What are open ports?
Every service running on a server listens on a port — a numbered channel through which network traffic flows. When a port is open and reachable from the internet, it means the service behind it is directly accessible to anyone, anywhere.
ExposureIndex scans your internet-facing IP addresses and identifies which ports are open and what service is likely running behind each one. Open ports that are not expected — or that run services that should not be publicly exposed — are flagged as findings.
Why does it matter?
Every open port is a potential entry point. Services have vulnerabilities. Attackers continuously scan the entire internet looking for known-vulnerable service versions on open ports. The time between a new vulnerability being published and the first automated exploit attempts is often measured in hours.
The principle of minimising attack surface says: if a port does not need to be open, close it.
Common findings and what to do
Remote administration ports (SSH / RDP / WinRM)
Ports: SSH on 22, RDP on 3389, WinRM on 5985 (HTTP) and 5986 (HTTPS)
These are frequently attacked via brute-force and credential stuffing. They should never be exposed directly to the public internet.
Fix:
- Place behind a VPN — Staff connect to VPN first, then SSH/RDP to the server. The port appears closed to all other traffic.
- Use a bastion host — A single hardened jump server is the only publicly accessible SSH endpoint. All other servers are accessed only from the bastion.
- IP allowlisting — Firewall rules permit access only from known office or admin IP addresses. Less ideal than VPN as office IPs can change.
- Change the default port — Moving SSH from 22 to a non-standard port reduces automated scanning noise but provides no real security. Do this in addition to, not instead of, the above.
If you must keep SSH open, at minimum:
- Disable password authentication (PasswordAuthentication no in /etc/ssh/sshd_config); use key pairs only
- Enable fail2ban or equivalent to block brute-force attempts
- Disable root login (PermitRootLogin no in /etc/ssh/sshd_config)
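To confirm that a host actually meets these three minimums, the following added script (example code written for this page, not part of ExposureIndex) parses the effective configuration that sshd -T prints and reports any setting that deviates. The sample configuration embedded at the end is constructed for illustration; on a real host run it as root with sshd -T piped into the function. The check names and required values are the three settings listed above; the fail2ban step is a separate service and is not covered here.

```shell
#!/bin/sh
# Added example (not ExposureIndex code): check the effective sshd settings for
# the three minimum steps above. Input is the output of `sshd -T`, which prints
# the running configuration as lowercase "keyword value" lines.

# audit_sshd_config [FILE]
# Reads `sshd -T` output from FILE (or stdin), prints one line per failed
# check and returns 0 when every check passes, 1 otherwise.
audit_sshd_config() {
    cfg=$(cat "${1:--}")        # "-" makes cat read stdin when no file is given
    status=0
    # One check per line: keyword|required value|why it matters
    while IFS='|' read -r key want why; do
        have=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want): $why"
            status=1
        elif [ "$have" != "$want" ]; then
            echo "FAIL    $key is '$have' (want $want): $why"
            status=1
        fi
    done <<EOF
passwordauthentication|no|password logins are what brute-force and credential stuffing target
permitrootlogin|no|root must not be a remotely usable account
pubkeyauthentication|yes|key pairs must remain the only accepted credential
EOF
    return $status
}

# Constructed sample of `sshd -T` output for a host that still allows passwords.
SAMPLE_SSHD_T='port 22
passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'

# Demo on the sample; on a real host run:  sshd -T | audit_sshd_config
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config \
    || echo "-> sshd does not meet the minimum hardening above"
```

sshd -T is used rather than reading sshd_config directly because it resolves Include files and Match blocks, so the values it prints are the ones the daemon actually enforces. A missing keyword is reported as a failure on purpose: a setting that is absent is one you have not verified.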
Database ports (MySQL / PostgreSQL / MongoDB / Redis)
Ports: MySQL 3306, PostgreSQL 5432, MongoDB 27017, Redis 6379
Databases should never be directly reachable from the public internet. Exposing them has resulted in some of the largest data breaches on record.
Fix: Configure your firewall (or security group in cloud environments) to block these ports from all external traffic. Databases should only accept connections from the application servers that need them, on the internal network.
Unencrypted service ports (HTTP, FTP, Telnet)
Ports: HTTP on 80, FTP on 21, Telnet on 23
Unencrypted protocols transmit credentials and data in plaintext. Anyone on the network path can read them.
Fix:
- HTTP (80): Redirect all traffic to HTTPS. Keep port 80 open only for the redirect and for Let's Encrypt ACME challenges.
- FTP (21): Replace with SFTP (over SSH, port 22) or FTPS.
- Telnet (23): Replace with SSH entirely.
Unexpected or unknown services
If ExposureIndex finds a port open that you do not recognise, treat it seriously. It may indicate:
- A forgotten or unmanaged server
- A service installed without the administrator's knowledge
- Malware establishing a backdoor
Fix: Identify the process listening on the port (ss -tlnp or netstat -tulnp on Linux), determine whether it is legitimate, and either harden or remove it.
How to audit and close ports
Linux (using ss):
ss -tlnp # show listening TCP ports and which process owns them (add -u, i.e. ss -tulnp, to include UDP)
Firewall rules (UFW):
ufw deny 3306 # block MySQL from all external sources
ufw allow from 10.0.0.0/8 to any port 22 # allow SSH only from internal range
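The following added script (example code written for this page, not part of ExposureIndex) ties the steps above together: it reads the output of ss -tlnp, ignores sockets bound only to loopback, compares the rest against a list of ports you expect to be open, and names the owning process for anything else, with the matching ufw deny command as a hint. The ss output embedded in the block is constructed for illustration and is not from a real host. It also covers the "unexpected or unknown services" and database-port findings above, since an unexpected listener and a database bound to 0.0.0.0 are reported the same way.

```shell
#!/bin/sh
# Added example (not ExposureIndex code): compare the sockets a host is
# listening on with the ports you expect, and flag everything else.
# Input is the output of `ss -tlnp`; loopback-only listeners are skipped
# because they are not reachable from the network.

# audit_listeners "PORT PORT ..." < ss-output
# Prints one line per listening socket that is bound to a non-loopback
# address and not in the allowlist; returns 1 if any were found, else 0.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }                    # drop the header and any non-listening rows
    {
        addr = $4; sub(/:[0-9]+$/, "", addr)   # "0.0.0.0:22" -> "0.0.0.0", "[::]:443" -> "[::]"
        port = $4; sub(/.*:/, "", port)        # "0.0.0.0:22" -> "22"
        proc = "unknown"                       # process name from users:(("name",pid=..,fd=..))
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        if (addr == "127.0.0.1" || addr == "[::1]" || addr ~ /^127\./) next
        if (port in ok) next
        printf "UNEXPECTED port %s bound to %s by %s (ufw deny %s, or remove the service)\n", port, addr, proc, port
        bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample of `ss -tlnp` output (not a real host).
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN  0       70          127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1024,fd=21))
LISTEN  0       511           0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1300,fd=5))
LISTEN  0       511           0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1300,fd=6))
LISTEN  0       128           0.0.0.0:27017      0.0.0.0:*     users:(("mongod",pid=1410,fd=11))
LISTEN  0       128              [::]:4444          [::]:*     users:(("nc",pid=2231,fd=3))'

# Demo on the sample; on a real host run:  ss -tlnp | audit_listeners "22 80 443"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "22 80 443" \
    || echo "-> investigate the listeners above, then close the port or remove the service"
```

In the sample, MySQL on 127.0.0.1:3306 is not reported because only local processes can reach it, while MongoDB on 0.0.0.0:27017 and the unknown nc process on [::]:4444 are. Run ss with root privileges, otherwise the process column is empty for sockets owned by other users and the script reports "unknown". A host-level check like this only tells you what is listening; confirm the external view with the ExposureIndex scan, since a cloud security group may already block a port the host has open.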
Cloud environments: Use your cloud provider's security group or firewall rules (AWS Security Groups, GCP Firewall Rules, Azure NSG) as the primary control. These act before traffic even reaches your server.
Last updated: March 28, 2026