AI QA Monkey

Open Port Security: Find & Close Dangerous Ports

Every open port on your server is a potential entry point for attackers. Internet-wide scanners such as Shodan and Censys continuously index exposed services, and automated bots sweep the whole IPv4 address space looking for open database ports, unprotected admin panels and misconfigured services. A newly exposed service is usually found within hours, long before a quarterly review would notice it.

A single exposed MongoDB or Redis instance can lead to complete data exfiltration within minutes. In 2025, over 40,000 MongoDB instances were found exposed on the internet with no authentication — many were ransomed or wiped within hours of being indexed.

Why Open Ports Are Dangerous

The most dangerous open ports aren't the ones you know about — they're the ones left open accidentally:

  • Development databases running on default ports that were never firewalled
  • Debug endpoints forgotten after deployment
  • Legacy services nobody remembers installing
  • Admin panels (phpMyAdmin, Adminer, Redis Commander) exposed to the internet

The Most Dangerous Open Ports

Database Ports CRITICAL

Port 27017 — MongoDB        (auth disabled by default; exposed when bindIp is 0.0.0.0)
Port 6379  — Redis          (no password by default; CONFIG/persistence abuse gives RCE)
Port 3306  — MySQL/MariaDB  (brute-force target)
Port 5432  — PostgreSQL     (brute-force target)
Port 9200  — Elasticsearch  (no auth before 8.x unless enabled; full data access)
Port 9042  — Cassandra      (AllowAllAuthenticator by default)
Port 5984  — CouchDB        (REST API; no admin account required before 3.0)

Remote Access Ports HIGH

Port 22   — SSH             (brute-force target; sshd CVEs recur, patch promptly)
Port 3389 — RDP             (brute-force; BlueKeep, CVE-2019-0708)
Port 5900 — VNC             (often weak or no password; frequently unencrypted)
Port 23   — Telnet          (cleartext credentials; never use)

Web & Admin Ports HIGH

Port 8080  — HTTP Alt       (dev servers, admin panels, proxies)
Port 8443  — HTTPS Alt      (management interfaces)
Port 9090  — Various admin  (Cockpit, Prometheus)
Port 2082  — cPanel         (hosting control panel; 2083 is the TLS port)
Port 10000 — Webmin         (server management)

Message Queue & Cache Ports MEDIUM

Port 11211 — Memcached      (UDP abused for DDoS amplification; TCP and UDP leak cached data)
Port 5672  — RabbitMQ       (AMQP; management UI on 15672)
Port 9092  — Kafka          (message stream access)
Port 2181  — ZooKeeper      (cluster management; no auth by default)

How to Scan for Open Ports

External Scan (What Attackers See)

Use AI QA Monkey's free Open Port Scanner to see exactly what's exposed from the internet — the same perspective attackers have.

Scan with nmap and ss

# Quick scan of the 1,000 most common TCP ports, with service/version detection.
# Run nmap from a different network than the server, otherwise you only see
# what is reachable from where you stand.
nmap -sV your-server-ip

# Full scan of all 65535 TCP ports with version detection (slow; -p- is shorthand for 1-65535)
nmap -sV -p- your-server-ip

# Scan the dangerous ports listed above
nmap -sV -p 22,23,3306,3389,5432,5900,6379,8080,9200,11211,27017 your-server-ip

# UDP is a separate scan (Memcached amplification runs over UDP 11211); needs root
sudo nmap -sU -p 11211 your-server-ip

# On the server itself: list every listening socket, TCP and UDP (-u), with the
# owning process (-p needs root). Anything bound to 0.0.0.0, [::] or * is
# reachable from every interface unless a firewall blocks it; 127.0.0.1 and
# [::1] are local-only.
sudo ss -tulnp
# or, on older systems
sudo netstat -tulnp
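The decision that matters for each line of ss output is whether the socket is bound to a wildcard address or to loopback. The script below is an added example, not code from this guide or from AI QA Monkey: it parses ss -tulnp text and reports wildcard-bound sockets on the ports listed above. The embedded sample output is constructed, and it includes a docker-proxy listener to show how a port published with docker run -p 6379:6379 reappears on 0.0.0.0 even though redis.conf binds 127.0.0.1. The severity table, the dataclass and the process-name regex are my own choices.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample of `sudo ss -tulnp` output (not captured from a real
# host). The docker-proxy line shows how `docker run -p 6379:6379` publishes
# Redis on every interface even though redis.conf binds 127.0.0.1.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511         127.0.0.1:6379        0.0.0.0:*     users:(("redis-server",pid=1203,fd=6))
tcp   LISTEN 0      4096          0.0.0.0:6379        0.0.0.0:*     users:(("docker-proxy",pid=2231,fd=4))
tcp   LISTEN 0      4096          0.0.0.0:27017       0.0.0.0:*     users:(("mongod",pid=1340,fd=11))
tcp   LISTEN 0      4096             [::]:9200           [::]:*     users:(("java",pid=1402,fd=212))
tcp   LISTEN 0      244         127.0.0.1:5432        0.0.0.0:*     users:(("postgres",pid=1111,fd=7))
tcp   LISTEN 0      4096                *:443               *:*     users:(("nginx",pid=990,fd=8))
udp   UNCONN 0      0             0.0.0.0:11211       0.0.0.0:*     users:(("memcached",pid=1510,fd=26))
"""

# Severity per port, taken from the lists in this guide.
DANGEROUS_PORTS = {
    27017: "CRITICAL", 6379: "CRITICAL", 3306: "CRITICAL", 5432: "CRITICAL",
    9200: "CRITICAL", 9042: "CRITICAL", 5984: "CRITICAL",
    22: "HIGH", 3389: "HIGH", 5900: "HIGH", 23: "HIGH",
    8080: "HIGH", 8443: "HIGH", 9090: "HIGH", 2082: "HIGH", 10000: "HIGH",
    11211: "MEDIUM", 5672: "MEDIUM", 9092: "MEDIUM", 2181: "MEDIUM",
}

# What ss prints for "every interface": IPv4 any, IPv6 any, and the "*"
# that older ss versions use for both.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # bind address exactly as ss printed it
    port: int
    process: str   # process name, or "" when ss ran without -p / without root


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` text into Listener records; the header line is skipped."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        # Split on the LAST colon: IPv6 addresses contain colons themselves.
        addr, _, port = local.rpartition(":")
        match = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else ""))
    return listeners


def is_wildcard(addr: str) -> bool:
    # A "%eth0" scope suffix does not change the meaning of the address.
    return addr.split("%", 1)[0] in WILDCARD_ADDRS


def find_exposed(listeners: list[Listener]) -> list[Listener]:
    """Sockets reachable on every interface, so only a firewall separates them
    from the internet. Loopback-bound sockets (127.0.0.1, [::1]) are excluded."""
    return [l for l in listeners if is_wildcard(l.addr)]


def report(output: str) -> list[tuple[str, int, str, str]]:
    """(severity, port, proto, process) for each wildcard-bound dangerous port,
    most severe first."""
    rows = [(DANGEROUS_PORTS[l.port], l.port, l.proto, l.process)
            for l in find_exposed(parse_ss(output)) if l.port in DANGEROUS_PORTS]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[0]], r[1]))


if __name__ == "__main__":
    # Pipe real output in: sudo ss -tulnp | python3 check_listeners.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for sev, port, proto, proc in report(text):
        print(f"{sev:8} {proto}/{port:<5} {proc or '(unknown process)'}")
```

On the sample, the loopback-bound redis-server and postgres sockets are not reported, the docker-proxy copy of 6379 is, and nginx on *:443 is exposed but not on the danger list. A socket that is exposed here and also reachable in the external scan is the one to fix first; a socket exposed here but blocked externally is one firewall change away from being public.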

Firewall Rules: iptables

# ============================================
# iptables — Secure Server Configuration (IPv4)
# ============================================
# Run as root. Build the allow rules BEFORE switching the policy to DROP,
# otherwise the SSH session you are applying them from is cut off half-way.
# These rules apply to IPv4 only: repeat them with ip6tables, or IPv6
# listeners (e.g. [::]:27017) stay reachable.

# Flush existing rules with a permissive policy in place
iptables -P INPUT ACCEPT
iptables -F
iptables -X

# Allow loopback (localhost)
iptables -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host opened
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from a specific IP only
iptables -A INPUT -p tcp --dport 22 -s YOUR_IP_ADDRESS -j ACCEPT

# Allow HTTP and HTTPS (web traffic)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block specific dangerous ports explicitly (defense in depth: these still
# hold if someone later flips the default policy back to ACCEPT)
iptables -A INPUT -p tcp --dport 27017 -j DROP  # MongoDB
iptables -A INPUT -p tcp --dport 6379 -j DROP   # Redis
iptables -A INPUT -p tcp --dport 3306 -j DROP   # MySQL
iptables -A INPUT -p tcp --dport 5432 -j DROP   # PostgreSQL
iptables -A INPUT -p tcp --dport 9200 -j DROP   # Elasticsearch
iptables -A INPUT -p tcp --dport 11211 -j DROP  # Memcached (TCP)
iptables -A INPUT -p udp --dport 11211 -j DROP  # Memcached (UDP, the amplification vector)

# Now that the allow rules exist, default to DROP everything else
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Verify the result
iptables -L INPUT -n -v --line-numbers

# Save rules (persist across reboots; on Debian/Ubuntu the iptables-persistent
# package loads this file at boot)
iptables-save > /etc/iptables/rules.v4

Firewall Rules: ufw (Ubuntu/Debian)

# ufw — Simplified Firewall Configuration

# Reset to defaults (disables ufw and deletes every rule)
sudo ufw reset

# Default: deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH from a specific IP only. Add this BEFORE "ufw enable",
# or you lock yourself out.
sudo ufw allow from YOUR_IP_ADDRESS to any port 22 proto tcp

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Explicitly deny dangerous ports. Redundant with "deny incoming", but ufw
# matches rules in order, so these still win over a careless "ufw allow"
# added later.
sudo ufw deny 27017/tcp  # MongoDB
sudo ufw deny 6379/tcp   # Redis
sudo ufw deny 3306/tcp   # MySQL
sudo ufw deny 5432/tcp   # PostgreSQL
sudo ufw deny 9200/tcp   # Elasticsearch
sudo ufw deny 3389/tcp   # RDP
sudo ufw deny 11211      # Memcached, TCP and UDP

# Enable firewall
sudo ufw enable

# Check status; "numbered" shows the order rules are evaluated in
sudo ufw status verbose
sudo ufw status numbered

# CAUTION: Docker publishes ports (-p 6379:6379) through its own iptables
# chains and bypasses ufw entirely. Bind published ports to localhost:
#   docker run -p 127.0.0.1:6379:6379 redis

Firewall Rules: AWS Security Groups

# AWS Security Group — Web Server
# Inbound Rules:
# Type          Protocol  Port   Source
# HTTP          TCP       80     0.0.0.0/0, ::/0
# HTTPS         TCP       443    0.0.0.0/0, ::/0
# SSH           TCP       22     YOUR_IP/32 (specific IP only!)

# NEVER add these inbound rules (::/0 is the IPv6 equivalent of 0.0.0.0/0
# and is just as open):
# MySQL         TCP       3306   0.0.0.0/0  ← DANGEROUS
# MongoDB       TCP       27017  0.0.0.0/0  ← DANGEROUS
# Redis         TCP       6379   0.0.0.0/0  ← DANGEROUS
# All Traffic   All       All    0.0.0.0/0  ← EXTREMELY DANGEROUS
# Databases belong in their own security group whose source is the
# application servers' security group, not a CIDR block.

# AWS CLI — find groups that open MongoDB to the world
aws ec2 describe-security-groups \
  --filters Name=ip-permission.from-port,Values=27017 \
            Name=ip-permission.cidr,Values=0.0.0.0/0 \
  --query 'SecurityGroups[].GroupId'

# AWS CLI — remove the dangerous rule (sg-12345678 is a placeholder)
aws ec2 revoke-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 27017 \
  --cidr 0.0.0.0/0
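Reviewing one group in the console does not scale past a handful of accounts. The script below is an added example, not part of this guide or AWS tooling: it audits the JSON that aws ec2 describe-security-groups returns, flags any rule that opens a dangerous port, a range containing one, or all traffic to 0.0.0.0/0 or ::/0, and prints the exact revoke-security-group-ingress call that removes it. The embedded security groups are constructed, with invented group IDs and CIDRs; the port list is this guide's own.

```python
from __future__ import annotations

import json

# Constructed `aws ec2 describe-security-groups --output json` result; the
# group IDs and CIDRs are invented for this example.
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa111111111111a", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb222222222222b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp debugging"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc333333333333c", "GroupName": "legacy", "IpPermissions": [
        # "All traffic": IpProtocol "-1" carries no FromPort/ToPort at all.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]}

# Ports from this guide that must never be open to the world.
DANGEROUS_PORTS = {27017, 6379, 3306, 5432, 9200, 9042, 5984, 11211, 3389, 5900, 23}
WORLD = {"0.0.0.0/0", "::/0"}


def world_sources(perm: dict) -> list[str]:
    """CIDRs in this rule that mean 'everyone'; ::/0 is as open as 0.0.0.0/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def port_range(perm: dict) -> tuple[int, int] | None:
    """(from, to) for tcp/udp rules, the whole space for '-1', None for icmp."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return (0, 65535)
    if proto in ("tcp", "udp"):
        return (perm["FromPort"], perm["ToPort"])
    return None


def revoke_command(group_id: str, perm: dict, cidr: str) -> str:
    """The aws CLI call that removes exactly this rule for this one source.
    The --ip-permissions form covers 'all traffic' and IPv6 sources uniformly."""
    spec = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        spec["FromPort"], spec["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        spec["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        spec["IpRanges"] = [{"CidrIp": cidr}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([spec])}'")


def audit(groups: dict) -> list[dict]:
    """One finding per (rule, world source) that exposes a dangerous port,
    a port range containing one, or all traffic."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            rng = port_range(perm)
            if rng is None:
                continue
            lo, hi = rng
            hit = sorted(p for p in DANGEROUS_PORTS if lo <= p <= hi)
            if not hit:
                continue
            for cidr in world_sources(perm):
                findings.append({
                    "group": sg["GroupId"], "name": sg["GroupName"],
                    "ports": "ALL" if perm["IpProtocol"] == "-1" else hit,
                    "source": cidr,
                    "fix": revoke_command(sg["GroupId"], perm, cidr),
                })
    return findings


if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --output json > sgs.json
    for f in audit(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): ports {f['ports']} open to {f['source']}")
        print("  " + f["fix"])
```

Note what the sample catches that a port-by-port console check misses: the Redis rule whose only source is ::/0, the 9000-9999 range that quietly contains Cassandra and Elasticsearch, and the legacy all-traffic rule. Rules whose source is another security group have no IpRanges entries and are correctly left alone.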

Service-Specific Hardening

MongoDB

# /etc/mongod.conf — Bind to localhost only
net:
  bindIp: 127.0.0.1      # add an app server's private IP only if it must connect over the network; never 0.0.0.0
  port: 27017

security:
  authorization: enabled

# Restart, then create the admin user. With authorization enabled and no
# users yet, the localhost exception lets the first user be created over a
# loopback connection without credentials.
sudo systemctl restart mongod
mongosh
use admin
db.createUser({
  user: "admin",
  pwd: passwordPrompt(),   // prompts instead of leaving the password in shell history
  roles: ["root"]
})

Redis

# /etc/redis/redis.conf
bind 127.0.0.1 -::1      # IPv4 and IPv6 loopback only (the "-" prefix, Redis 6.2+, means "skip if the address is absent")
protected-mode yes
requirepass your_strong_password_here

# Disable dangerous commands. On Redis 6.2+ an ACL rule does the same job in
# one line and also covers KEYS and friends:
#   user default on >your_strong_password_here ~* &* +@all -@dangerous
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command DEBUG ""

sudo systemctl restart redis-server

MySQL

# /etc/mysql/mysql.conf.d/mysqld.cnf   (MariaDB: /etc/mysql/mariadb.conf.d/50-server.cnf)
[mysqld]
bind-address = 127.0.0.1
# If every client uses the Unix socket, disable TCP entirely instead:
# skip-networking

# Remove anonymous users and the test database, set the root password
sudo mysql_secure_installation
sudo systemctl restart mysql

# Accounts allowed to connect from any host are the next thing to review
sudo mysql -e "SELECT user, host FROM mysql.user WHERE host = '%';"

SSH

# /etc/ssh/sshd_config
Port 2222                        # Optional: cuts log noise, not a security control; update the firewall rules above if you change it
PermitRootLogin no               # Disable root login
PasswordAuthentication no        # Use key-based auth only
KbdInteractiveAuthentication no  # Otherwise PAM can still prompt for a password (ChallengeResponseAuthentication on older OpenSSH)
MaxAuthTries 3                   # Limit attempts
AllowUsers your_username         # Whitelist users

# Ubuntu/Debian ship "Include /etc/ssh/sshd_config.d/*.conf" at the top of the
# file, and sshd keeps the FIRST value it sees for a keyword, so a drop-in
# (e.g. one written by cloud-init) containing "PasswordAuthentication yes"
# silently overrides the line above. Check the effective config, syntax-check,
# then restart:
sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|kbdinteractive'
sudo sshd -t
sudo systemctl restart ssh       # the unit is "ssh" on Debian/Ubuntu, "sshd" on RHEL/Fedora
# Keep your current session open and confirm a fresh key-based login works before logging out.
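Both the Redis and SSH sections above come down to a handful of directives whose effective value is easy to get wrong: a commented-out bind line means "all interfaces", and an sshd keyword set in an Include'd drop-in beats the same keyword set later in sshd_config. The script below is an added example, not code from this guide or from the Redis or OpenSSH projects: it audits a redis.conf and an sshd_config (plus one drop-in) for the settings discussed above, resolving sshd's first-value-wins rule. The weak and hardened configs are constructed for the example; the check list and messages are my own, and the parser handles only the plain "Keyword value" form.

```python
from __future__ import annotations

# Constructed configs for this example (not copied from any real host).
# The weak redis.conf is a default install after someone commented out
# "bind" so that an app on another host could connect.
WEAK_REDIS = """\
# bind 127.0.0.1 -::1
protected-mode no
port 6379
"""

HARDENED_REDIS = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
rename-command CONFIG ""
requirepass a-long-random-password-from-your-secret-store
"""

# The weak sshd_config follows the Ubuntu layout: the Include at the top
# splices in a drop-in, and sshd keeps the FIRST value it sees for a keyword,
# so the "PasswordAuthentication no" further down never takes effect.
WEAK_SSHD_DROPIN = "PasswordAuthentication yes\n"
WEAK_SSHD = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

HARDENED_SSHD = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers deploy
"""


def parse_directives(text: str) -> list[tuple[str, str]]:
    """(keyword, value) pairs in file order; comments and blank lines dropped.
    Keywords are lower-cased because sshd matches them case-insensitively."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key.lower(), value.strip()))
    return pairs


def audit_redis(conf: str) -> list[str]:
    pairs = parse_directives(conf)
    d = dict(pairs)                      # for these keys the last occurrence wins
    findings = []
    binds = d.get("bind", "").split()
    # No bind line means "all interfaces"; so do the explicit wildcard forms.
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for b in binds):
        findings.append("bind: listening on every interface (use 'bind 127.0.0.1 -::1')")
    if d.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: off, remote clients are not refused when no password is set")
    if "requirepass" not in d and not any(k == "user" for k, _ in pairs):
        findings.append("requirepass: no password and no ACL users")
    renamed = {v.split()[0].upper() for k, v in pairs if k == "rename-command" and v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still callable (CONFIG SET dir/dbfilename + SAVE writes files)")
    return findings


def effective_sshd(main: str, dropin: str = "") -> dict[str, str]:
    """Resolve settings the way sshd does: read in order, Include splices the
    drop-in in at that point, and the first value for a keyword wins. One
    drop-in string stands in for everything matched by the Include glob."""
    ordered = []
    for key, value in parse_directives(main):
        ordered.extend(parse_directives(dropin) if key == "include" else [(key, value)])
    effective = {}
    for key, value in ordered:
        effective.setdefault(key, value)
    return effective


def audit_sshd(main: str, dropin: str = "") -> list[str]:
    eff = effective_sshd(main, dropin)
    findings = []
    if eff.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append(f"PermitRootLogin is '{eff.get('permitrootlogin', 'prohibit-password')}' (set no)")
    if eff.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is effectively 'yes' (check Include'd drop-ins: first value wins)")
    if eff.get("kbdinteractiveauthentication", "yes").lower() != "no":
        findings.append("KbdInteractiveAuthentication is 'yes': PAM can still prompt for a password")
    return findings


if __name__ == "__main__":
    for label, result in [("weak redis", audit_redis(WEAK_REDIS)),
                          ("hardened redis", audit_redis(HARDENED_REDIS)),
                          ("weak sshd + drop-in", audit_sshd(WEAK_SSHD, WEAK_SSHD_DROPIN)),
                          ("hardened sshd", audit_sshd(HARDENED_SSHD))]:
        print(f"{label}: {result or 'OK'}")
```

The instructive case is the weak sshd_config: audited on its own it passes the password check, audited together with its drop-in it fails, which is exactly the discrepancy sudo sshd -T reveals on a real host and a plain grep of sshd_config does not.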

Scan Your Ports Now

Free port scan — checks the most targeted ports and identifies exposed services in 60 seconds.

Scan Ports Now

Frequently Asked Questions

What are the most dangerous open ports?

Database ports: MongoDB (27017), Redis (6379), MySQL (3306), PostgreSQL (5432) and Elasticsearch (9200). These often run with authentication disabled or with defaults that were never changed, so an open port is immediate data access. Memcached (11211) is also abused for DDoS amplification whenever its UDP port is reachable.

How do I check for open ports on my server?

Use AI QA Monkey's free Open Port Scanner for an external scan, run nmap -sV -p- your-server-ip from a different network to see what the internet sees, and run sudo ss -tulnp on the server itself to list every listening socket and the process behind it.

How do I close a port with iptables?

Use iptables -A INPUT -p tcp --dport PORT -j DROP, and set the INPUT chain's default policy to DROP so anything you did not explicitly allow is blocked. Add the rule allowing SSH from your own IP before any DROP rule or policy change, or you lock yourself out. Better still, bind the service to 127.0.0.1 so there is nothing left to firewall.

Check Your Website Right Now

Run a free automated security scan — 75 checks in 60 seconds. No signup required.

Run Free Security Scan →