Open Ports: Which Ones Are Dangerous and How to Close Them
Not all open ports are a problem, but some should never be exposed to the internet. Learn which ports are dangerous, why, and how to close them safely.
What is an open port?
Every network service listens on a port. That port is "open" from the internet's point of view when a service is listening on it and nothing in the path (a cloud security group, a host firewall, a bind address restricted to localhost) drops the traffic before it reaches the service. Some ports must be open (443 for HTTPS), but most management and database services should never be internet-facing.
Why open ports are dangerous
An open port is a potential entry point for attackers. Common attacks include:
- Brute force attacks -- automated tools try thousands of username/password combinations
- Exploitation of known vulnerabilities -- attackers look for unpatched services
- Information disclosure -- service banners reveal software versions
- Denial of service -- overwhelming a service with requests
Ports that should NEVER be exposed to the internet
| Port | Service | Risk |
|---|---|---|
| 22 | SSH | Brute force and credential stuffing; restrict to known IPs or a VPN (see below) |
| 23 | Telnet | Unencrypted (credentials cross the network in cleartext), deprecated -- replace with SSH and close immediately |
| 3306 | MySQL | Direct database access, data theft |
| 5432 | PostgreSQL | Direct database access, data theft |
| 3389 | RDP | Remote desktop, primary ransomware entry point |
| 6379 | Redis | Often runs without auth; full data access, and CONFIG SET lets a client write files on the host |
| 27017 | MongoDB | Often runs without auth, full data access |
| 9200 | Elasticsearch | Often runs without auth, full data access |
| 445 | SMB | Entry point for WannaCry (EternalBlue) and similar worms and ransomware |
| 1433 | MSSQL | Direct database access |
Ports that are usually fine
| Port | Service | Notes |
|---|---|---|
| 80 | HTTP | Fine if it redirects to 443 |
| 443 | HTTPS | Fine for web services, provided TLS is healthy (valid certificate, current protocol versions) |
| 25 | SMTP | Only if you run your own mail server |
| 587 | SMTP (submission) | For sending email via your mail server |
How to close an open port
On Linux (ufw)
# Block a specific port (ufw rules are evaluated in order; the first match wins)
sudo ufw deny 3306/tcp
# Allow a port from one trusted IP only: the allow rule must come BEFORE the deny,
# otherwise the deny matches first and the trusted IP is blocked too
sudo ufw allow from 192.168.1.10 to any port 3306 proto tcp
sudo ufw deny 3306/tcp
# Check current rules and their order (and that ufw is actually enabled)
sudo ufw status numbered
On Linux (iptables)
# Drop port 3306 on every interface except loopback, so local clients keep working.
# -I puts the rule at the top of INPUT; with -A an earlier ACCEPT rule would shadow it.
sudo iptables -I INPUT ! -i lo -p tcp --dport 3306 -j DROP
sudo ip6tables -I INPUT ! -i lo -p tcp --dport 3306 -j DROP
# iptables rules do not survive a reboot unless saved (e.g. netfilter-persistent / iptables-persistent)
On cloud providers
- AWS: Security Groups deny inbound traffic by default, so edit the Security Group attached to the EC2 instance and remove the inbound rule for the port (look especially for rules with source 0.0.0.0/0 or ::/0), or narrow its source to a trusted CIDR
- Azure: Edit the Network Security Group and remove the inbound allow rule, or add a Deny rule with a higher priority (a lower priority number) than the allow
- Google Cloud: Edit or delete the VPC firewall rule that allows the port, and check the source ranges on any rule you keep
On the service itself
Closing the port in the firewall is the primary fix, but do both: also configure the service to listen only on localhost, so that a firewall mistake later (a rule removed while debugging, a new instance launched without the right group) does not immediately expose it. After the change, restart the service and confirm with ss -tln that the port now shows 127.0.0.1 rather than 0.0.0.0 or [::].
MySQL example (/etc/mysql/mysql.conf.d/mysqld.cnf on Debian/Ubuntu):
bind-address = 127.0.0.1
Redis example (/etc/redis/redis.conf); keep protected-mode on and set a password with requirepass as well, since anything on the host can otherwise talk to it:
bind 127.0.0.1
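Before closing anything, find out what is actually listening and on which address. `ss -tln` lists every TCP listener and shows whether it is bound to all interfaces (`0.0.0.0`, `[::]` or `*`) or only to loopback. The script below is an added example, not code from this article or from SurfaceScan: it parses that output and flags the ports from the table above that are bound to all interfaces. The port list and the sample `ss` lines are constructed for illustration. Keep in mind that `ss` shows the host's own view; a host firewall or cloud security group that drops the traffic is invisible here, so confirm the outside view with a scan from another network.

```shell
#!/bin/sh
# Added example, not from the original article: flag high-risk ports that are
# listening on a wildcard address. Feed it the output of `ss -H -tln`
# (no header, TCP, listening, numeric). The port list mirrors the table above;
# RISKY_PORTS is an assumption, adjust it for your environment.
RISKY_PORTS="22 23 445 1433 3306 3389 5432 6379 9200 27017"

# Reads ss-style lines on stdin. Prints "EXPOSED <port> <addr>" when a risky
# port is bound to all interfaces (0.0.0.0, [::] or *), "LOCAL <port> <addr>"
# when it is bound to a specific address such as 127.0.0.1. Exit status is 1 if
# anything is exposed, 0 otherwise, so a deploy script can gate on it.
audit_listeners() {
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}   # text after the last colon, works for [::]:22 too
        addr=${laddr%:*}    # text before the last colon
        case " $RISKY_PORTS " in
            *" $port "*) ;;  # risky port, keep going
            *) continue ;;   # not in the list, ignore
        esac
        case "$addr" in
            0.0.0.0|'*'|'[::]'|'::')
                echo "EXPOSED $port $addr"; exposed=1 ;;
            *)
                echo "LOCAL $port $addr" ;;
        esac
    done
    return "$exposed"
}

# Constructed sample of `ss -H -tln` output (not captured from a real host):
# SSH on all interfaces, HTTPS, MySQL on loopback only, Redis and MongoDB exposed.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:6379 *:*
LISTEN 0 4096 0.0.0.0:27017 0.0.0.0:*'

# Wrapper for the sample; on a live host run:  ss -H -tln | audit_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}

audit_sample || echo "risky ports are reachable on all interfaces; fix before exposing this host"
```

Run it on the sample and you get four EXPOSED lines (22 twice, 6379, 27017) and one LOCAL line for 3306. To see what the firewall actually lets through, scan the host from outside, for example `nmap -Pn -p 22,23,445,1433,3306,3389,5432,6379,9200,27017 <host>`, and compare the two lists.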
SSH: How to secure it instead of closing it
SSH needs to be accessible for server management, but exposing it to the entire internet is risky. Better approaches:
- Restrict to known IPs -- allow port 22 only from your office, home or bastion IP (firewall rule or security group) and deny everything else
- Use SSH keys -- disable password authentication entirely (PasswordAuthentication no), and disable keyboard-interactive authentication too, since PAM can otherwise still accept a password through that path
- Change the port -- this is obscurity, not security: it cuts log noise from mass scanners but does nothing against an attacker who scans all ports, so only do it in addition to the measures above
- Use a VPN -- put SSH behind a VPN so it is not internet-facing at all
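Whether SSH is really key-only is best checked against what sshd enforces, not against one config file: Debian and Ubuntu ship an `Include /etc/ssh/sshd_config.d/*.conf` line, and a drop-in there can silently re-enable passwords. `sudo sshd -T` prints the effective configuration, one lowercase keyword and its value per line. The script below is an added example, not code from this article or from SurfaceScan; it reads that output and reports the settings this section recommends. The two sample outputs are constructed rather than captured from a host.

```shell
#!/bin/sh
# Added example, not from the original article: check the effective sshd
# settings for the hardening this section recommends. Feed it the output of
# `sudo sshd -T`, which prints the configuration sshd actually enforces after
# Include files and Match blocks are resolved, rather than what one file says.
# Usage on a live host:  sudo sshd -T | audit_sshd

# Reads `sshd -T` lines on stdin. Prints one FAIL line per weak setting and an
# INFO line with the listening port(s). Exit status is 1 if anything failed.
audit_sshd() {
    # Values assumed when a keyword is missing (sshd -T normally prints them all)
    pw=yes; kbd=yes; pubkey=yes; root=prohibit-password; ports=""
    # Newer OpenSSH prints kbdinteractiveauthentication; older releases print
    # challengeresponseauthentication for the same setting, so accept both.
    while read -r key value rest; do
        case "$key" in
            passwordauthentication) pw=$value ;;
            kbdinteractiveauthentication|challengeresponseauthentication) kbd=$value ;;
            pubkeyauthentication)   pubkey=$value ;;
            permitrootlogin)        root=$value ;;
            port)                   ports="$ports $value" ;;
        esac
    done
    bad=0
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication is $pw (want no)"; bad=1; }
    # With PAM, keyboard-interactive can still accept a password even when
    # PasswordAuthentication is off, so it has to be disabled as well.
    [ "$kbd" = no ] || { echo "FAIL KbdInteractiveAuthentication is $kbd (want no)"; bad=1; }
    [ "$pubkey" = yes ] || { echo "FAIL PubkeyAuthentication is $pubkey (want yes)"; bad=1; }
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin is $root (want no or prohibit-password)"; bad=1 ;;
    esac
    echo "INFO sshd listens on port(s):${ports:- 22}"
    return "$bad"
}

# Constructed samples (not captured from a real host). The first is a typical
# stock configuration; the second is what you want to see after hardening.
WEAK='port 22
addressfamily any
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin yes'

HARDENED='port 2222
addressfamily any
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

audit_weak()     { printf '%s\n' "$WEAK"     | audit_sshd; }
audit_hardened() { printf '%s\n' "$HARDENED" | audit_sshd; }

audit_weak || echo "weak sshd settings found"
audit_hardened && echo "hardened sshd settings look good"
```

To get from the first sample to the second, put `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `PermitRootLogin prohibit-password` in a drop-in such as /etc/ssh/sshd_config.d/50-hardening.conf, run `sudo sshd -t` to validate the syntax, restart sshd, and keep your current session open until a fresh key-based login from a second terminal succeeds.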
How SurfaceScan helps
SurfaceScan performs port scanning on all your IPs on every scan. It flags high-risk ports (database ports, RDP, Telnet) as findings with risk badges and recommended actions in the Open Ports section.
Related articles
How to Set Up DKIM for Your Domain
DKIM prevents email spoofing by adding a cryptographic signature to outgoing emails. Step-by-step setup guide for common email providers.
TLS Certificate Expired: How to Fix and Prevent
An expired TLS certificate causes browser security warnings. Learn how to renew it quickly with Let's Encrypt or commercial CAs, and prevent it from happening again.