What Is a Port?
A port is a virtual endpoint in a network connection. When your browser connects to a website on port 443, or an email client connects to a mail server on port 587, it is using a numbered port to identify the specific service it wants to reach.
Ports 0–1023 are "well-known" ports reserved for standard services. Ports 1024–49151 are registered ports. Ports 49152–65535 are dynamic or private ports.
Why Open Ports Are a Risk
Every open port means a process is listening for incoming connections. If that process has a vulnerability, the open port is how attackers reach it. Each unnecessary open port expands your attack surface.
A principle of good server hardening is simple: if a port does not need to be open, close it.
High-Risk Ports to Watch
| Port | Service | Common Risk |
|---|---|---|
| 22 | SSH | Brute-force attacks; should be firewalled to known IPs only |
| 23 | Telnet | Unencrypted; should never be open on a public server |
| 3306 | MySQL | Database should never face the public internet |
| 5432 | PostgreSQL | Same as above |
| 3389 | RDP (Windows) | Common ransomware attack vector |
| 445 | SMB | EternalBlue/WannaCry exploit vector |
| 8080 | HTTP alt | Often a dev server accidentally left running in production |
How Attackers Use Port Scanning
Tools like Nmap and Masscan can scan the entire IPv4 address space for a specific port in under an hour. Automated bots continuously scan the internet looking for:
- SSH servers on port 22 → brute-force login attempts
- Redis servers on port 6379 with no authentication → immediate data theft
- Elasticsearch on port 9200 → unprotected databases exposed to the internet
If your server appears in one of these scans, attacks begin within minutes of the port opening.
How to Check Your Own Exposure
```bash
# Scan your own server from an external machine
nmap -sV -p 1-65535 your-server-ip
```
Or use an online tool like Shodan (shodan.io) to see what your server looks like from the internet's perspective.
Mitigation Strategies
- Firewall first. Use ufw, iptables, or cloud provider security groups to block all ports by default and only open what is needed.
- Principle of least privilege. Web server? Open 80 and 443. SSH? Restrict to your IP range or use a VPN instead.
- Move SSH off port 22. Not true security, but it eliminates the vast majority of automated brute-force noise.
- Monitor. Use tools like Fail2Ban to detect and block port-scanning and brute-force activity in real time.
- Scan regularly. Re-run a port scan after every infrastructure change to catch accidental over-exposure.
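As an added example (not code from the original article), the following Python script turns the "scan regularly" step into a check: it parses Nmap's grepable output (`nmap -sV -oG - your-server-ip`), compares the open TCP ports against an allow-list of what the server is supposed to expose, and annotates any unexpected port that appears in the high-risk table above. The scan output below is a constructed sample using a documentation address, and the allow-list assumes a plain web server.

```python
import re

# Risk notes for the ports discussed in the article; any other unexpected
# open port is still reported, just without a note.
HIGH_RISK = {
    22: "SSH: brute-force target, restrict to known IPs",
    23: "Telnet: unencrypted, never expose",
    445: "SMB: EternalBlue/WannaCry vector",
    3306: "MySQL: database should not face the internet",
    3389: "RDP: common ransomware vector",
    5432: "PostgreSQL: database should not face the internet",
    6379: "Redis: often unauthenticated",
    8080: "HTTP alt: dev server left running?",
    9200: "Elasticsearch: unprotected data",
}

# -oG port entries look like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/(\w+)//([^/]*)/")

# Constructed sample of `nmap -sV -oG -` output (not a real host).
SAMPLE_SCAN = """# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 23/filtered/tcp//telnet///, 80/open/tcp//http//nginx 1.24/, 443/open/tcp//ssl|http//nginx 1.24/, 3306/open/tcp//mysql//MySQL 8.0/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done
"""

# Assumed allow-list: a web server should only expose HTTP and HTTPS.
ALLOWED_PORTS = {80, 443}


def parse_grepable(text):
    """Return {port: service} for every TCP port reported open in -oG output."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for port, proto, service in PORT_RE.findall(line):
            if proto == "tcp":  # filtered/closed entries never match "open"
                open_ports[int(port)] = service or "unknown"
    return open_ports


def unexpected_ports(open_ports, allowed):
    """Return [(port, service, risk_note)] for open ports outside the allow-list."""
    return [(p, open_ports[p], HIGH_RISK.get(p, ""))
            for p in sorted(open_ports) if p not in allowed]


if __name__ == "__main__":
    for port, svc, note in unexpected_ports(parse_grepable(SAMPLE_SCAN), ALLOWED_PORTS):
        print(f"UNEXPECTED {port}/tcp ({svc}) {note}")
```

Run it after each infrastructure change with real scan output piped in; an empty result means the host exposes only what the allow-list permits.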
Summary
Open ports are not inherently dangerous — they are how networked services work. The risk is in having more ports open than necessary, outdated or unpatched services listening on those ports, or no authentication protecting what is exposed. Treat your firewall as your first and most important layer of defence.