How to read an open port (and when to actually worry)
An 'open port' isn't a vulnerability by itself — it's information. Here's how to tell whether a port being open is fine, suspicious, or actively dangerous, and what to do about each case.
When a port scanner reports port 3389 open, the meaningful next question is not "is this open?" but "what's supposed to be there, and is what's supposed to be there actually there?". This article walks through that question — the one the port reference table exists to answer.
The three-tier reading of 'port X is open'
- Tier 1 — Fine, that's the service. Port 443 open and you're running a public HTTPS server? Expected. Port 22 on a server you admin via SSH? Expected. These are ports that are supposed to be open. You don't have a problem.
- Tier 2 — Open, but shouldn't be on this network. Port 445 (SMB) open on a public-facing cloud VM that doesn't host file shares? That's someone looking for a Windows share to enumerate. Port 3306 (MySQL) on a server that shouldn't expose a database at all? Investigation time. These ports aren't vulnerabilities by themselves, but their presence says this service is reachable when it shouldn't be — and that's how most cloud-hosted ransomware starts.
- Tier 3 — Open AND exposed AND exploitable. Port 2375 (Docker API, unauthenticated) open on the public internet? Root-as-a-service. Port 9200 (Elasticsearch) without auth? Data exfil in one request. Port 6379 (Redis) without auth? Historically RCE-as-a-service. The CVE database for these three is a long list. These are fires, not warnings.
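The three-tier reading above, applied to scan results as an added example (not code from the tool this article describes). The host names, the baseline inventory, the findings and the `Finding` fields are constructed for illustration, and checking Tier 3 before Tier 1 is an assumption of this sketch.

```python
from dataclasses import dataclass

# Ports the article names as Tier 3 when reachable without authentication.
UNAUTH_CRITICAL = {2375: "Docker API", 9200: "Elasticsearch", 6379: "Redis"}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vantage: str         # "public" or "lan": where the scanner ran
    auth_required: bool  # verified against the service, not inferred from the port

def tier(finding, baseline):
    """Return 1, 2 or 3 following the article's three-tier reading."""
    expected = baseline.get(finding.host, set())
    if (finding.port in UNAUTH_CRITICAL and finding.vantage == "public"
            and not finding.auth_required):
        return 3  # open AND exposed AND exploitable, even if the port was intended
    if finding.port in expected:
        return 1  # that's the service
    return 2      # reachable, but nothing says it should be

def triage(findings, baseline):
    """Rate every finding and sort worst first (stable within a tier)."""
    rated = [(tier(f, baseline), f) for f in findings]
    return sorted(rated, key=lambda pair: -pair[0])

# Constructed inventory: which ports each host is supposed to expose.
BASELINE = {"web-1": {22, 443}, "cache-1": {6379}}

# Constructed scan results.
FINDINGS = [
    Finding("web-1", 443, "public", False),
    Finding("web-1", 445, "public", True),
    Finding("web-1", 3306, "public", True),
    Finding("cache-1", 6379, "lan", False),
    Finding("cache-1", 6379, "public", False),
    Finding("web-1", 2375, "public", False),
]

if __name__ == "__main__":
    for rating, f in triage(FINDINGS, BASELINE):
        print(f"tier {rating}: {f.host}:{f.port} seen from {f.vantage}")
```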
What the 'risk' labels in our reference actually mean
The table's risk column is opinion, not fact. It's the usual posture — "if you see this open on something you didn't intend, here's what category of problem you're in." Five tiers, ordered:
- Info — open ports that are normally expected on whatever system is serving them. SSH on a server, HTTPS on a web box.
- Low — second-tier ports that are legitimate services on alternate ports. Should be open if you're running that service; audit if not.
- Medium — services that aren't dangerous on their own but are commonly misconfigured. Worth knowing about, not panicking about.
- High — open exposure of these on a public network is a real problem. Either move them behind a VPN, firewall them to a known IP range, or harden the auth.
- Critical — historically RCE / data-loss vectors. If you see one of these open on the public internet and you didn't explicitly configure it that way in 2024+, act now, not later.
Three things the table doesn't tell you
- What's actually listening on the port. Port 8080 being open doesn't tell you it's Tomcat vs Jenkins vs a custom dev server. The reference says "8080: HTTP-Alt, Tomcat/Jenkins/dev server" — but if you find it open, you still need to visit the page or run a banner grab to know which one.
- Whether the service is locked down. SSH on port 22 isn't the risk — it's SSH with password auth on port 22, exposed, with weak creds. The reference doesn't grade configurations; it grades the port. Always check the service's own security posture, not just whether the TCP handshake completes.
- Where the port scanner was when it saw the port. Internet-scanning tools like Shodan and Censys read the public internet. A LAN-scanning tool reads your internal network. The two give you the same "port is open" answer for very different exposure surfaces. Whether a port being open is a problem depends on which network the scanner is running from.
Reading the local probe results
When the probe returns a port as open, that's a TCP connect that completed — something is listening on that port on whatever address the probe dialed. When it returns closed, the host responded to the SYN with a RST — there's no listener. When it returns filtered, the SYN went out and nothing came back before the 1.5-second timeout. Filtered is the firewall case.
If you're reading this from a coffee shop and the probe says your ports are filtered, that's the coffee shop's firewall doing its job. If you're reading this from home and it shows three ports open (say 80, 443 and 22), and those turn out to be your router, your NAS's GUI, and a CCTV panel you forgot was running, that's the next hour of your weekend, not a five-second fix.
Open the tool, scan your own machine, and cross-reference anything you don't recognize: Open Port Reference & Local Probe.