TCP ports: your server's entry points
Every network service listens on one or more TCP (or UDP) ports: the web server on port 80 (HTTP) and 443 (HTTPS), SSH on 22, SMTP on 25, the database on 3306 (MySQL) or 5432 (PostgreSQL). Every open port is a potential entry point for an attacker: if the service has a vulnerability, the open port enables its exploitation. The golden rule of network security is the principle of least privilege: expose only the strictly necessary ports.
The Port Scanner performs a systematic scan of a host's TCP ports, identifying which are open (a service responds), closed (no service, the host responds with RST) or filtered (no response, a firewall blocks traffic). For each open port, it identifies the associated service and, where possible, the software version. This information is the starting point for any security audit or server hardening.
Which ports to check
For a web server, the necessary ports are typically only 80 and 443. SSH (22) should be reachable only from authorized IPs, via firewall rules or a VPN. Database ports (3306, 5432, 27017) should never be exposed to the Internet. Ports like 8080, 8443, 3000, 9090 often indicate development services or admin panels that should not be public. Email ports (25, 587, 993, 995) should be open only on servers that actually handle mail.
Hardening and attack surface reduction
After scanning, act on every unnecessary open port: disable unused services and configure the firewall to block traffic. On Linux, use ufw or iptables to create whitelist rules (deny all, then explicitly allow only the necessary ports). Verify the configuration with a new scan, run from outside the firewall, since a scan from the host itself does not pass through it. For SSH, consider moving the service off port 22, enforcing key-only authentication, and deploying fail2ban to block brute-force attempts.
Complete the security audit by checking the SSL certificate on HTTPS ports with SSL Check and HTTP security headers with Security Headers. For email servers, also verify they are not open relays with Open Relay Test. A server with only necessary ports open, updated services, and hardened configuration is significantly more resistant to attacks than one with default configuration.
Port scanning should be a regular practice, not a one-time event. Every software update, every new installation, every configuration change can open new ports. Automate periodic scans and compare results with the baseline to identify unauthorized changes. A service appearing where it shouldn't be is an alarm signal that deserves immediate investigation.
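The following is an added example, not the Port Scanner tool's own code, that puts the two ideas above into working form: classifying a TCP port as open, closed or filtered from how the connect attempt ends (handshake completes, RST comes back as a refused connection, or nothing comes back before the timeout), and comparing a scan result against an approved baseline so that an unexpected open port, or an expected service that has disappeared, is flagged. The host, ports and baseline are constructed for illustration; the local listener exists only so the example has a known open port to test against on 127.0.0.1.

```python
"""Classify TCP ports and diff the result against an approved baseline.

Added example, not the Port Scanner tool's own code. Hosts, ports and the
baseline used below are constructed for illustration.
"""
import socket
from typing import Dict, Iterable, List, Tuple


def scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     -> the TCP handshake completed, so a service accepted the connection
    closed   -> the host answered with RST, surfaced as ConnectionRefusedError
    filtered -> nothing came back before the timeout (typically a firewall
                dropping the SYN); other socket errors (unreachable network,
                no route) are also reported as 'filtered', since no service
                could be confirmed either way
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan a list of ports and return {port: state}."""
    return {port: scan_port(host, port, timeout) for port in ports}


def compare_to_baseline(result: Dict[int, str], baseline: Iterable[int]) -> Dict[str, List[int]]:
    """Diff a scan result against the set of ports that are allowed to be open.

    unexpected_open  -> open ports not in the baseline (new exposure, investigate)
    missing_expected -> baseline ports that are not open (a service went down or
                        the firewall now blocks something it should not)
    """
    allowed = set(baseline)
    unexpected = sorted(p for p, state in result.items() if state == "open" and p not in allowed)
    missing = sorted(p for p in allowed if result.get(p) != "open")
    return {"unexpected_open": unexpected, "missing_expected": missing}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on 127.0.0.1 so there is a known open port.

    The kernel completes the handshake for connections in the listen backlog,
    so no accept() loop is needed for scan_port() to see the port as open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Find a port nothing is listening on, to demonstrate the 'closed' state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    closed_port = free_port()
    # Constructed baseline: only the listener we just started is approved,
    # plus 443, which we pretend should be serving HTTPS on this host.
    baseline = {open_port, 443}
    result = scan("127.0.0.1", [open_port, closed_port, 443])
    print("scan result:", result)
    print("baseline diff:", compare_to_baseline(result, baseline))
    srv.close()
```

Scheduled from cron against the server's public address, with the baseline kept in version control, the diff output is the "alarm signal" described above: a non-empty unexpected_open list means a port is reachable that the baseline never approved.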