Open Port
A network port that is actively listening for connections, potentially exposing a service to the internet.
What is Open Port?
An open port is a network port on a host that is actively listening for and accepting incoming connections. Every internet-facing service binds to a numbered TCP or UDP port — 443 for HTTPS, 22 for SSH, 3306 for MySQL — and when a service is running and reachable through the firewall, that port is "open." A port is "closed" if the host is reachable but nothing is listening, and "filtered" if a firewall silently drops the traffic. An open port is not a vulnerability by itself; it is an entry point, and whether it represents risk depends entirely on what is listening behind it and whether that service should be exposed to the public internet at all.
Why it matters
Open ports define the boundary of what an attacker can reach. Reconnaissance almost always starts with a port scan, because the set of open ports tells an attacker which services to probe for weak credentials, missing patches, or misconfigurations. Some open ports are expected and benign — a web server must listen on 80 and 443. Others signal serious exposure:
- Databases and caches reachable from the internet (MySQL 3306, PostgreSQL 5432, MongoDB 27017, Redis 6379) are frequently unauthenticated and have driven mass data-theft and ransom campaigns. See how exposed databases lead to full compromise and the deep dive on the exposed Redis port 6379.
- Remote access ports like RDP (3389) and management panels exposed without IP allow-listing are among the most-exploited surfaces in the wild.
- Forgotten dev or staging services on non-standard ports that were never meant to face the public.
How it works
When a service starts, it calls bind() and listen() on a port. A scanner discovers open ports by sending packets and observing responses: a TCP SYN that receives a SYN-ACK indicates an open port. Service and version detection then fingerprints the software behind each port, which matters more than the number itself — a database listening on a non-default port is exactly as critical as one on its standard port.
A concrete example
A team spins up a Redis cache for a feature, binds it to 0.0.0.0 instead of 127.0.0.1, and a cloud security group leaves 6379 open. Redis ships with no authentication by default, so anyone who scans that IP can read every cached value, dump keys, and in many configurations write to disk to achieve remote code execution — no exploit required, just an open port and a default config.
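The bind-address mistake in this example, and the bind() and listen() behaviour described under "How it works", can be checked from the host itself. The following is an added example, not FortWatch code: it parses `ss -H -tlnp` output and flags listeners bound off loopback. The sample lines are constructed, and the severity labels and the `bind_scope` and `audit` function names are assumptions made for illustration.

```python
import ipaddress
import re

# Ports the page names as serious exposure when reachable from outside.
SENSITIVE = {3306, 5432, 27017, 6379, 3389}  # MySQL, PostgreSQL, MongoDB, Redis, RDP
EXPECTED_PUBLIC = {80, 443}  # ports a web server is expected to listen on

# Constructed sample of `ss -H -tlnp` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 511       0.0.0.0:6379  0.0.0.0:* users:(("redis-server",pid=812,fd=6))
LISTEN 0 244     127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=640,fd=5))
LISTEN 0 511          [::]:443      [::]:* users:(("nginx",pid=700,fd=7))
LISTEN 0 128       0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=500,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=400,fd=14))
LISTEN 0 151             *:3306        *:* users:(("mysqld",pid=900,fd=20))
"""

def bind_scope(addr):
    """Return 'loopback', 'wildcard' or 'specific' for a local bind address."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def audit(ss_output):
    """Return (severity, port, scope, process) for each non-loopback listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        scope = bind_scope(addr)
        if scope == "loopback":
            continue                       # only reachable from the host itself
        name = re.search(r'\(\("([^"]+)"', fields[5] if len(fields) > 5 else "")
        proc = name.group(1) if name else "unknown"
        port = int(port)
        if port in SENSITIVE:
            severity = "critical"          # database/cache/RDP bound off loopback
        elif port in EXPECTED_PUBLIC:
            severity = "info"
        else:
            severity = "review"            # unknown port: confirm what is behind it
        findings.append((severity, port, scope, proc))
    return findings
```

A listener flagged here is only reachable from the internet if the firewall or security group also allows the port, so treat the output as the list of services to compare against those rules.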
How it appears on your external attack surface
Open ports are a foundational layer of your external attack surface: the same scans attackers run against you are trivially available through services like Shodan, so you can find your own company on Shodan to see what is already public.
How FortWatch detects and helps
FortWatch's port monitoring scanner continuously enumerates open ports across your domains and IPs, fingerprints the service behind each one, and classifies severity by impact — an unauthenticated database is critical, an expected web port is informational. Each finding becomes a tracked issue with AI-written remediation, and pairing it with vulnerability scanning checks the exposed services for known CVEs. Because severity reflects real impact, you can focus on what matters — see our guide on how to prioritize vulnerabilities.