QUICK ANSWER
You can check for open ports using an online port scanner or command-line tools like nmap. A port scan tests which of the 65,535 possible network ports on your server are accepting connections. Open ports that shouldn't be — like databases (3306, 5432), admin panels (8080), or development servers — are a serious security risk that attackers actively exploit.
Every server connected to the internet has 65,535 network ports. Some of these ports need to be open so that your website, email, and other services can receive connections. But many ports should be firmly closed. An open port that is not needed is an unnecessary risk, and an open port running an outdated or misconfigured service is an open door for attackers.
Automated bots scan the entire internet continuously, probing every publicly reachable IP address for open ports. They test known vulnerable services, default credentials, and unpatched software. If your database port is open to the internet, it will be found. Not possibly. Certainly. Often within hours of a new server coming online.
A port is a numbered endpoint for network communication on a server. When your browser loads a website, it connects to port 443 on the server (for HTTPS). When you send an email, your mail client connects to port 587 (for SMTP submission). Different services listen on different ports.
Think of an IP address as a building and ports as the doors into that building. Port 80 and 443 are the front door and need to be open. Port 3306 (MySQL) is a back room that should have its door locked to visitors.
Here are the ports you are most likely to encounter:
| Port | Service | Should it be public? |
|---|---|---|
| 21 | FTP (file transfer) | No. Use SFTP (port 22) instead. |
| 22 | SSH (secure shell) | Restrict to specific IPs only. |
| 25 | SMTP (email sending) | Usually, for mail servers only. |
| 53 | DNS (domain name system) | Yes, if running your own DNS. |
| 80 | HTTP (web traffic) | Yes, but redirect to HTTPS. |
| 443 | HTTPS (secure web traffic) | Yes. This is your website. |
| 3306 | MySQL database | Never. Should be localhost only. |
| 5432 | PostgreSQL database | Never. Should be localhost only. |
| 6379 | Redis cache | Never. Frequently exploited. |
| 8080 | Alternative HTTP / admin panels | Usually no. Often exposes admin UIs. |
| 8443 | Alternative HTTPS | Only if intentionally serving traffic. |
| 27017 | MongoDB | Never. Ransomware targets open MongoDB. |
For a typical web server, only these ports should be publicly accessible:
Everything else should be closed to the public internet or restricted to specific IP addresses. SSH (port 22) is often necessary for server administration, but it should be limited to your own IP address or accessed through a VPN, not open to the entire internet.
nmap is the industry-standard port scanning tool. It is free, open-source, and available for Linux, macOS, and Windows.
Basic scan of common ports:
nmap yourdomain.com
Scan the 1,000 most common ports with service and version detection:
nmap -sV yourdomain.com
The -sV flag probes open ports to determine the service and version running on them. This helps you identify outdated software.
Scan all 65,535 ports:
nmap -p- yourdomain.com
This takes longer but finds services running on non-standard ports. Some administrators try to "hide" services on unusual port numbers. This is called security through obscurity and it does not work. A full port scan finds them anyway.
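To act on a scan result rather than read it by eye, the following added example (not part of the original article) checks nmap's grepable output against the table's "do not expose" rows. The `-oG -` option is a real nmap flag not used above; the function names, the `NEVER_PUBLIC` list and the sample scan line are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: apply the port table's "do not expose" rows to nmap output.
# Input: nmap grepable output on stdin, e.g.  nmap -p- -oG - yourdomain.com
# NEVER_PUBLIC is taken from the table (FTP plus the "Never" rows).
NEVER_PUBLIC="${NEVER_PUBLIC:-21 3306 5432 6379 27017}"

flag_exposed() {
  awk -v never="$NEVER_PUBLIC" '
    BEGIN { n = split(never, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^Host: / && /Ports: / {
      host = $2
      ports = $0
      sub(/.*Ports: /, "", ports)   # keep only the port list
      sub(/\t.*/, "", ports)        # drop any tab-separated field after it
      m = split(ports, entry, ", ")
      for (i = 1; i <= m; i++) {
        # Each entry: port/state/protocol/owner/service/rpc/version/
        split(entry[i], f, "/")
        if (f[2] == "open" && (f[1] in bad))
          printf "EXPOSED %s %s/%s %s\n", host, f[1], f[3], f[5]
      }
    }'
}

# Constructed sample scan result (203.0.113.10 is a documentation address).
sample_scan() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 203.0.113.10 (yourdomain.com)\tStatus: Up\n'
  printf 'Host: 203.0.113.10 (yourdomain.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 6379/filtered/tcp//redis///\tIgnored State: closed (995)\n'
}

sample_scan | flag_exposed
```

Only ports in the `open` state are reported; the filtered Redis port in the sample is not flagged because the scan could not reach it.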
If you do not have access to nmap or prefer a web-based tool, several online port scanners can check your server. PulseShield's free security scan includes port scanning alongside checks for security headers, SSL configuration, and cookie settings.
External scans show you what the internet can see. Internal scans show you what is actually running on your server. Both perspectives are valuable.
To see which services are listening on your Linux server:
sudo ss -tlnp
or
sudo netstat -tlnp
This lists all listening TCP ports along with the process that opened them. Compare this list against what you expect to be running. Any unexpected service should be investigated.
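The comparison against "what you expect to be running" can be scripted. This added example (not from the original article) reads `ss -tlnp` output and reports listeners that are bound to a non-loopback address and are not on an expected-ports list; the `ALLOWED` policy, the function names and the sample output are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: list TCP listeners that other hosts could reach and that
# are not on an expected-ports list. Feed it:  sudo ss -tlnp | audit_listeners
# ALLOWED is an assumed policy; set it to the ports you intend to expose.
ALLOWED="${ALLOWED:-22 80 443}"

audit_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] becomes ::1
      sub(/%.*/, "", addr)                   # 127.0.0.53%lo becomes 127.0.0.53
      loopback = (addr ~ /^127\./ || addr == "::1")
      if (!loopback && !(port in ok))
        printf "REVIEW port %s on %s %s\n", port, addr, $6
    }'
}

# Constructed sample of ss -tlnp output.
sample_ss() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=901,fd=6))
LISTEN 0      151          0.0.0.0:3306      0.0.0.0:*    users:(("mysqld",pid=1034,fd=22))
LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=977,fd=6))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0      4096            [::]:8080         [::]:*    users:(("java",pid=1200,fd=45))
EOF
}

sample_ss | audit_listeners
```

A listener reported here may still be blocked by a firewall, so treat the output as a list to check against an external scan, not as proof of exposure.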
If you find an open port that should not be there, take these steps:
Use sudo ss -tlnp or sudo lsof -i :PORT to find out which process is listening on the port. This tells you what service is running and whether it should be there at all.
If the service is a development server, a test database, or something else that should not be running on a production server, stop it:
sudo systemctl stop servicename
sudo systemctl disable servicename
If the service needs to run but should not be publicly accessible, block external access using your server's firewall:
Using UFW (Ubuntu/Debian):
sudo ufw deny 3306/tcp
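Using iptables (the rule is appended to the end of the INPUT chain, so it only takes effect if no earlier rule already accepts the traffic):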
sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
Using cloud provider security groups (AWS, Azure, Google Cloud), remove the inbound rule for the port entirely.
If you need to access a service (like SSH) but do not want it open to the world, restrict it to specific IP addresses:
sudo ufw allow from YOUR_IP_ADDRESS to any port 22
This ensures only connections from your IP address can reach the SSH port.
After making changes, run another port scan from outside your network to confirm the port is no longer visible. A port that appears closed from the outside but remains open internally is properly secured.
An exposed database is one of the most serious security risks. Attackers can attempt brute-force password attacks, exploit known vulnerabilities in the database software, or, in the case of MongoDB and Redis, access data without authentication if default configurations are in place.
MongoDB specifically has been the target of mass ransomware campaigns. Automated scripts scan for open MongoDB instances, export the data, delete the original, and leave a ransom note demanding payment for the data's return.
Redis is frequently deployed without authentication by default. An open Redis port can allow an attacker to read and write data, execute commands via Redis's Lua scripting, or even write SSH keys into the server's authorised_keys file to gain shell access.
Web-based admin panels (Tomcat, Webmin, cPanel, phpMyAdmin) are frequently left accessible on alternative HTTP ports. These panels often have authentication, but default credentials, known vulnerabilities, and weak passwords make them a common entry point.
FTP transmits credentials and data in plaintext. Anyone on the same network can intercept FTP traffic and capture usernames and passwords. Use SFTP (over SSH, port 22) or HTTPS-based file transfer instead.
SSH itself is secure when properly configured, but an SSH port open to the internet will be subjected to relentless brute-force attacks. Bots try thousands of common usernames and passwords around the clock. Mitigate this by:
Disabling root login (PermitRootLogin no in sshd_config)
Both perspectives matter. An internal scan (from the server itself) shows what services are running. An external scan (from the internet) shows what attackers can actually reach. A port can be open locally but blocked by a firewall, which means it is safe from external attack but still worth knowing about.
Conversely, a service that is only accessible from localhost (127.0.0.1) is generally safe from external attack, but you should still verify this with an external scan. Misconfigured firewalls or NAT rules can sometimes expose services you thought were internal-only.
PulseShield's free scan performs an external scan of your domain, checking which ports are visible from the internet. This gives you the attacker's perspective: exactly what they can see when they look at your server.
Run a free scan to see which ports are visible on your server, plus security headers, SSL, and more.