Open Ports and Exposed Services: What They Reveal

Updated By SurfaceLoop Team

How open ports expose your organisation to attack. Covers port scanning, common risky services, and how to reduce your external exposure.

What are open ports and why do they matter for security?

TCP and UDP each identify services with a 16-bit port number, giving 65,535 usable ports per protocol. When a port is “open,” a service is listening on it and will accept a connection. When a port is “closed,” the host is reachable but nothing is listening there (for TCP, the host answers a probe with a RST). When a port is “filtered,” a firewall or packet filter drops or rejects the probe, so a scanner cannot tell whether a service sits behind it.

From a security perspective, every open port is a door. Some doors need to be open — port 443 for your website, port 25 for your mail server. The risk comes from doors that are open unnecessarily, open without the owner’s knowledge, or open to services that are misconfigured or unpatched.

According to the Verizon 2025 Data Breach Investigations Report, exploitation of internet-facing services was the initial access vector in 20% of confirmed breaches. Many of these exploited services were running on ports that should have been firewalled or decommissioned.

How do attackers find open ports?

Port scanning is fast, free, and almost entirely automated:

Active scanning. Tools like Nmap, Masscan, and ZMap send packets to target IP addresses and analyse the responses. A SYN scan (the most common type, and Nmap’s default when run as root) sends a TCP SYN packet to each port and classifies it as open (a SYN-ACK comes back), closed (a RST comes back), or filtered (no reply, or an ICMP unreachable message). Because the scanner never completes the handshake, the listening service itself often logs nothing. Masscan can scan the entire IPv4 internet on a single port in under six minutes.

Passive discovery. Platforms like Shodan, Censys, and BinaryEdge continuously scan the internet and index their results in searchable databases. An attacker does not need to scan your infrastructure directly — they can search Shodan for org:"Your Company" port:3306 and instantly see if you have a MySQL server exposed.

Banner grabbing. Once an open port is found, attackers extract the service banner — the text a service sends when a connection is established. Banners reveal software names, version numbers, and sometimes operating system details. This information is used to identify known vulnerabilities (CVEs) affecting that specific software version.

The speed and automation of modern port scanning means that any new port you expose is typically discovered by automated scanners within hours of opening.
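The three techniques above, as an added Python example that is not part of the original article or of SurfaceLoop’s product: a TCP connect probe (the unprivileged cousin of the SYN scan, mapping a refused connection to closed and a timeout to filtered), banner grabbing with a nudge for services that wait for the client to speak first, and a small banner parser that pulls out product and version. The throwaway listener, the sample banners and the regexes are constructed for the demo and cover only a handful of services; everything runs against 127.0.0.1, so it works offline.

```python
"""Connect probe, banner grab and banner parse (added example, hypothetical names)."""
import re
import socket
import threading

# Constructed sample banners of the kind a scanner sees on first connect.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "220 mail.example.com ESMTP Postfix (Debian/GNU)",
    "220 (vsFTPd 3.0.3)",
    "-ERR unknown command 'HEAD'",  # what Redis says to an unsolicited HTTP line
]

# Illustrative patterns only; a real fingerprint database has thousands.
BANNER_PATTERNS = [
    ("ssh",   re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>OpenSSH|dropbear)[_ ](?P<version>[\w.]+)")),
    ("smtp",  re.compile(r"^220 .*ESMTP (?P<product>\w+)")),
    ("ftp",   re.compile(r"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("redis", re.compile(r"^-ERR unknown command")),
]


def parse_banner(banner):
    """Map the first line of a raw banner to service/product/version (None when unknown)."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return {"service": service, "product": g.get("product"), "version": g.get("version")}
    return {"service": None, "product": None, "version": None}


def probe(host, port, timeout=2.0, nudge=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Connect-scan one TCP port and grab whatever the service sends.

    Returns (state, banner): 'open' on a completed handshake, 'closed' when the
    host refuses (RST), 'filtered' when nothing answers before the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)          # SSH, SMTP, FTP speak first
            except socket.timeout:
                data = b""
            if not data:                     # silent services: send a nudge, listen again
                try:
                    s.sendall(nudge)
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    data = b""
            return "open", data.decode("utf-8", "replace")
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""


def _fake_listener(banner):
    """Constructed stand-in for an exposed service: sends `banner` on connect, then hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))               # ephemeral port chosen by the OS
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner.encode() + b"\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe the fake SSH listener and fingerprint its banner."""
    port = _fake_listener(SAMPLE_BANNERS[0])
    state, banner = probe("127.0.0.1", port)
    return state, parse_banner(banner)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:55} -> {parse_banner(b)}")
    print(demo())
```

The nudge matters in practice: HTTP servers, Redis and many management interfaces say nothing until the client sends something, and a grab that only listens will report an open port with an empty banner. Against real targets, keep timeouts short and parallelise per host; this block probes one port at a time to keep the logic visible.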

How SurfaceLoop handles this

SurfaceLoop scans your domains and IP ranges for open ports continuously, detecting new services as they appear. Each open port is fingerprinted to identify the running software and checked against known vulnerability databases. You see the full picture of your external port exposure alongside risk classifications and remediation guidance.

See Open Ports & Services feature →

Which open ports are most dangerous?

Not all open ports carry equal risk. A web server on port 443 is expected and typically hardened. A database on port 3306 is a different matter entirely.

Port   Service        Risk when exposed
22     SSH            Brute-force attacks against credentials; exploitation of unpatched OpenSSH versions
23     Telnet         Unencrypted traffic; default credentials on network devices
445    SMB            EternalBlue (MS17-010) and related exploits; ransomware propagation
3389   RDP            Brute-force and credential stuffing; BlueKeep-class (CVE-2019-0708) vulnerabilities
3306   MySQL          Direct database access; data exfiltration
5432   PostgreSQL     Direct database access; privilege escalation
27017  MongoDB        Unauthenticated access (authentication is off unless enabled); data deleted and held to ransom
6379   Redis          No authentication unless configured; data theft and, via CONFIG SET file writes, code execution on the host
161    SNMP (UDP)     Community-string guessing; network reconnaissance
9200   Elasticsearch  Unauthenticated data access; index manipulation

According to Rapid7’s 2024 Attack Surface Report, exposed RDP and SSH services accounted for over 60% of all brute-force attacks observed across their sensor network. Databases exposed without authentication — particularly MongoDB and Redis — were compromised within hours of exposure in controlled experiments.

What services should never be exposed to the internet?

A useful rule: if a service is designed for internal use, it should not be reachable from external networks. The following categories should always be behind a VPN, IP allowlist, or zero-trust access proxy:

  • Databases — MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch, Memcached. Direct database access from the internet is never required for normal operations and enables immediate data theft.
  • Remote access — RDP, VNC, Telnet. These provide full interactive access to the machine and are the most common initial access vector for ransomware operators.
  • Management protocols — SNMP, IPMI, WMI. These expose configuration and monitoring capabilities that attackers use for reconnaissance and lateral movement.
  • CI/CD and build systems — Jenkins, GitLab runners, TeamCity. Build systems execute arbitrary code by design and hold deployment credentials, so compromising one is equivalent to code execution with the build agent’s privileges plus access to every secret it can reach.
  • Container orchestration — Kubernetes API, Docker API, Portainer. Exposed container management interfaces allow attackers to deploy their own workloads.

How do you find open ports on your own infrastructure?

There are two approaches to discovering your own open ports:

Manual scanning. Use Nmap to scan your known IP ranges:

nmap -sS -p- --open -T4 203.0.113.0/24

This performs a SYN scan of all 65,535 TCP ports on every host in the /24 and reports only ports that answered with a SYN-ACK. -sS needs raw-socket privileges, so run it as root (or omit -sS and Nmap falls back to a full-connect scan, which completes each handshake and is more likely to be logged). It covers TCP only; UDP services such as SNMP on 161 need a separate UDP scan (-sU), which is much slower. Scan only ranges you own or are authorised to test. For larger ranges, Masscan is significantly faster, with simpler service fingerprinting than Nmap’s.

Continuous EASM scanning. Manual scans provide a point-in-time snapshot. EASM platforms scan continuously, catching new ports as they open and alerting when previously closed services become exposed. This is critical because infrastructure changes happen constantly — deployments, cloud scaling events, and configuration changes can expose ports at any time.

The key principle is to scan from outside your network. Internal firewall rules and access control lists may not reflect what is actually reachable from the internet. Misconfigurations, overlapping rules, and cloud security group changes can expose ports that administrators believe are firewalled.

How do you close unnecessary open ports?

Remediation follows a consistent process:

  1. Inventory all open ports. Run an external scan and document every open port, the service running on it, and who is responsible for that service.
  2. Classify each port. Is this service needed? Does it need to be accessible from the internet, or only from internal networks? Who uses it?
  3. Close unnecessary ports. Stop the service or add a firewall rule to drop inbound traffic. In cloud environments, remove the port from the security group or network ACL.
  4. Restrict necessary ports. For services that need external access (such as SSH for remote administration), restrict access to specific source IP addresses or require VPN connectivity.
  5. Patch and harden remaining services. Every service on an open port should run the latest version, use strong authentication, and follow vendor hardening guides.
  6. Monitor continuously. New ports will appear as infrastructure evolves. Continuous scanning ensures new exposures are caught before attackers find them.

The most common mistake is treating port remediation as a one-time exercise. Infrastructure changes daily. A continuous scanning programme catches new exposures as they emerge, turning port security from a periodic audit into an ongoing operational practice.
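Steps 1 and 2 of the remediation process above (inventory, then classify), starting from the Nmap scan in the previous section, as an added Python example that is not SurfaceLoop’s or Nmap’s code. It reads the XML Nmap writes with -oX, keeps only ports in state open, and sorts each one into a policy bucket: close, restrict to an allowlist or VPN, allow, or review. The XML document, the host addresses and the policy sets are constructed for the example; the port lists mirror the categories the article names and are illustrative, not a standard.

```python
"""Nmap XML to exposure inventory (added example; sample data and policy are constructed)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -sS -p- --open -oX scan.xml 203.0.113.0/24` output,
# trimmed to the elements this script reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- --open -oX scan.xml 203.0.113.0/24">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.29"/></port>
      <port protocol="tcp" portid="6379"><state state="open"/><service name="redis"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports></host>
</nmaprun>"""

# Illustrative policy: what may face the internet as-is, what must sit behind an
# IP allowlist or VPN, and what should never be reachable externally.
PUBLIC_OK = {25, 80, 443}
RESTRICT = {22, 3389, 5900, 161, 623}                        # remote access and management
NEVER_PUBLIC = {23, 445,                                      # Telnet, SMB
                3306, 5432, 27017, 6379, 9200, 11211,         # databases and caches
                2375, 2376, 6443}                             # Docker API, Kubernetes API
ORDER = {"close": 0, "restrict": 1, "review": 2, "allow": 3}  # worst first


def parse_nmap_xml(xml_text):
    """Yield one dict per open port in an Nmap XML report."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue                                      # --open leaves few others, but be explicit
            svc = p.find("service")
            yield {
                "ip": addr.get("addr"),
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            }


def classify(port):
    """Map a port to the action the policy calls for; unknown ports go to review."""
    if port in NEVER_PUBLIC:
        return "close"
    if port in RESTRICT:
        return "restrict"
    if port in PUBLIC_OK:
        return "allow"
    return "review"


def build_inventory(xml_text):
    """Inventory of open ports with an action attached, most urgent first."""
    rows = []
    for finding in parse_nmap_xml(xml_text):
        finding["action"] = classify(finding["port"])
        rows.append(finding)
    rows.sort(key=lambda r: (ORDER[r["action"]], r["ip"], r["port"]))
    return rows


def summarize(rows):
    """Count of findings per action, for the report header."""
    return dict(Counter(r["action"] for r in rows))


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_XML)
    print(summarize(inventory))
    for r in inventory:
        who = " ".join(x for x in (r["product"], r["version"]) if x) or r["service"] or "unknown"
        print(f"{r['action']:8} {r['ip']:15} {r['port']:>5}/{r['proto']}  {who}")
```

Feed it real output with `ET.parse("scan.xml").getroot()` in place of the sample string. The “review” bucket is where the owner question from step 1 gets answered; nothing should stay there after a triage pass, and diffing two inventories from successive scans is the simplest form of the continuous monitoring in step 6.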

Frequently asked questions

What is an open port?
An open port is a network endpoint on which a service is listening and accepting connections. Each open port corresponds to a service -- such as a web server on port 80 or SSH on port 22 -- and is a potential entry point for attackers if that service is misconfigured, unpatched, or not needed at all.
How do attackers find open ports?
Attackers use port scanning tools like Nmap, Masscan, and ZMap to probe IP addresses for open ports. Internet-wide scanning platforms like Shodan and Censys index open ports across the entire IPv4 address space, making discovery trivial for anyone with a browser.
Which ports are most dangerous to leave open?
Ports running remote access services (SSH on 22, RDP on 3389, Telnet on 23), database services (MySQL on 3306, PostgreSQL on 5432, MongoDB on 27017), and file-sharing and management protocols (SMB on 445, SNMP on 161) are among the most dangerous when exposed to the public internet.
How many open ports does a typical organisation have?
It varies widely. A small business may have 5-20 open ports across its external IP range. Mid-market organisations commonly have 50-200. Organisations with legacy infrastructure, cloud sprawl, or multiple business units often have far more -- many of which are unknown to the security team.
How do I check what ports are open on my infrastructure?
You can scan your own IP addresses using tools like Nmap or use an EASM platform like SurfaceLoop to continuously discover and monitor open ports across all your domains and IP ranges. External scanning gives the most accurate picture because it shows what attackers can actually reach.
Should I close all open ports?
No -- some ports must remain open for legitimate services (port 443 for HTTPS, port 25 for email). The goal is to close unnecessary ports, restrict access to management ports via VPN or IP allowlist, and ensure every open port runs patched, properly configured software.
