Security Guide

Open port security

An open port means a service accepted a network connection. That can be normal for websites, but risky for private admin tools and databases.

What an open port means

Ports are numbered communication endpoints. A website normally listens on 80 or 443. SSH commonly listens on 22. Mail, databases, remote desktop and control panels use other ports. When a port is open from the public internet, outside clients can try to connect to the service behind it.

Open does not automatically mean unsafe. A public website needs an open HTTPS port. The question is whether the service is intended to be public, patched, authenticated, monitored and protected by firewall rules or access controls.

Ports that deserve caution

22 SSH: Remote server administration. Use keys, disable weak passwords and restrict access when possible.
3389 RDP: Windows remote desktop. Avoid public exposure without VPN or strong controls.
3306 / 5432: MySQL and PostgreSQL. Databases should usually not be public.
6379 / 9200: Redis and Elasticsearch. Public exposure can be dangerous if not secured.
80 / 443: Web traffic. Expected for websites, but still needs updates and HTTPS.

How to reduce risk

  1. Close services that do not need public access.
  2. Bind private services to localhost or private interfaces.
  3. Use firewall allowlists for admin ports.
  4. Prefer VPN or private network access for management tools.
  5. Keep server software updated.
  6. Use logs and rate limits to detect repeated attempts.

Use Port Check from outside your own network to verify what the public internet can reach. If you expected a port to be closed but it appears open, review router forwarding, cloud security groups, host firewall rules and service bind addresses.
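The bind-address review mentioned above can be done from the host side as well. The following is an added example, not part of the original guide: it parses `ss -H -tln` output and reports the guide's caution ports that listen on all interfaces or on a public address. The sample listing is constructed, and the names `bind_scope` and `audit` are illustrative.

```python
import ipaddress

# Ports the guide flags for caution; 80/443 are expected to be public.
CAUTION_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                 6379: "Redis", 9200: "Elasticsearch"}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 *:6379 *:*
LISTEN 0 4096 [::1]:9200 [::]:*
LISTEN 0 151 10.0.0.5:3306 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
"""

def bind_scope(addr):
    """Classify a listen address as all-interfaces, loopback, private or public."""
    host = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(ss_output):
    """Return sorted (port, service, scope) for caution ports not bound privately."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon.
        addr, _, port = fields[3].rpartition(":")
        scope = bind_scope(addr)
        if int(port) in CAUTION_PORTS and scope in ("all-interfaces", "public"):
            findings.append((int(port), CAUTION_PORTS[int(port)], scope))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, scope in audit(SAMPLE_SS):
        print(f"{port}/tcp {service}: bound to {scope}; review firewall and bind address")
```

A wildcard bind is only reachable from the internet if router forwarding, security groups and the host firewall also allow it, so a finding here is a prompt to check those layers and then confirm from outside the network.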

FAQ

Is an open port always dangerous?

No. Public websites require open ports. Risk depends on what service is exposed and how it is secured.

Why does a port show closed even though my app is running?

The service may listen only locally, the firewall may block it, DNS may point elsewhere, or the provider may filter the port.

Should database ports be public?

Usually no. Databases should normally be restricted to private networks, VPNs or trusted application servers.

Can carrier-grade NAT block incoming ports?

Yes. If your ISP uses carrier-grade NAT, inbound port forwarding may not work from your home router.

Does HTTPS mean the server is fully secure?

No. HTTPS protects transport, but application security, updates, authentication and firewall rules still matter.