Home
My IP
GPS
Find Me
Your Location
4️⃣IPv4:
📍...
6️⃣IPv6:
🌍...
🏢...
📌...
How-To Guides11 min read

Port Scanning Basics: Find and Fix Your Open Ports

Learn what network ports are, how port scanning works, and how to check your own open ports to close security gaps before someone else finds them.

By WhatIsMyLocation Team·Updated July 1, 2026
Port Scanning Basics: Find and Fix Your Open Ports

Summarise this article with:

Quick Answer

Port scanning is the process of probing a device's port numbers to see which ones are actively accepting connections. Used defensively, it is one of the simplest ways to confirm that your firewall is doing what you think it is. Run a scan against your own IP using our Port Scanner and you will immediately see which services are visible to the outside world.

Scan your own public IP to see what the internet can reach
Scan your own public IP to see what the internet can reach

What Are Network Ports?

Think of an IP address as a building's street address and ports as the individual suite numbers inside. A single server can run dozens of separate services at once because each one listens on a different port number.

Port numbers run from 0 to 65535 and fall into three categories defined by IANA (the Internet Assigned Numbers Authority):

RangeNameNotes
0-1023Well-Known (System) PortsStandardized services; binding requires root/admin privileges on most operating systems
1024-49151Registered (User) PortsAssigned by IANA to specific applications on request
49152-65535Dynamic (Ephemeral) PortsNever permanently assigned; your OS uses these for the outbound side of connections

Common Well-Known Ports

PortServiceProtocolWhat It Does
21FTPTCPFile transfer (largely superseded)
22SSHTCPEncrypted remote shell access
23TelnetTCPUnencrypted remote access (legacy, avoid)
25SMTPTCPOutbound email delivery
53DNSTCP/UDPDomain name resolution
80HTTPTCPUnencrypted web traffic
443HTTPSTCPEncrypted web traffic
3306MySQLTCPDatabase access
3389RDPTCPWindows Remote Desktop
445SMBTCPWindows file sharing

Registered ports add popular application services: 5432 (PostgreSQL), 8080 (alternative HTTP), 6379 (Redis), and hundreds more.

How Port Scanning Works

A scanner sends specially crafted packets to each port and reads the response to classify the port's state.

TCP and the Three-Way Handshake

Normal TCP connections follow three steps:

  1. SYN: Your machine sends a packet with the SYN flag set, proposing a connection.
  2. SYN-ACK: If something is listening, the target replies with SYN-ACK.
  3. ACK: Your machine confirms, and the connection opens.

If a port is closed, the target replies with a RST (reset) instead of SYN-ACK. If a firewall is silently dropping packets, you get no reply at all.

Scan Types You Will Encounter

TCP Connect Scan

The scanner completes the full three-way handshake for each port. Reliable and works without elevated privileges, but slow and logged by most services.

SYN Scan (Half-Open Scan)

The scanner sends only the SYN, and if it gets a SYN-ACK back, it immediately sends RST to tear down the half-open connection before it fully establishes. This is faster and generates fewer application-level log entries than a full connect scan. It requires raw-socket privileges (root on Linux, Administrator on Windows). Modern intrusion detection systems still catch it.

UDP Scan

UDP is connectionless, so scanning is trickier. The scanner sends a UDP packet; if the port is closed, the target returns an ICMP "port unreachable" message. If there is no response, the port is either open or filtered. UDP scanning is slow and results are often ambiguous, but it uncovers services that TCP scans miss entirely, including DNS (port 53), DHCP (ports 67/68), and SNMP (port 161).

FIN, NULL, and XMAS Scans

These send TCP packets with unusual flag combinations:

  • NULL scan: No flags set.
  • FIN scan: Only the FIN flag set.
  • XMAS scan: FIN, PSH, and URG flags set simultaneously (the "lit-up tree" name comes from the flag combination).

RFC 793 specifies that a closed port should respond to these probes with RST, while an open port should silently drop them. In practice, Windows and many Cisco devices send RST regardless of whether the port is open or closed, so these techniques work reliably only on Unix-like systems.

Three Port States and What They Mean

StateWhat HappenedSecurity Interpretation
OpenA service responded (SYN-ACK or a service-specific reply)Active listening service; every open port is a potential entry point
ClosedTarget replied with RST; no service is listeningNot an immediate risk, but confirms the host is reachable
FilteredNo reply; a firewall silently dropped the probeBest state for ports you do not want exposed: gives an attacker no useful information

What Open Ports Mean for Your Security

*The goal is not zero open ports. It is zero unexpected open ports.* Here is what to look for when you review your scan results.

Port 22 (SSH): When It Is Open

SSH is the correct tool for remote Linux/server access, but port 22 is under constant automated brute-force pressure. If it shows open on an internet-facing host:

  • Disable password authentication and require SSH key pairs only.
  • Disable direct root login (PermitRootLogin no).
  • Use fail2ban or a similar tool to ban IPs after repeated failures.
  • Consider a non-default port number to cut down automated scan noise (this is obscurity, not security, but it reduces log volume).

In my own testing, switching a public server to key-only auth dropped failed login attempts in the logs by more than 95% within 24 hours.

Port 23 (Telnet): When It Is Open

Close it. Telnet transmits everything, including credentials, as plain text. There is no legitimate modern use case for Telnet on an internet-facing system. Replace it with SSH.

Port 80 (HTTP): When It Is Open

Expected for web servers, but all traffic should redirect to HTTPS (port 443). If port 80 is open and serving content directly rather than issuing a 301 redirect, visitors may transmit data over an unencrypted connection without knowing it.

Port 443 (HTTPS): When It Is Open

Expected and generally fine for web servers. Confirm your server accepts only TLS 1.2 and TLS 1.3 connections. TLS 1.0 and 1.1 were formally deprecated by major vendors through 2025 and are vulnerable to known attacks including BEAST and POODLE. If you want to verify your certificate and protocol configuration, the SSL Checker is a quick sanity check. For a deeper read on what these protocol versions mean, see SSL/TLS Certificates Explained.

Port 3306 or 5432 (MySQL and PostgreSQL): When They Are Open

Database ports open to the public internet are a critical risk. Databases should bind to localhost (127.0.0.1) only and be reached via SSH tunnel or VPN, never directly from the internet. If you see these open on an external scan, treat it as urgent.

Port 3389 (RDP): When It Is Open

Recent incident-response reporting links exposed RDP to the majority of enterprise ransomware intrusions. Brute-force and credential-stuffing attacks against port 3389 are fully automated and constant. If you need Windows remote access, route it through a VPN first and never expose RDP directly. Multiple unauthenticated remote-code-execution vulnerabilities in the RDP service were disclosed in 2025 alone.

Ports 135, 137-139, 445 (Windows Services): When They Are Open

These ports handle Windows file sharing (SMB), NetBIOS, and RPC. They should never be reachable from the internet. The 2017 WannaCry ransomware attack spread using the EternalBlue exploit against SMB over port 445, causing billions of dollars in damage across 150 countries. Block these at your perimeter firewall.

How to Check Your Own Exposure

The fastest way to see what is visible from outside your network is to use our Port Scanner. It tests the most commonly exploited ports and tells you whether each one is open, closed, or filtered from an external vantage point.

My rule: run an external scan any time you make a firewall change, spin up a new service, or add a device to your network. It takes under a minute and catches misconfigurations before they become incidents.

For home routers and home networks:

  1. Find your public IP at /my-ip.
  2. Run the port scanner against that IP.
  3. If you see RDP (3389), SMB (445), or database ports open, check your router's port-forwarding rules and your device firewalls. Home routers do not typically forward these by default, so an unexpected open port usually means either a forwarding rule you forgot or UPnP automatically opening it.

Pair this with a review of your Wi-Fi security settings to make sure your internal network segments are also protected.

Best Practices for Keeping Your Attack Surface Small

1. Default-deny firewall policy. Block everything inbound, then explicitly allow only the ports your services actually need. Both iptables/nftables on Linux and Windows Defender Firewall support this approach natively.

2. Scan regularly. An open port that appeared last week can be the result of a software update enabling a service, a misconfigured UPnP rule, or someone adding a device. Weekly scans on internet-facing systems are reasonable; monthly is a minimum.

3. Network segmentation. Do not put IoT devices, servers, and workstations on the same flat network. Keep them on separate subnets with firewall rules controlling what can reach what. Even basic consumer routers support a guest VLAN for this purpose. This limits what an attacker can reach if one device is compromised.

4. Keep services patched. An open port running a patched, current service is significantly less dangerous than an open port running an unpatched one. Automate security updates where feasible.

5. Disable what you are not using. If a service is running but not needed, stop it and disable it from starting on boot. Fewer running services means fewer possible ports to inadvertently expose.

The Legality Line: Scan What You Own

Scanning your own systems is legal and recommended. It is a standard part of security auditing and no different in principle from checking whether your own front door is locked.

Scanning systems you do not own without explicit written permission is a different matter. In the United States, the Computer Fraud and Abuse Act (CFAA) can apply to unauthorized access including unauthorized scanning, even though the law does not name port scanning explicitly. In the United Kingdom, the Computer Misuse Act may treat unauthorized scanning as unauthorized access. Laws in other jurisdictions vary. The practical rule: get written permission before scanning anything that is not yours.

Common Questions

Is port scanning illegal?

Scanning your own systems is legal in virtually every jurisdiction and is a recommended security practice. Scanning systems you do not own without permission crosses into legally risky territory. In the US, the CFAA can be applied to unauthorized network access, and UK courts may treat unauthorized scanning as an offence under the Computer Misuse Act. When in doubt, get written authorization first.

How do I find out which ports are open on my own router or home network?

Use our Port Scanner from inside or outside your home network. For an external view (what the internet sees), go to /my-ip to get your public IP, then run the scanner against it. For an internal view (what devices on your network see), you would need a command-line tool like nmap installed on a device on your local network and scan your router's internal IP (typically 192.168.1.1 or 192.168.0.1).

What is the difference between a closed port and a filtered port?

A closed port actively responds with a TCP RST packet, telling you the host is reachable but nothing is running there. A filtered port returns no response at all, usually because a firewall is silently dropping the probe. Filtered is the more secure state: it gives a scanner no confirmation that the host even exists on that address.

Why does my port scanner show port 80 open even though I have a firewall?

Port 80 may be intentionally forwarded through your firewall to reach a web server, NAS device, router admin panel, or similar service on your network. Check your router's port-forwarding rules. If you did not set up a rule for port 80 and it still shows open, UPnP may have opened it automatically. Disable UPnP on your router unless you specifically need it, and add a manual rule for each port you actually intend to expose.

How do attackers use port scanning to find targets?

Attackers run automated scans across massive ranges of IP addresses, looking for open ports associated with vulnerable services. Exposed RDP on port 3389 and SMB on port 445 are frequent targets for ransomware delivery. Open database ports (3306, 5432) are probed for default or weak credentials. An exposed Telnet port on port 23 signals an older device that is unlikely to be patched. Understanding which ports draw the most automated attention is useful for prioritizing what to close first.

Sources

W

WhatIsMyLocation Team

Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.

Related Articles

Try Our Location Tools

Find your IP address, GPS coordinates, and more with our free tools.