
Port Scanning Basics: Finding Open Ports and What They Mean
Every time you browse a website, send an email, or stream a video, your computer communicates through numbered doors called ports. Understanding ports and how to scan for open ones is a foundational skill for anyone interested in network security, system administration, or simply understanding how the internet works.
This guide covers what ports are, how port scanning works technically, what commonly open ports mean, and how to use scanning responsibly to secure your own network.
What Are Network Ports?
Think of an IP address as a street address for a building, and ports as the individual apartment numbers inside that building. A single server with one IP address can run dozens of different services, each listening on a different port number.
Port numbers range from 0 to 65535 and are divided into three categories:
Well-Known Ports (0-1023)
These are reserved for common, standardized services. They require administrator or root privileges to bind to on most operating systems. Examples include:
| Port | Service | Protocol | Purpose |
|---|---|---|---|
| 20, 21 | FTP | TCP | File Transfer Protocol |
| 22 | SSH | TCP | Secure Shell (remote access) |
| 23 | Telnet | TCP | Unencrypted remote access (legacy) |
| 25 | SMTP | TCP | Sending email |
| 53 | DNS | TCP/UDP | Domain name resolution |
| 80 | HTTP | TCP | Web traffic (unencrypted) |
| 110 | POP3 | TCP | Receiving email |
| 143 | IMAP | TCP | Receiving email |
| 443 | HTTPS | TCP | Web traffic (encrypted) |
| 993 | IMAPS | TCP | Encrypted email retrieval |
| 995 | POP3S | TCP | Encrypted email retrieval |
Registered Ports (1024-49151)
These are assigned by IANA (Internet Assigned Numbers Authority) to specific applications. Examples include port 3306 for MySQL, port 5432 for PostgreSQL, port 3389 for Remote Desktop Protocol (RDP), and port 8080 for alternative HTTP.
Dynamic/Private Ports (49152-65535)
These are used for temporary connections. When your browser connects to a website on port 443, your side of the connection uses a random ephemeral port from this range. The operating system assigns these automatically and releases them when the connection closes.
How Port Scanning Works
Port scanning is the process of sending specially crafted packets to a range of port numbers on a target host and analyzing the responses to determine which ports are open, closed, or filtered.
TCP Three-Way Handshake
To understand port scanning, you first need to understand how TCP connections are established:
- SYN: Your computer sends a TCP packet with the SYN (synchronize) flag set to the target port.
- SYN-ACK: If the port is open and a service is listening, the target responds with SYN-ACK (synchronize-acknowledge).
- ACK: Your computer completes the handshake by sending an ACK packet. The connection is now established.
If the port is closed, the target sends back a RST (reset) packet instead of SYN-ACK. If the port is filtered by a firewall, you may receive no response at all.
Common Scan Types
TCP Connect Scan
This is the simplest and most reliable scan type. It completes the full three-way handshake for each port being tested. If the handshake completes, the port is open. If a RST is received, the port is closed.
Pros: Very reliable, works without special privileges, logged by the target system.
Cons: Slow, easily detected by intrusion detection systems, leaves connection logs on the target.
SYN Scan (Half-Open Scan)
Often called a "stealth scan," a SYN scan sends only the initial SYN packet. If a SYN-ACK is received (port is open), the scanner sends a RST to tear down the connection before it completes. The connection never fully establishes.
Pros: Faster than connect scans, less likely to be logged by application-level logging.
Cons: Requires raw socket privileges (root/admin), still detected by modern firewalls and IDS.
UDP Scan
UDP scanning is trickier because UDP is connectionless. The scanner sends a UDP packet to each port. If an ICMP "port unreachable" message comes back, the port is closed. If there is no response, the port is either open or filtered. Some services will send a UDP response, confirming the port is open.
Pros: Can discover services that TCP scans miss (DNS, DHCP, SNMP, VPN).
Cons: Very slow, unreliable due to rate-limiting of ICMP messages, often ambiguous results.
FIN, NULL, and XMAS Scans
These scan types send TCP packets with unusual flag combinations:
- FIN scan: Sets only the FIN flag
- NULL scan: Sets no flags at all
- XMAS scan: Sets FIN, PSH, and URG flags (like a lit-up Christmas tree)
According to the TCP specification, a closed port should respond to these packets with a RST, while an open port should silently drop them. This can help identify open ports behind firewalls that only filter SYN packets.
Limitation: These techniques do not work against Windows systems, which send RST for both open and closed ports regardless of flag combinations.
Using Our Port Scanner
You can quickly check the most important ports on any host using our Port Scanner. It tests common service ports and reports which are open, closed, or filtered. This is particularly useful for:
- Verifying that your firewall rules are working correctly
- Checking whether services you have configured are actually accessible
- Identifying unexpected open ports on your network
For a more thorough scan of your own systems, you can combine our online scanner with command-line tools for deeper analysis.
What Open Ports Mean for Security
Every open port is a potential entry point. Here is what specific open ports imply and when they should concern you:
Port 22 (SSH) - Open
SSH is generally safe if properly configured with key-based authentication, but it is a prime target for brute-force attacks. If you see port 22 open on a system, work through this checklist:
- Password authentication is disabled (use SSH keys only)
- Root login is disabled
- The SSH version is up to date
- Consider using fail2ban to block repeated failed attempts
- Consider changing the SSH port to a non-standard number to reduce automated scanning noise
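The first two checklist items can be verified from the server's own configuration. The following is an added example, not part of the original article: it reads the text of an `sshd_config` file and reports when password authentication or root login is still enabled. It assumes upstream OpenSSH defaults for unset keywords, ignores `Match` blocks and `Include` files, and uses a constructed sample file; the function names are hypothetical.

```python
# Upstream OpenSSH defaults when a keyword is absent (assumption: your
# distribution may ship different defaults).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def effective_sshd_settings(config_text):
    """Return the global settings sshd would use from this config text."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out directive
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are out of scope here
        if len(parts) > 1:
            # sshd keeps the FIRST value it reads for a keyword, so a later
            # duplicate line does not override an earlier one.
            settings.setdefault(key, parts[1].strip('"').lower())
    return {**SSHD_DEFAULTS, **settings}


def ssh_findings(config_text):
    """List the checklist items this configuration fails."""
    s = effective_sshd_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if s["permitrootlogin"] != "no":
        findings.append(f"root login is not disabled (PermitRootLogin {s['permitrootlogin']})")
    return findings


# Constructed sample: the hardening line for passwords is still commented out,
# and PermitRootLogin appears twice (the first occurrence wins).
SAMPLE = """\
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
"""

if __name__ == "__main__":
    print(ssh_findings(SAMPLE))
```

On a live server, `sshd -T` prints the effective configuration, including `Match` and `Include` handling that this sketch leaves out.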
Port 23 (Telnet) - Open
This is a red flag. Telnet transmits everything, including passwords, in plain text. If Telnet is open on any system you manage, close it immediately and use SSH instead. There is no legitimate modern use case for Telnet on a production system.
Port 80 (HTTP) - Open
Expected for web servers, but all traffic should be redirected to HTTPS (port 443). If port 80 is open, make sure it only serves a 301 redirect to the HTTPS version. Having port 80 open without a redirect means visitors may unknowingly transmit data over an unencrypted connection.
Port 443 (HTTPS) - Open
This is expected and generally safe for web servers. Ensure the TLS certificate is valid and the server supports modern TLS versions (1.2 and 1.3 only). Older protocols like TLS 1.0 and 1.1 have known vulnerabilities.
Port 3306 (MySQL) or 5432 (PostgreSQL) - Open
Database ports should almost never be open to the public internet. If you see these ports open on an internet-facing server, it is a critical security risk. Databases should listen only on localhost (127.0.0.1) or be accessible only through a VPN or SSH tunnel.
Port 3389 (RDP) - Open
Remote Desktop Protocol open to the internet is one of the most common attack vectors for ransomware. RDP brute-force attacks are automated and constant. If you need remote access, use a VPN first and then connect to RDP through the VPN tunnel. Never expose RDP directly to the internet.
Ports 135, 137-139, 445 (Windows Services) - Open
These ports handle Windows file sharing (SMB), NetBIOS, and RPC services. They should never be accessible from the internet. The WannaCry ransomware exploited SMB on port 445 and caused billions of dollars in damage worldwide. Ensure your firewall blocks these ports from external access.
Port States Explained
When scanning ports, you will encounter three possible states:
Open
A service is actively listening and accepting connections on this port. The port responded to the scan with a SYN-ACK (for TCP) or a service-specific response (for UDP).
Closed
No service is listening on this port. The port responded with a RST packet, indicating the host is reachable but nothing is running on that port. Closed ports are not a security concern, but they do confirm the host is alive and reachable.
Filtered
No response was received, meaning a firewall or packet filter is blocking the probe. You cannot determine whether the port is open or closed because the filter prevents the scanner from reaching it. This is actually the most secure state, as it gives an attacker no information about whether a service exists.
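The three states map directly onto what a TCP connect check sees from the operating system's socket API. The following is an added example, not part of the original article or of the Port Scanner tool: it classifies ports on a host you administer and compares the result with the ports you intend to expose. The function names, the timeout value and the loopback test setup are assumptions made for illustration.

```python
import errno
import socket


def probe_tcp(host, port, timeout=1.0):
    """Attempt a full TCP handshake and map the outcome to a port state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"        # handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"      # RST received: host reachable, nothing listening
        except socket.timeout:
            return "filtered"    # no reply within the timeout: probe was dropped
        except OSError as exc:
            # A filter that rejects with ICMP unreachable instead of dropping
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def audit(host, ports, expected_open, timeout=1.0):
    """Probe ports and diff the result against the ports meant to be exposed."""
    states = {p: probe_tcp(host, p, timeout) for p in ports}
    unexpected = sorted(p for p, st in states.items()
                        if st == "open" and p not in expected_open)
    missing = sorted(p for p in expected_open if states.get(p) != "open")
    return states, unexpected, missing


def demo():
    """Constructed loopback check: one live listener, one just-released port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        result = audit("127.0.0.1", [open_port, closed_port], expected_open=set())
        return open_port, closed_port, result
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A port in `unexpected` is a service you did not plan to expose; a port in `missing` is a service that should be reachable but is closed or filtered.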
Best Practices for Port Security
1. Minimize Your Attack Surface
Only open ports that are absolutely necessary. Every open port is a potential vulnerability. If you are running a web server, you typically only need ports 80, 443, and 22 (for administration).
2. Use a Firewall
Configure your firewall with a default-deny policy: block everything, then explicitly allow only the ports you need. Both iptables/nftables (Linux) and the built-in Windows Firewall support this approach.
3. Regular Scanning
Scan your own systems regularly to detect unauthorized changes. Use our Port Scanner for quick external checks and schedule more thorough internal scans on a weekly or monthly basis.
4. Network Segmentation
Do not put all devices on the same network. Separate IoT devices, servers, and workstations into different subnets with firewall rules controlling traffic between them.
5. Keep Services Updated
An open port running an outdated service is significantly more dangerous than an open port running a patched, current version. Automate security updates where possible.
Legal and Ethical Considerations
Port scanning your own systems is perfectly legal and a recommended security practice. However, scanning systems you do not own without explicit written permission may violate computer misuse laws in many jurisdictions, including the Computer Fraud and Abuse Act in the United States and the Computer Misuse Act in the United Kingdom.
Always get written authorization before scanning anyone else's network, even if your intentions are purely educational.
Key Takeaways
- Ports are numbered endpoints (0-65535) that allow multiple services to run on a single IP address
- Port scanning sends crafted packets to determine which ports are open, closed, or filtered
- Open ports are potential attack vectors and should be minimized
- Critical ports like SSH (22), databases (3306/5432), and RDP (3389) require special attention
- Use our Port Scanner regularly to audit your own systems
- Never scan systems you do not own without explicit permission
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.