Why You Should Audit Your Open Ports
Every open port on your system is a potential entry point for attackers. Services you forgot about, software that auto-installs background services, or misconfigurations can leave ports open that you never intended to expose. Regular port audits are a fundamental security hygiene practice for both home networks and production servers.
Common discoveries during port audits include:
- Database ports (MySQL 3306, MongoDB 27017) accidentally exposed to the internet due to cloud firewall misconfiguration
- RDP (3389) enabled on a Windows machine that was accessed remotely once and never locked down again
- Old development servers still running in production
- UPnP-enabled applications opening ports without your knowledge
- Malware using high port numbers for command-and-control communication
The first step is knowing exactly what's open. Start with our port checker to see what ports are reachable on your public IP address, then investigate locally to understand why each open port exists.
Checking Open Ports on Your Own Machine
Several built-in OS tools reveal what's listening locally:
Windows:
# Show all listening TCP ports with process names
netstat -ano | findstr LISTENING
# Show active connections with the owning executable (requires an elevated prompt)
netstat -b -n
# Map the PID of each LISTENING entry to a process name in PowerShell
netstat -ano | Select-String LISTENING | ForEach-Object { ($_.Line -split '\s+')[-1] } | Sort-Object -Unique | ForEach-Object { Get-Process -Id $_ | Select-Object Id, Name }
Linux:
# Modern systems (ss is faster than netstat)
ss -tlnp # TCP listening ports with process info
ss -ulnp # UDP listening ports
ss -tlnp6 # IPv6 TCP listening ports
# Traditional netstat
netstat -tlnp
# Find what process owns a specific port
sudo lsof -i :8080
sudo fuser 8080/tcp
macOS:
sudo lsof -i -P | grep LISTEN
netstat -an | grep LISTEN
The output shows the listening address (0.0.0.0, or :: for IPv6, means all interfaces, so the service is reachable from anywhere the host is; 127.0.0.1 means localhost only), the port number, and the process name. Any service listening on 0.0.0.0 is reachable by other devices on your network (and potentially from the internet if it is not firewalled).
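As an added example (not from the original article), the following helper applies the reading of the listening address described above to `ss -tlnp` output automatically: it parses each LISTEN line and reports every listener that is not restricted to localhost. It assumes the six-column layout modern Linux `ss` prints; the sample output is constructed, and on a real host you would feed it `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` instead.

```python
"""Audit `ss -tlnp` output: which listeners can other hosts reach?

Added helper, not from the original article. Assumptions: the six-column
layout that `ss -tlnp` prints on modern Linux, and a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1033,fd=21))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=1410,fd=7))
LISTEN  0       4096    *:27017              *:*                users:(("mongod",pid=1502,fd=12))
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}   # every interface on the host
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}    # reachable from this host only


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    pid: Optional[int]


def split_host_port(local: str) -> Tuple[str, int]:
    """Split the Local Address:Port column; IPv6 is bracketed, e.g. [::1]:6379."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header line."""
    listeners = []
    for line in output.splitlines():
        cols = line.split(None, 5)              # keep the Process column in one piece
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_host_port(cols[3])
        proc = cols[5] if len(cols) > 5 else ""  # absent when ss lacks permission
        m = re.search(r'\("([^"]+)",pid=(\d+)', proc)
        listeners.append(Listener(host, port,
                                  m.group(1) if m else "?",
                                  int(m.group(2)) if m else None))
    return listeners


def exposure(listener: Listener) -> str:
    """Classify where a listener can be reached from, based on its bind address."""
    if listener.addr in WILDCARD_ADDRS:
        return "network-wide"
    if listener.addr in LOOPBACK_ADDRS:
        return "localhost-only"
    return "specific-interface"


def audit(output: str) -> List[Tuple[str, int, str]]:
    """Return (process, port, exposure) for every listener other hosts can reach."""
    return [(l.process, l.port, exposure(l))
            for l in parse_ss(output) if exposure(l) != "localhost-only"]


if __name__ == "__main__":
    for process, port, where in audit(SAMPLE_SS_OUTPUT):
        print(f"{process:<14} port {port:<6} {where}")
```

Run against the sample, the report lists sshd, nginx and mongod as network-wide and omits mysqld and redis-server, which are bound to loopback. Each network-wide entry is a port you should be able to justify; for a database such as the mongod line, the fix is usually the bind-address change described in the closing section below.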
Using Nmap to Scan for Open Ports
Nmap (Network Mapper) is the industry-standard tool for port scanning. Install it on any OS from nmap.org. Key scan types:
# Scan most common 1000 ports on a target
nmap 192.168.1.100
# Scan all 65535 ports
nmap -p- 192.168.1.100
# Service/version detection, listing only open ports (slower than a plain scan)
nmap -sV --open 192.168.1.100
# Scan your entire local network for open ports
nmap -sn 192.168.1.0/24 # discover hosts first
nmap -p 22,80,443,3389,3306 192.168.1.0/24 # check specific ports on all hosts
# Scan your own machine (no network required)
nmap -sS localhost # requires root/admin
Nmap interprets port states as:
- open — a service is actively listening and accepting connections
- closed — no service listening; the port responds with RST
- filtered — firewall is dropping probes; state is unknown
- open|filtered — common for UDP ports; can't determine if truly open
Important: only scan networks and systems you own or have explicit permission to scan. Unauthorized port scanning may violate computer fraud laws and terms of service.
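The three TCP states above map onto what a plain connect() probe observes, which is also what the terminal one-liners in the FAQ (nc -zv, Test-NetConnection) do. The following added example, not from the article or from Nmap, makes that mapping explicit and includes a self-check that opens a loopback listener, probes it, closes it and probes again, so you can see "open" turn into "closed" on your own machine. The 2-second timeout is an assumption, and a connect probe cannot distinguish a filtering firewall from a host that is simply powered off.

```python
"""Classify a TCP port as open / closed / filtered with a connect probe.

Added example, not from the article or from Nmap. This is the plain
connect() test that `nc -zv` and `Test-NetConnection` perform, read with
Nmap's state names. The 2-second timeout is an assumption.
"""
import errno
import socket
import sys
from typing import Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     -> the handshake completed: something is listening
    closed   -> the host replied with RST (connection refused)
    filtered -> nothing came back before the timeout, or the network reported
                the host unreachable: a firewall is dropping the probe
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def self_check() -> Tuple[str, str]:
    """Probe a loopback port while a listener holds it, then after it is closed.

    Returns (state_while_listening, state_after_close); on a healthy host
    that is ("open", "closed").
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()                         # nothing listens on that port any more
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 probe.py <host> <port>  (probe one of your own hosts)
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print("self-check (while listening, after close):", self_check())
```

The useful part for an audit is the asymmetry the docstring spells out: "closed" proves the host answered, while "filtered" proves nothing about the service and only tells you the firewall is in the path. After closing a port, re-probing from another machine should move the result from "open" to "closed" or "filtered", never leave it at "open".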
Checking What's Exposed From the Internet
Local scans show what's listening, but don't tell you what's visible from the public internet. NAT on your router typically blocks most incoming connections. Use our port checker to scan your public IP address from the internet's perspective.
For automated external monitoring, several tools can regularly check your exposure:
- Shodan.io — searches its database of regular internet-wide scans for your IP. Free accounts can see basic open port information. Shows what attackers see.
- Censys.io — similar to Shodan with a research focus; provides detailed service banners for exposed ports.
- Our port checker — tests specific ports on-demand from our servers
Cloud server operators should also review their cloud provider's firewall (security group) rules. A common configuration mistake: adding a rule for 0.0.0.0/0 (all IPs) on port 3306 to debug a database connection issue and forgetting to remove it. Always use the principle of least privilege — open only the specific ports needed, to the specific source IPs that need them.
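The "debug rule never removed" mistake above is easy to catch mechanically. The following added example (not from the article and not any cloud provider's own API) audits a list of inbound firewall rules in a simplified, generic shape (source CIDR, protocol, port range) and reports every sensitive port that a world-open source range reaches. The rule schema, the sensitive-port table and the sample rules are all assumptions constructed for the example; a real run would map your provider's security-group export into this shape first.

```python
"""Flag cloud firewall (security group) rules that expose sensitive ports to the whole internet.

Added example, not from the article or from any provider's API. The rule
schema is a generic, simplified shape; SENSITIVE_PORTS and SAMPLE_RULES are
constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ports whose exposure to every source address is almost never intentional.
SENSITIVE_PORTS = {
    22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
    6379: "Redis", 27017: "MongoDB",
}

# Constructed inbound rules: {source cidr, protocol, from_port, to_port}.
SAMPLE_RULES: List[Dict] = [
    {"cidr": "0.0.0.0/0", "protocol": "tcp", "from_port": 443, "to_port": 443},      # public HTTPS, expected
    {"cidr": "0.0.0.0/0", "protocol": "tcp", "from_port": 3306, "to_port": 3306},    # debug rule never removed
    {"cidr": "203.0.113.0/24", "protocol": "tcp", "from_port": 22, "to_port": 22},   # SSH from one office range
    {"cidr": "::/0", "protocol": "tcp", "from_port": 0, "to_port": 65535},           # IPv6 wide open
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a source range covering every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sensitive_ports_in(rule: Dict) -> List[int]:
    """Sensitive TCP ports that fall inside the rule's port range."""
    if rule["protocol"] not in ("tcp", "all", "-1"):   # '-1'/'all' = every protocol
        return []
    lo, hi = rule["from_port"], rule["to_port"]
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_rules(rules: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (source cidr, port, service) for each sensitive port open to the world."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue                                    # scoped source: least privilege honoured
        for port in sensitive_ports_in(rule):
            findings.append((rule["cidr"], port, SENSITIVE_PORTS[port]))
    return findings


def narrow_source(rule: Dict, allowed_cidr: str) -> Dict:
    """Least-privilege rewrite: same ports, but only from the range that needs them."""
    ipaddress.ip_network(allowed_cidr, strict=False)    # validate before returning
    return {**rule, "cidr": allowed_cidr}


if __name__ == "__main__":
    for cidr, port, service in audit_rules(SAMPLE_RULES):
        print(f"{service:<11} port {port:<6} open to {cidr}")
```

On the sample set the 443 rule passes (public HTTPS is the one thing meant to be world-reachable) and the scoped SSH rule passes, while the forgotten 3306 rule and the catch-all IPv6 rule are reported; the IPv6 rule shows why a "0 to 65535" range deserves attention even when no single sensitive port was named. narrow_source is the corrective step: keep the port, replace the source with the one range that needs it.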
Closing Unnecessary Open Ports
Once you've identified which ports are open, work through closing any that shouldn't be exposed:
- Identify the owning service — use `lsof -i :PORT` or `netstat -tlnp | grep PORT` to find which process uses each port
- Disable or stop the service if it is not needed — on Linux: `systemctl stop servicename && systemctl disable servicename`; on Windows: disable it from the Services console or Task Manager
- Configure the service to bind to localhost only — for databases (MySQL, PostgreSQL, Redis), change the bind address in the config file from 0.0.0.0 to 127.0.0.1
- Add firewall rules — use ufw on Linux (`ufw deny 3306`), iptables for advanced rules, or Windows Defender Firewall
- Disable UPnP — prevents applications from automatically opening ports; see our guide on UPnP
After making changes, re-scan with our port checker and locally with Nmap to verify the ports are actually closed. A firewall rule alone can be bypassed or mis-applied while the service is still listening, so stopping the service and adding a firewall rule together provide defense in depth.

Frequently Asked Questions
Is it legal to scan ports on my own network?
Yes, scanning ports on networks and systems you own is entirely legal and is considered good security practice. Scanning systems you don't own without explicit permission is illegal in most jurisdictions under computer fraud laws. If you're a penetration tester, always get written authorization before scanning any target.
What does it mean if a port shows as 'filtered'?
A filtered port means a firewall is dropping or rejecting the probe packets — you can't tell from the outside whether anything is actually listening. A filtered result tells an attacker less than a closed one, since closed at least confirms the host answered and that nothing is listening on that port. From an admin's perspective, filtered means your firewall is working as intended.
How can I check if a specific port is open from my terminal?
Several quick methods: `nc -zv example.com 443` (netcat — tests TCP connectivity to a specific port); `telnet example.com 443` (old-school but works); on Windows PowerShell: `Test-NetConnection example.com -Port 443`. These test connectivity from your machine, not visibility from the internet.
Why do I see high random port numbers in netstat output?
High-numbered ports (typically 49152–65535) in netstat output are usually ephemeral ports — temporary ports assigned by your OS for outbound connections. When your browser connects to a server, it uses an ephemeral source port. These are normal and not security concerns. Look specifically at ports in LISTENING state to find services waiting for incoming connections.
