has repeatedly found that a large share of internet-exposed RDP and SMB services remain unpatched against known vulnerabilities that allow remote code execution without authentication.

Why Open Ports Are Dangerous

Minimizing Your Attack Surface

Every open port on a system represents a door through which an attacker can attempt to gain entry. The fundamental principle of network security is minimizing the attack surface — and open ports are the most direct component of that surface. When a service listens on a port, it advertises its presence to anyone who probes that IP address, and if the service has a known vulnerability, a default configuration, or weak credentials, that port becomes an immediate point of exploitation. The danger is not merely theoretical: according to Verizon's Data Breach Investigations Report, exploitation of internet-facing services through open ports accounts for a significant percentage of all data breaches each year.

The risk posed by open ports is compounded by several factors. First, many services run with default configurations that prioritize convenience over security: default credentials, unnecessary features enabled, and verbose error messages that reveal system information. Second, administrators often open ports for temporary purposes and forget to close them, creating orphaned services that receive no security updates or monitoring. Third, even services that are intentionally exposed may contain zero-day vulnerabilities that have not yet been patched by the vendor, or known vulnerabilities that have not yet been patched by the operator. The Equifax breach of 2017, which exposed the personal data of 147 million people, was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638) in an internet-facing web application, months after the fix was available.

Figure: Attack vectors through open ports on a target server.
Brute force: SSH (22), RDP (3389), FTP (21) credential guessing.
Vulnerability exploit: EternalBlue (445), BlueKeep (3389), Log4j.
DDoS amplification: DNS (53), NTP (123), Memcached (11211).
Data exfiltration: MySQL (3306), Redis (6379), MongoDB (27017).
Lateral movement: RPC (135), SMB (445), WinRM (5985/5986).
Reconnaissance: port scanning, service fingerprinting, banner grabbing.
Each open port increases the attack surface; close everything that isn't explicitly needed.

The consequences of leaving unnecessary ports open can be severe and far-reaching. Attackers who gain access through an open port can install ransomware that encrypts critical business data, exfiltrate sensitive customer information leading to regulatory penalties under GDPR and CCPA, establish persistent backdoors for future access, or recruit the compromised server into a botnet for launching DDoS attacks against other targets. In enterprise environments, a single exposed port can serve as the foothold from which an attacker moves laterally across the entire network. NotPetya in 2017, which caused an estimated $10 billion in damages globally, entered organizations through a trojanized software update and then spread from machine to machine over SMB on port 445, using the EternalBlue exploit and stolen credentials; SMB reachable between hosts is what turned one infection into an enterprise-wide wipe.

Beyond direct exploitation, open ports also enable information disclosure. Service banners often reveal software versions, operating system details, and even internal hostnames. This intelligence allows attackers to craft targeted exploits specific to the exact software version running on the port. Additionally, misconfigured services on open ports can leak data directly — for example, exposed Elasticsearch (port 9200) or MongoDB (port 27017) instances have resulted in massive data breaches where databases were discovered with no authentication required, exposing millions of records to anyone who connected to the port.

Warning: The NotPetya attack of 2017 caused an estimated $10 billion in damages globally. Its initial entry was a compromised software update, but what made it catastrophic was SMB on port 445 being reachable between hosts: the malware spread laterally across entire networks in minutes, encrypting and destroying systems. This is why every unnecessary open port, internal as well as internet-facing, must be treated as a critical exposure. A single oversight can cascade into an enterprise-wide breach.

How to Check Open Ports

Regularly auditing open ports is a critical component of any network security program. You should check which ports are open on your systems at least monthly for production environments and immediately after any configuration changes. There are multiple methods to check open ports, ranging from simple local commands to comprehensive external scans, and each provides a different perspective on your security posture.

Local Port Checks

Local checks show which services are listening on a machine from the inside. These are useful for verifying your own server configuration, but they do not reflect what an external attacker would see (firewall rules may block some of these ports from the outside).

# Linux: Show all listening ports with process names
sudo ss -tulpn

# Alternative using netstat (older systems)
sudo netstat -tulpn

# macOS: Check listening ports
sudo lsof -i -P -n | grep LISTEN

# Windows: Show listening TCP ports and process IDs
netstat -ano | findstr LISTENING

# Windows: UDP endpoints have no LISTENING state, so list them separately
netstat -ano -p UDP

The ss -tulpn command is the most informative option on modern Linux systems. The flags break down as follows: -t shows TCP sockets, -u shows UDP sockets, -l shows only listening sockets, -p shows the process using each socket, and -n prevents DNS resolution for faster output. Look at the "Local Address:Port" column: every entry is a port currently accepting connections on the system. The address half matters as much as the port. A listener bound to 0.0.0.0 or [::] accepts connections on every interface and is a candidate for external exposure; one bound to 127.0.0.1 or [::1] is reachable only from the machine itself, regardless of firewall rules.

External Port Scans

External scans show which ports are reachable from the internet, which is the view an attacker gets, because they account for firewall rules and network address translation (NAT). Using an online port scanner like the one available at ippulsepro.com/port-scanner, or running Nmap from a host outside your network, gives the most accurate picture of your external attack surface because the probes originate from outside. Two caveats: the vantage point matters (a scanner whose source address is allowlisted or rate-limited by your firewall will not see what an arbitrary attacker sees), and you should only scan hosts you own or have explicit authorization to test.

# Nmap: Scan all 65535 TCP ports (SYN scan needs root; without it Nmap falls back to a connect scan)
sudo nmap -p- target-ip

# Nmap: Scan with service version detection
sudo nmap -sV -p 1-65535 target-ip

# Nmap: Quick scan of the 100 most common TCP ports
nmap -F target-ip

# Nmap: Scan specific ports
nmap -p 22,80,443,3306,3389 target-ip

# Nmap: Top 100 UDP ports (DNS, SNMP and NTP live here and are missed by TCP-only scans)
sudo nmap -sU --top-ports 100 target-ip

# Nmap: Aggressive scan (OS detection, version detection, default NSE scripts, traceroute)
sudo nmap -A -p- target-ip

For the most accurate security assessment, you should perform both local and external scans and compare the results. Ports that appear in local scans but not in external scans are protected by your firewall. Ports that appear in both represent your true external attack surface and should be carefully audited. If you find ports open externally that you did not expect, investigate immediately — they may indicate a misconfiguration, an unauthorized service, or a compromise.

Run a Local Port Check

Use sudo ss -tulpn on Linux or netstat -ano | findstr LISTENING on Windows to see which services are listening on your system. Document every port and the process associated with it.

Perform an External Port Scan

Use an online port scanner like IP Pulse Pro's Port Scanner or Nmap from an external network to see which ports are visible from the internet. This reveals your true attack surface, accounting for firewall rules and NAT.

Compare Local vs External Results

Ports open locally but not externally are protected by your firewall. Ports visible both locally and externally form your attack surface. Any unexpected externally-open ports require immediate investigation.

Document and Remediate

For every open port, document the service, its purpose, and its owner. Close any port that doesn't have a documented business need. For services that must remain open, ensure they are patched, configured securely, and monitored.
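The four steps above reduce to a reconciliation: parse what ss reports locally, parse what an external Nmap scan saw, and sort each listener into "exposed and documented", "exposed and unexpected", "loopback only", or "listening but firewalled". The script below is an added example, not code from IP Pulse Pro or Nmap. Both inputs are constructed samples in the real formats (ss -tulpn output and Nmap's grepable -oG output), and ALLOWED_PORTS stands in for the owner-approved port list the Document step produces.

```python
"""Reconcile local listeners (ss -tulpn) with an external scan (nmap -oG -)."""
import re
from dataclasses import dataclass

# Constructed sample of `sudo ss -tulpn` on the audited host (not a real system).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1350,fd=21))
tcp   LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1400,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=4))
"""

# Constructed sample of `nmap -p- -oG - 203.0.113.10` run from outside the network.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 6379/open/tcp//redis///\tIgnored State: filtered (65532)
# Nmap done
"""

# Assumption: the documented, owner-approved set of externally reachable ports.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 80)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        return self.addr.startswith("127.") or self.addr == "::1"


def parse_ss(text: str):
    """Parse `ss -tulpn` lines; the fifth column is Local Address:Port."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]      # [::]:22 -> ::, 127.0.0.53%lo:53 -> 127.0.0.53
        proc = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(fields[0], addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def parse_nmap_grepable(text: str):
    """Return the set of (proto, port) that Nmap's -oG output reports as open."""
    open_ports = set()
    for line in text.splitlines():
        m = re.search(r"Ports:\s*(.*?)(?:\s+Ignored State|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            parts = entry.strip().split("/")       # port/state/proto/owner/service/rpc/version/
            if len(parts) >= 3 and parts[1] == "open":
                open_ports.add((parts[2], int(parts[0])))
    return open_ports


def compare(local, external, allowed):
    """Bucket every local listener by what the outside world can actually reach."""
    report = {"exposed_unexpected": [], "exposed_expected": [],
              "loopback_only": [], "firewalled": [], "external_only": []}
    for lst in local:
        desc = f"{lst.proto}/{lst.port} {lst.process} bound to {lst.addr}"
        key = (lst.proto, lst.port)
        if key in external:
            report["exposed_expected" if key in allowed else "exposed_unexpected"].append(desc)
        elif lst.loopback_only:
            report["loopback_only"].append(desc)
        else:
            report["firewalled"].append(desc)       # bound to all interfaces, yet unreachable: filtered upstream
    known = {(lst.proto, lst.port) for lst in local}
    # Reachable from outside but nothing listens here: NAT, a proxy, or the scan hit the wrong host.
    report["external_only"] = sorted(f"{p}/{n}" for p, n in external - known)
    return report


if __name__ == "__main__":
    result = compare(parse_ss(SS_OUTPUT), parse_nmap_grepable(NMAP_GREPABLE), ALLOWED_PORTS)
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

On the sample data, Redis on 6379 lands in exposed_unexpected (bound to all interfaces, visible from outside, not on the approved list), MySQL and the stub resolver land in loopback_only, and sshd shows up twice in exposed_expected because it listens on both the IPv4 and IPv6 wildcard. Because the sample scan was TCP-only, a UDP listener bound to 0.0.0.0 would be reported as firewalled; feed the parser the output of a -sU scan as well before trusting that bucket.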

Port Scanning Techniques

Common Scanning Methods

Port scanning is the process of systematically probing a target host to determine which ports are open, closed, or filtered. Security professionals use port scanning to audit their own networks, while attackers use it for reconnaissance. Understanding scanning techniques helps you both conduct effective security assessments and understand how attackers enumerate your infrastructure. Scan only systems you own or have written authorization to test; unsolicited scanning of third-party hosts is treated as hostile by most organizations and is illegal in many jurisdictions.

The industry-standard tool for port scanning is Nmap (Network Mapper), which supports a wide range of scan types. The most important techniques include:

  • TCP SYN Scan (half-open scan): the default Nmap scan type when run with root privileges (nmap -sS). It sends a SYN packet and waits for a response. A SYN-ACK indicates the port is open (Nmap's host then resets the connection, so the handshake never completes), a RST indicates it is closed, and no reply or an ICMP unreachable indicates it is filtered. Because the service never sees an accepted connection, SYN scans are faster than full connects and usually absent from application logs, though any IDS or firewall watching the wire sees them plainly. It is the recommended scan type for most security assessments.
  • TCP Connect Scan (nmap -sT): completes the full TCP three-way handshake through the operating system's connect() call. This is the default scan type when Nmap runs without the privileges needed to craft raw packets. It is more detectable because the connection is fully established and logged by the target service, but it is the only option when raw sockets are unavailable.
  • UDP Scan (nmap -sU): sends a UDP datagram to each port, empty by default but with protocol-specific payloads for well-known services such as DNS and SNMP. An ICMP port-unreachable reply means closed, a UDP response means open, and silence means open|filtered. Because most open UDP ports stay silent, the scan must wait out timeouts and is significantly slower than TCP scanning. It is essential for finding DNS (53), SNMP (161), and NTP (123), which are commonly abused in amplification attacks.
  • TCP ACK Scan (nmap -sA): used to map firewall rules, not to find open ports. It sends ACK packets; a RST reply means the port is unfiltered (the packet reached the host, whether the port is open or closed), while no response or an ICMP unreachable means a firewall is filtering it. This is invaluable for verifying that perimeter rules behave as intended.
  • Service Version Detection (nmap -sV): probes open ports to determine the application and version running on them. This information is critical for vulnerability assessment, since advisories and exploits are tied to specific versions. Banners sometimes reveal hostnames or operating system details as well.
  • OS Fingerprinting (nmap -O): uses TCP/IP stack behaviour to identify the target's operating system. This helps attackers tailor their exploits and helps defenders verify that systems are running the expected, patched operating systems.

When conducting port scans for security auditing, always follow a structured methodology. Start with a fast scan of common ports (nmap -F) to get a quick overview, then perform a full port scan (nmap -p-) to ensure no unexpected services are hiding on non-standard ports. Follow up with service version detection (nmap -sV) on any open ports found, and document the results for comparison against future scans. Automated scanning tools and continuous monitoring platforms can alert you when new ports appear unexpectedly.
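To make the three states concrete, here is a miniature TCP connect scanner with banner grabbing, the technique behind nmap -sT and the simplest part of -sV. This is an added example, not Nmap code. It runs entirely on the loopback interface against a fake service it starts itself (the SSH banner it sends is constructed), so it works offline and without root; a SYN scan would need raw sockets and privileges, which is exactly why Nmap falls back to this method without them.

```python
"""Minimal TCP connect scanner with banner grabbing (nmap -sT / -sV, in miniature)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(sock: socket.socket, max_bytes: int = 128) -> str:
    """Read whatever the service volunteers right after connect (SSH, SMTP and FTP all do)."""
    try:
        return sock.recv(max_bytes).decode("ascii", errors="replace").strip()
    except (socket.timeout, OSError):
        return ""                      # HTTP and most databases wait for the client to speak first


def probe(host: str, port: int, timeout: float = 1.0):
    """Classify one port: open (handshake done), closed (RST), filtered (no answer in time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return port, "filtered", ""
        except ConnectionRefusedError:
            return port, "closed", ""
        except OSError:
            return port, "filtered", ""  # host unreachable and similar
        return port, "open", grab_banner(s)


def connect_scan(host: str, ports, timeout: float = 1.0, workers: int = 64):
    """Probe ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


class FakeService:
    """Loopback listener that greets every client with a constructed banner, so the demo runs offline."""

    def __init__(self, banner: bytes):
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))          # port 0: let the OS choose a free port
        self.sock.listen(8)
        self.sock.settimeout(0.2)                  # lets the accept loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def demo():
    """Scan one open and one closed loopback port; returns (results, open_port, closed_port)."""
    svc = FakeService(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner, not a real host
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]          # released on exit, so connects will be refused
    try:
        return connect_scan("127.0.0.1", [svc.port, closed_port]), svc.port, closed_port
    finally:
        svc.stop()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:>5}/tcp {state:<9} {banner}")
```

Two things worth noticing: the "filtered" verdict is only a timeout, so a slow network and a dropping firewall look identical to a connect scan (Nmap's SYN scan distinguishes them better by also reading ICMP errors), and the banner is whatever the service chose to send, which is why banner-based version detection is easy to fool and Nmap layers active probes on top of it.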

Nmap — Industry Standard

The most powerful and flexible port scanner available. Supports SYN, connect, UDP, ACK, and many other scan types. Includes service version detection, OS fingerprinting, and NSE scripting engine for vulnerability detection. Free and open source. Best for comprehensive security assessments by technical users. Command: nmap -sS -sV -p- target

IP Pulse Pro — Online Scanner

Free web-based port scanner requiring no installation. Instantly scans any public IP address for open ports and reports service information. Ideal for quick checks, non-technical users, and verifying your external attack surface from an outsider's perspective. No command-line knowledge required. Visit: ippulsepro.com/port-scanner

Shodan — Internet Intelligence

A search engine for internet-connected devices that continuously scans the entire internet and indexes open ports, services, and banners. Useful for reconnaissance and understanding what attackers can discover about your infrastructure. Provides API access for automated monitoring. Free tier available with limited queries. Visit: shodan.io

Masscan — Speed Optimized

The fastest port scanner ever built, capable of scanning the entire internet in under six minutes. Designed for large-scale reconnaissance at network scale. Transmits packets at up to 10 million per second. Best for scanning massive IP ranges quickly, but provides less service detail than Nmap. Free and open source. Command: masscan -p1-65535 target-range --rate=10000

How to Close Unnecessary Ports

Closing unnecessary ports is one of the most impactful security improvements you can make, and it should be the first step in any system hardening process. The principle is straightforward: if a service is not needed, it should not be running, and if it is needed but only internally, it should not be exposed to the internet. The process involves both stopping the underlying service and ensuring firewall rules block external access.

Closing Ports on Linux

On Linux systems, you need to identify the process using the port and then either stop the service or reconfigure it to listen only on internal interfaces. Use sudo ss -tulpn to find the process, then take appropriate action:

# Identify what's using a port
sudo ss -tulpn | grep :3306

# Stop a service (the unit is "mysql" on Debian/Ubuntu, "mysqld" or "mariadb" on other distributions)
sudo systemctl stop mysql
sudo systemctl disable mysql  # Prevent auto-start on boot

# Block a port using UFW (Ubuntu/Debian)
sudo ufw deny 3306/tcp
sudo ufw deny 23/tcp

# Block a port using iptables: insert at the top of INPUT so an earlier ACCEPT rule can't match first
sudo iptables -I INPUT 1 -p tcp --dport 3306 -j DROP
# Persist rules (needs iptables-persistent; the redirect must run as root, not as your user)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# Close a port using firewalld (RHEL/CentOS/Fedora). firewalld drops anything not explicitly
# allowed, so closing a port means removing the allow entry (port or service, whichever opened it)
sudo firewall-cmd --permanent --remove-port=3306/tcp
sudo firewall-cmd --permanent --remove-service=mysql
sudo firewall-cmd --reload
sudo firewall-cmd --list-all  # Verify that 3306 no longer appears

For services that need to remain running but should only be accessible locally, reconfigure the service to bind to 127.0.0.1 instead of 0.0.0.0. For example, in MySQL's configuration file, set bind-address = 127.0.0.1 to ensure the database only accepts connections from the local machine. Remote access should be provided through SSH tunnels or a VPN rather than directly exposing the port.

Closing Ports on Windows

Windows systems require a different approach, focusing on the Windows Defender Firewall and service management:

# View all listening ports and their processes
netstat -ano | findstr LISTENING

# Block a port using Windows Defender Firewall (PowerShell as Administrator).
# Block rules win over Allow rules, so this overrides any existing allow for port 23.
New-NetFirewallRule -DisplayName "Block Telnet" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block

# RDP: rather than a blanket Block rule (which also cuts off internal administrators), scope the
# built-in "Remote Desktop" allow rules to your management network. 10.0.0.0/8 is an example range.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress 10.0.0.0/8

# ...or disable the RDP allow rules entirely if Remote Desktop is not needed on this host
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Disable a Windows service (the Telnet Server service, where installed, is named TlntSvr)
Stop-Service -Name "TlntSvr" -Force
Set-Service -Name "TlntSvr" -StartupType Disabled

Closing Ports in Cloud Environments

Cloud environments add an additional layer of security groups and network access control lists (NACLs) that control port access. In AWS, for example, security groups act as virtual firewalls at the instance level. A common misconfiguration is creating security group rules with 0.0.0.0/0 (all IP addresses) as the source for sensitive ports like SSH, RDP, and database ports. Instead, restrict access to specific IP addresses or CIDR ranges that need it. In Azure, Network Security Groups (NSGs) serve the same purpose, and Google Cloud uses VPC firewall rules. Always apply the principle of least privilege: only allow traffic from the minimum set of sources necessary for the service to function correctly.
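The 0.0.0.0/0 misconfiguration is easy to catch mechanically. The function below, an added example rather than AWS tooling, walks security-group rules in the same shape the EC2 DescribeSecurityGroups API returns them and flags any rule that exposes one of the sensitive ports from the table above to the whole internet. The two groups it audits are constructed, with made-up group IDs; it also handles the IpProtocol "-1" (all traffic) rule that has no port fields at all and is the usual way a database group ends up world-open.

```python
"""Audit security-group rules for sensitive ports exposed to 0.0.0.0/0 or ::/0."""
import ipaddress

# Ports from the table above that should never be reachable from the whole internet.
SENSITIVE_PORTS = {
    22: "SSH", 23: "Telnet", 135: "RPC", 139: "NetBIOS", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 6379: "Redis", 27017: "MongoDB",
}

# Constructed sample in the DescribeSecurityGroups response shape; group IDs are made up.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "web-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0f1e2d3c4b5a69870", "GroupName": "db-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",                       # "all traffic": no FromPort/ToPort keys
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: a /0 prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def permitted_ports(perm: dict) -> range:
    """Ports a rule grants. IpProtocol -1 means every port of every protocol."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return range(0, 65536)
    if proto not in ("tcp", "udp"):
        return range(0)                  # icmp and friends carry no ports
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups):
    """Return one finding per (group, sensitive port) reachable from a world-open source."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_open(c)]
            if not world:
                continue                 # scoped to specific ranges: fine for this check
            ports = permitted_ports(perm)
            for port, service in SENSITIVE_PORTS.items():
                if port in ports:
                    findings.append({
                        "group": sg["GroupId"], "name": sg.get("GroupName", ""),
                        "proto": "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"],
                        "port": port, "service": service, "sources": world,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']} {f['proto']}/{f['port']} "
              f"open to {', '.join(f['sources'])}")
```

Against live AWS data the same function takes ec2.describe_security_groups()["SecurityGroups"] from boto3 unchanged; the Azure NSG and GCP firewall-rule formats differ in field names but the check is identical: a /0 source combined with a sensitive port. On the sample, web-sg produces one finding (SSH from 0.0.0.0/0, while 443 from anywhere is expected) and db-sg produces one finding per sensitive port, all attributable to the single "all traffic from ::/0" rule.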

Firewall Basics

Types of Firewalls

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls are the primary mechanism for controlling which ports are accessible from the network, and understanding how they work is essential for anyone responsible for system or network security. There are several types of firewalls, each operating at a different layer of the network stack and offering different capabilities.

Packet-filtering firewalls operate at the network and transport layers and make decisions based on source/destination IP addresses, port numbers, and protocols. They are fast but cannot inspect the content of packets. iptables, nftables, and UFW on Linux work at this level: a bare iptables rule is stateless, but with the conntrack match (which UFW enables by default through its established/related rule) the same tools become stateful. These firewalls process rules in order until a match is found, which is why a DROP appended after an existing ACCEPT for the same port has no effect.

Stateful firewalls track the state of network connections and make decisions based on the context of the traffic. They understand that a response to an outbound request should be allowed, even if no explicit rule permits inbound traffic on that port. Most modern firewalls, including Windows Defender Firewall and cloud security groups, are stateful. This is why you typically only need to configure inbound rules — outbound responses are automatically permitted.

Application-layer firewalls operate at layer 7 and inspect the content of the protocol itself; web application firewalls (WAFs), the most common kind, parse HTTP requests and can detect and block SQL injection, cross-site scripting, and other application-level attacks that pass straight through a packet filter. Cloudflare's WAF, AWS WAF, and ModSecurity are examples. They complement rather than replace port-level filtering: a WAF protects port 443, it does nothing about an exposed 3389.

Firewall Type | OSI Layer | Inspection Depth | Performance | Best For
Packet-filtering | Layer 3-4 | IP, port, protocol only | Very fast | Basic port blocking, network segmentation
Stateful | Layer 3-4 | Connection state tracking | Fast | Most network perimeter security
Application-layer | Layer 7 | Full payload inspection | Slower | Web application protection, API security
Next-gen (NGFW) | Layer 3-7 | Deep packet inspection, IPS | Moderate | Enterprise perimeter, threat prevention

Default-Deny: The Golden Rule of Firewalls

The most important firewall configuration principle is default-deny: start by denying all inbound traffic, then explicitly allow only the specific ports and sources that are required. This "whitelist" approach is far more secure than the "blacklist" approach of allowing everything and then trying to block known-bad traffic. Your firewall rules should be documented, regularly reviewed, and tested to ensure they are functioning as intended. Conduct periodic firewall rule audits to identify and remove stale rules, overly permissive rules, and rules that conflict with security policies.

For personal systems, enabling the built-in operating system firewall is a simple but effective measure. On Linux, set the default policy first with sudo ufw default deny incoming, add allow rules for anything you need (for example sudo ufw allow 22/tcp before enabling it on a remote box, or you will lock yourself out), then turn it on with sudo ufw enable. On Windows, ensure Windows Defender Firewall is turned on for all three network profiles (Domain, Private, Public). On macOS, enable the firewall under System Settings > Network > Firewall (Security & Privacy on older versions). These basic steps, combined with closing unnecessary ports, eliminate the vast majority of automated attacks against internet-facing services.

Tip: After making any firewall changes, always verify they're working by running an external port scan against your IP address. Rules that look correct in configuration may not behave as expected due to rule ordering, overlapping rules, or cloud provider defaults. An external scan from a tool like IP Pulse Pro's Port Scanner provides ground truth about your actual security posture.
