Network · Ports

Open Port Checker

Check open ports on any domain or IP address. Scan common services like HTTP, HTTPS, SSH, SMTP, FTP, and MySQL from the public internet.

Checking common ports from the public internet... this can take a few seconds.

What is an open port?

An open port accepts incoming connections because a service is listening on it. Web servers, mail servers, remote access tools, and databases all rely on specific ports to communicate.

Open

A service accepted the connection. The port is reachable from outside and actively listening.

Closed

The system responded, but no service is listening on that port.

Timeout

No reply — often a firewall or packet filter dropping traffic silently.

Why open ports matter for security

Every reachable service increases your public attack surface. Not every open port is a problem, but each one should be expected, patched, monitored, and restricted.

Exposure and risk

Attackers routinely scan the internet for exposed SSH, RDP, databases, mail, and web interfaces. Outdated or weakly configured services become targets.

Useful for audits

External checks are useful after firewall changes, migrations, DNS cutovers, cloud deployments, or routine security reviews.

Which open ports are normal?

Not every open port is a vulnerability. The question is whether the service is expected, necessary, and protected.

Usually normal

Ports 80 and 443 are normal for public websites. SMTP ports may be expected for mail infrastructure.

Depends on context

SSH on port 22 may be expected for admin, but is safer limited to trusted IPs, VPN, or jump hosts.

Often higher risk

Exposed database ports, remote desktop, and legacy file transfer deserve closer review and stronger controls.

Common ports we check

The services most commonly associated with these ports.

HTTP / HTTPS

80, 443

Standard ports for public websites. Port 80 is HTTP and 443 is HTTPS — often expected open on web servers.

FTP

21

Used for file transfer. Older, and often replaced by more secure SFTP or SCP.

SSH

22

Secure remote administration of Linux/Unix systems. If public, it should be tightly restricted.

SMTP

25

Mail transfer. Expected on dedicated mail systems, but worth reviewing elsewhere.

MySQL

3306

Database service — safer restricted to internal networks, VPNs, or trusted IP ranges.

RDP

3389

Remote access to Windows. Publicly exposed RDP needs special care — a common attack target.

High-risk open ports to review

Some ports deserve extra review — commonly tied to administration, remote access, or direct service exposure.

21

FTP

Legacy file transfer exposure can be risky if not secured properly.

22

SSH

Remote admin should usually be limited to trusted IPs or VPN access.

3306

MySQL

Public database access often deserves tighter network restrictions.

3389

RDP

Remote Desktop is reviewed closely because of its administrative exposure.

Compliance

Open ports and Canadian security compliance

Unnecessary public exposure is one of the simplest ways systems become easier to target. For Canadian organizations, reducing that exposure supports good security hygiene and the broader expectation to use appropriate technical safeguards.

PIPEDA does not prescribe a fixed list of approved or prohibited ports, but it does require safeguards appropriate to the sensitivity of the information handled. Reviewing unnecessary open ports, remote access services, and exposed databases is part of that mindset.

Publicly reachable admin interfaces, remote access tools, and database ports should generally be exposed only with a specific operational need and layered protections in place.

How to close unused ports

If a port is open and you don't expect it, review the service and the network controls protecting it.

Review firewall rules

Check host firewalls, cloud security groups, and network ACLs so only intended ports are allowed.

Disable unused services

If a service is no longer needed, stop and disable it so it does not reopen a port after a restart.

Restrict admin access

Remote admin is safer limited to trusted IPs, VPN access, bastion hosts, or private network paths.

Check NAT and forwarding

Router port forwarding, load balancers, and old migration settings can leave services reachable.

Answers

Frequently asked questions

What is an open port?

An open port is a network port that accepts incoming connections because a service is actively listening on it.

Is an open port always a security risk?

No. Some open ports are necessary for websites, email, and remote services. The real question is whether the service is expected, secure, updated, and properly restricted.

What ports does this checker scan?

This open port checker scans a set of common ports associated with web, mail, remote access, and database services.

Can I scan a domain name instead of an IP address?

Yes. You can scan either a domain or a public IP address to see whether the selected common ports are reachable from the internet.

What does a timeout mean in a port scan?

A timeout usually means the target did not reply at all. This often suggests a firewall or filtering rule is silently dropping the traffic.

What does a closed port mean?

A closed port means the host is reachable, but no service is listening on that specific port.

Should MySQL port 3306 be public?

Usually not. Database services are often safer when restricted to internal networks, VPN access, or trusted IP ranges instead of broad public exposure.

Why scan ports from an external tool?

An external port check helps show what a public visitor or attacker may be able to reach from outside your network, which can differ from what you see internally.