The Most Dangerous Open Ports and How Attackers Use Them
Why is RDP the most exploited open port?
RDP is the primary target for multiple reasons:
Full system access. A successful RDP login gives the attacker complete desktop access to the target machine - equivalent to sitting at the keyboard. From there, lateral movement, data exfiltration, and ransomware deployment are straightforward.
Brute-force susceptibility. Many RDP instances use password authentication with no account lockout policy. Automated tools such as Hydra and NLBrute cycle through credential lists unattended, and Network Level Authentication does not stop them: it only moves the password guess into the CredSSP handshake. Credential lists from previous data breaches make these attacks far more effective.
Critical vulnerabilities. BlueKeep (CVE-2019-0708) allowed unauthenticated remote code execution on RDP. Although patched in 2019, exposed RDP instances running unpatched Windows remain common.
Ransomware favourite. According to Sophos’s State of Ransomware 2024 report, compromised RDP credentials were the initial access vector in 30% of ransomware incidents. Attackers purchase stolen RDP credentials on dark web marketplaces for as little as a few pounds per system.
Which database ports should never be internet-facing?
| Port | Service | Risk When Exposed |
|---|---|---|
| 3306 | MySQL | Direct database access; root accounts with empty or weak passwords, or permitted to log in from any host, are common |
| 5432 | PostgreSQL | Passwordless login if pg_hba.conf uses trust authentication; a superuser can then run OS commands via COPY FROM PROGRAM |
| 27017 | MongoDB | No authentication, and bound to all interfaces, by default in older releases; mass data theft and ransom campaigns |
| 1433 | MS SQL Server | xp_cmdshell enables OS command execution from SQL |
| 6379 | Redis | No authentication by default; CONFIG SET lets anyone with write access drop files such as an authorized_keys or cron entry, giving RCE |
| 9200 | Elasticsearch | Authentication disabled by default before 8.0; data exposure, deletion and ransom notes |
MongoDB is a cautionary example. In 2017, ransomware campaigns targeted thousands of internet-facing MongoDB instances that had no authentication enabled. Attackers deleted the data and left ransom notes. The same pattern has repeated with Redis and Elasticsearch instances.
What makes SSH exposure risky?
SSH is not inherently insecure - it is encrypted and well-designed. The risk comes from how it is deployed:
Brute-force attacks. An internet-facing SSH server receives thousands of login attempts per day from automated botnets. If password authentication is enabled with weak passwords, compromise is a matter of time.
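The detection side of this, as an added example (not code from the article or from fail2ban): a sliding-window rule over sshd's syslog lines that bans a source after a set number of failed logins inside a window, which is what a fail2ban sshd jail does. The log lines are constructed samples; syslog timestamps carry no year, so the year is assumed.

```python
"""Sliding-window SSH brute-force detection over auth.log-style lines.

Added example for this article (not code from the article or from
fail2ban): it implements the rule fail2ban's sshd jail applies, banning a
source after MAX_FAILURES failed logins within WINDOW_SECONDS. The log
lines below are constructed samples in OpenSSH's syslog format; that
format carries no year, so LOG_YEAR is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2024          # assumed: syslog timestamps omit the year
MAX_FAILURES = 5         # failures from one source before it is banned
WINDOW_SECONDS = 600     # sliding window the failures must fall within

# sshd's failure lines for password and public-key auth, including the
# "invalid user" form logged for accounts that do not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2(?::.*)?$"
)

# Constructed sample: one source guessing hard, one legitimate key user
# with a single bad key, and one slow guesser that stays under the window.
SAMPLE_LOG = """\
Mar 14 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 10:00:03 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 14 10:00:05 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 14 10:00:07 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 14 10:00:09 bastion sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Mar 14 10:00:11 bastion sshd[2111]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar 14 10:01:00 bastion sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:ConstructedSampleFingerprint
Mar 14 10:02:00 bastion sshd[2130]: Failed publickey for deploy from 198.51.100.4 port 40030 ssh2: ED25519 SHA256:ConstructedSampleFingerprint
Mar 14 10:05:00 bastion sshd[2140]: Failed password for ubuntu from 192.0.2.9 port 60001 ssh2
Mar 14 10:17:00 bastion sshd[2141]: Failed password for ubuntu from 192.0.2.9 port 60002 ssh2
Mar 14 10:29:00 bastion sshd[2142]: Failed password for ubuntu from 192.0.2.9 port 60003 ssh2
Mar 14 10:41:00 bastion sshd[2143]: Failed password for ubuntu from 192.0.2.9 port 60004 ssh2
Mar 14 10:53:00 bastion sshd[2144]: Failed password for ubuntu from 192.0.2.9 port 60005 ssh2
"""


def parse_ts(text):
    """Turn a syslog timestamp into a datetime using the assumed year."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {ip: (failures_in_window, ban_time)} for every source that
    reached max_failures failed logins inside the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= max_failures:
            banned[m["ip"]] = (len(q), ts)
    return banned


if __name__ == "__main__":
    for ip, (count, when) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: {count} failures, last at {when:%H:%M:%S}")
```

The slow guesser at 192.0.2.9 never trips the default ten-minute window, which is the trade-off of any threshold rule: widening the window catches low-and-slow sources at the cost of banning a legitimate user who fumbles a few logins across an afternoon. Disabling password authentication removes the decision entirely.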
Key management failures. SSH key authentication is secure when keys are properly managed. But shared keys, keys without passphrases stored on developer laptops, and keys that are never rotated create long-lived access that is difficult to revoke.
Vulnerability exposure. CVE-2024-6387 (regreSSHion) is a signal-handler race in the OpenSSH server, affecting versions 8.5p1 through 9.7p1 on glibc-based Linux, that allows unauthenticated remote code execution as root. Winning the race takes many thousands of connection attempts over hours, which is exactly the traffic an internet-facing sshd absorbs every day without anyone noticing.
If SSH must be internet-facing, mitigate the risk: disable password authentication entirely, use key-based auth only, deploy fail2ban or similar rate limiting, use a non-standard port (obscurity is not security, but it reduces noise), and restrict source IPs where possible.
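To check a host against those mitigations, here is an added example (not code from the article or from OpenSSH) that audits the global section of an sshd_config the way sshd reads it: keywords are case-insensitive, the first occurrence of a keyword wins, and Match blocks are skipped because their overrides are conditional. The weak and hardened configs are constructed samples; the OpenSSH defaults table is what sshd uses when a keyword is absent.

```python
"""Audit the global section of an sshd_config for exposure-relevant settings.

Added example for this article (not code from the article or from
OpenSSH). It reads keywords the way sshd does for the global section
(case-insensitive, first occurrence wins, Key=value accepted) and reports
settings that leave password guessing or direct root login possible.
Match blocks are skipped because their overrides are conditional. The two
configs are constructed samples: a stock-looking weak file and a hardened
one following the mitigations above.
"""
import re

# OpenSSH's own defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
# Deprecated spelling that sshd still treats as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# Constructed sample: the kind of sshd_config found on a fresh cloud image
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# Constructed sample: hardened for an internet-facing host
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 20
AllowGroups ssh-users
# Passwords only from the office range; everything else keeps the global no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                         # conditional overrides: out of scope
        settings.setdefault(key, value)   # sshd keeps the first value it sees
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the global section
    matches the hardened baseline."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: passwords can be brute-forced; set to no")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication yes: PAM can still prompt for a password "
                        "even with PasswordAuthentication no; set to no")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is directly guessable; set to no or prohibit-password")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication no: keys cannot replace passwords; set to yes")
    if cfg["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords are open; set to no")
    if int(cfg["maxauthtries"]) > 4:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: many guesses per connection; lower to 4 or fewer")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is reachable over SSH")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

The KbdInteractiveAuthentication check is the one most often missed: with UsePAM yes, setting PasswordAuthentication no alone still leaves a password prompt reachable through keyboard-interactive authentication. On a live host, `sshd -T` prints the effective values and is the input to feed this audit rather than the raw file.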
How dangerous is SMB exposure?
SMB has been responsible for some of the most destructive cyberattacks in history:
- WannaCry (2017) - used EternalBlue (CVE-2017-0144) to spread via SMB, encrypting files on over 200,000 computers in 150 countries
- NotPetya (2017) - also exploited EternalBlue via SMB, causing an estimated $10 billion in damages globally
- Ongoing exploitation - despite these high-profile incidents, Shodan consistently finds hundreds of thousands of SMB services exposed to the internet
SMB (TCP 445, and 139 for NetBIOS session service) should be blocked at the perimeter firewall with no exceptions. Internal SMB traffic should be restricted to the segments that need it.
How SurfaceLoop handles this
SurfaceLoop’s open port scanning identifies every TCP port accepting connections across your external attack surface. It flags dangerous services like RDP, SMB, and exposed databases, and alerts when new ports open on your infrastructure - whether from intentional changes or misconfiguration.
What should you do about open ports on your attack surface?
A practical approach:
- Inventory all open ports across your external attack surface using an EASM platform or port scanner
- Classify each port as intentionally public, intentionally restricted, or unknown/unexpected
- Close unnecessary ports at the firewall level - database ports, SMB, remote management interfaces
- Restrict access on ports that must remain open but should not be universally accessible (SSH, RDP) - use VPN, IP allowlisting, or zero-trust access
- Harden remaining services - patch software, enforce strong authentication, disable unnecessary features
- Monitor continuously - new ports opening unexpectedly may indicate misconfiguration, compromise, or shadow IT
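The inventory, classify and monitor steps above, as an added example (not code from the article or from any EASM product): it parses nmap's greppable output for open TCP ports, labels each against a per-host policy as intentionally public, restricted or unknown/unexpected, rates the services this article names as never-public, and diffs the result against a previous snapshot so newly opened ports stand out. The scan output, hosts and policy are constructed sample data, and the scan is assumed to come from an internet vantage point that is not on any allowlist, so a "restricted" port seen open is a control that is not working.

```python
"""Classify an external port inventory and surface new exposures.

Added example for this article (not code from the article or any EASM
product). Parses nmap -oG output for open TCP ports, classifies each port
against a per-host policy, rates the high-risk services named in the
article and diffs against a previous snapshot. All hosts, ports, policy
and scan text below are constructed sample data. Assumption: the scan ran
from an internet vantage point that is on no allowlist, so a port policy
marks "restricted" should not be open from here at all.
"""
import re

# Services the article says should never be internet-facing.
HIGH_RISK = {
    3389: "RDP", 445: "SMB", 139: "NetBIOS/SMB", 3306: "MySQL",
    5432: "PostgreSQL", 27017: "MongoDB", 1433: "MS SQL Server",
    6379: "Redis", 9200: "Elasticsearch",
}

# Constructed policy: what each host is meant to expose.
POLICY = {
    "www.example.com":     {"public": {80, 443}, "restricted": set()},
    "bastion.example.com": {"public": set(),     "restricted": {22}},
    "db01.example.com":    {"public": set(),     "restricted": set()},
}

# Constructed nmap -oG output. Each port entry is
# port/state/proto/owner/service/rpcinfo/version/
CURRENT_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 203.0.113.10 (www.example.com)\tStatus: Up",
    "Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx/, "
    "443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy///, 22/filtered/tcp//ssh///"
    "\tIgnored State: closed (996)",
    "Host: 203.0.113.11 (bastion.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/"
    "\tIgnored State: filtered (999)",
    "Host: 203.0.113.12 (db01.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///, "
    "27017/open/tcp//mongodb///\tIgnored State: closed (998)",
])

# Previous snapshot, e.g. the parsed result of last week's scan.
PREVIOUS_OPEN = [
    ("www.example.com", 80, "http"),
    ("www.example.com", 443, "https"),
    ("bastion.example.com", 22, "ssh"),
]

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return [(host, port, service)] for every open TCP port in -oG output."""
    found = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts: " not in line:
            continue
        host = m.group(2) or m.group(1)          # hostname if rDNS gave one, else IP
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                found.append((host, port, service))
    return found


def classify_port(host, port, service, policy=POLICY):
    """Label one open port against the policy and rate it."""
    rules = policy.get(host, {"public": set(), "restricted": set()})
    if port in rules["public"]:
        status = "intentionally public"
        severity = "high" if port in HIGH_RISK else "info"   # policy allows a risky service
    elif port in rules["restricted"]:
        status = "restricted port reachable from an unallowlisted source"
        severity = "high"
    else:
        status = "unknown/unexpected"
        severity = "critical" if port in HIGH_RISK else "medium"
    return {"host": host, "port": port, "service": HIGH_RISK.get(port, service),
            "status": status, "severity": severity}


def classify_inventory(scan, policy=POLICY):
    return [classify_port(h, p, s, policy) for h, p, s in scan]


def new_exposures(current, previous):
    """(host, port) pairs open now that were not open in the previous snapshot."""
    seen = {(h, p) for h, p, _ in previous}
    return sorted((h, p) for h, p, _ in current if (h, p) not in seen)


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    open_ports = parse_gnmap(CURRENT_GNMAP)
    for f in classify_inventory(open_ports):
        print(f"{f['severity']:8} {f['host']}:{f['port']} {f['service']}: {f['status']}")
    print("new since last snapshot:", new_exposures(open_ports, PREVIOUS_OPEN))
```

The vantage point assumption matters: a scan run from an allowlisted office range would show the bastion's port 22 as open and correct, while the same result from an arbitrary internet address means the allowlist is missing. Run the inventory from outside every allowlist, keep the previous snapshot, and treat the diff as the alert feed.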
Frequently asked questions
- Which open port is most dangerous?
- RDP (port 3389) is consistently one of the most dangerous ports to expose to the internet. It provides full graphical desktop access, is frequently targeted by brute-force attacks, and has a history of critical vulnerabilities including BlueKeep (CVE-2019-0708). RDP exposure is a leading initial access vector in ransomware attacks.
- Should port 22 (SSH) be open to the internet?
- Ideally no. While SSH is more secure than many alternatives, exposing it to the internet invites constant brute-force attempts. If SSH must be internet-facing, use key-based authentication only, disable password login, use a non-standard port, and restrict access by IP address where possible.
- Are open ports always a security risk?
- Not inherently. A web server must have ports 80 and 443 open to function. The risk comes from exposing services that should not be public (databases, admin panels, remote access), running unpatched software on open ports, or using weak authentication on exposed services.
- How do attackers discover open ports?
- Attackers use port scanning tools like Nmap, Masscan, and ZMap to systematically probe IP addresses for open ports. Internet-wide scanning services like Shodan and Censys continuously scan the entire IPv4 address space, indexing every open port and service they find. An open port is discoverable within hours of being exposed.