Which ports are safe to leave open?

Encrypted, authenticated services are safe to expose: 443 (HTTPS), 587 and 993 (email over TLS), and 22 (SSH) when it uses key authentication and MFA. The rule is simple — if traffic on the port is encrypted and the service is patched and authenticated, an open port is not a meaningful risk on its own.

Which ports are the most dangerous to leave open?

The highest-risk ports are 23 (Telnet), 21 (FTP), 139 and 445 (NetBIOS/SMB), 3389 (RDP), and any database port such as 3306 (MySQL), 5432 (PostgreSQL), 1433 (MSSQL), 6379 (Redis), and 27017 (MongoDB). These either send credentials in plaintext, have a history of mass exploitation, or should never be reachable by strangers. RDP and SMB in particular are favourite ransomware entry points.

Is it bad to have any ports open at all?

No. An open port is just a service accepting connections — web servers must keep 443 open to work. A port is only a risk when the service behind it is unpatched, unauthenticated, unencrypted, or not supposed to be public. The goal is not zero open ports; it is zero unnecessary or unprotected ones.

Why do most of my ports show as 'filtered'?

Filtered means a firewall or your router's NAT is silently dropping connection attempts. Home connections show almost every port as filtered by default because consumer routers block all unsolicited inbound traffic — that is the safe default and you usually want to keep it that way.

How do I close a port that shouldn't be open?

Find what is listening (ss -tlnp on Linux, netstat -ano on Windows), stop or reconfigure that service to bind to localhost, then add a firewall rule to deny the port. Re-run a port checker afterwards — the port should change from open to filtered when viewed from the internet.

June 8, 2026 · 9 min read

Which Ports Should Be Open (and Which Are Risky)

A plain-English guide to which network ports are safe to leave open, which to harden, and which should never face the internet — with a quick-reference risk table.

An open port is not automatically dangerous. A port is only risky when the service behind it is unencrypted, unauthenticated, unpatched, or simply not meant to face the internet. In short: 443, 587, 993, and a hardened SSH are safe to expose; 23, 21, 445, 3389, and every database port should never be reachable from the public internet. This guide explains the reasoning so you can judge any port yourself.

The short answer

Verdict	Ports	Why
✅ Safe to expose	443, 587, 993, 8443	Encrypted and authenticated by design
⚠️ Harden if open	22, 80, 53, 8080	Useful, but attract attacks — secure them
❌ Never expose	23, 21, 139, 445, 3389, 1433, 3306, 5432, 6379, 27017	Plaintext, legacy, or never meant to be public

You can see which of these are reachable on your own connection right now with the What Is My Open Ports tool — it scans these common ports and labels each one by risk.

First, what "open" actually means

A port check has three possible outcomes, and the difference matters for security:

State	What happened	What it means
Open	The service answered	Something is listening and reachable from the internet
Closed	The host replied "nobody home"	Reachable, but no service is running on that port
Filtered	No reply at all	A firewall or NAT is silently dropping the packets

Most home connections show nearly every port as filtered because the router's NAT blocks unsolicited inbound traffic by default. That is the safe baseline. An open port means you (or your ISP, router, or a piece of malware) deliberately exposed a service — so it's worth knowing which ones are acceptable.

Ports that are safe to keep open

These carry encrypted, authenticated traffic. Leaving them open is normal and expected:

443 — HTTPS. The whole point of a web server. Encrypted with TLS; keep your certificate and TLS version current.
587 — SMTP submission (TLS) / 993 — IMAPS. Modern email uses these encrypted, authenticated ports. Safe to expose.
8443 — HTTPS alternate. Fine when it's genuinely serving TLS.

The principle: encryption + authentication + patching = an open port is not a meaningful risk by itself. Attackers can connect, but they can't read the traffic or get in without credentials.

Ports to harden if they're open

These have legitimate uses but are constant attack targets. Keep them open only if you need them, and lock them down:

22 — SSH. Indispensable for servers, but brute-forced around the clock. Disable password login, use SSH keys, enable MFA, and rate-limit with fail2ban. Changing off the default port reduces noise but isn't real security.
80 — HTTP. Fine as a redirect to HTTPS, but never serve sensitive content over plain HTTP.
53 — DNS. Required for DNS servers, but an open resolver gets abused for DDoS amplification. Restrict it to your own networks.
8080 — HTTP alternate. Frequently a forgotten dev server or admin panel with no authentication. Check what's actually running.

Ports that should never face the internet

Port	Service	Why it's dangerous
23	Telnet	Sends logins in plaintext — anyone on the path can read them
21	FTP	Plaintext credentials; use SFTP over port 22 instead
139 / 445	NetBIOS / SMB	The WannaCry / EternalBlue target; a top ransomware vector
3389	RDP	The single most common ransomware entry point — put it behind a VPN
1433 / 3306 / 5432	MSSQL / MySQL / PostgreSQL	Databases should never be reachable by strangers
6379	Redis	Unauthenticated by default in many setups
27017	MongoDB	A long history of mass data leaks from public exposure

If any of these show open when checked from the internet, treat it as urgent. The fix is almost always the same: bind the service to localhost or a private network, and require a VPN for legitimate remote access.

A simple decision rule

When you find an open port and aren't sure, ask three questions:

Is the traffic encrypted? No → close it or wrap it in TLS/VPN.
Does it require authentication? No → close it.
Do I actually need it reachable from the internet? No → close it.

If you can't answer "yes, yes, and yes," the port should not be open to the public. The goal is never zero open ports — it's zero unnecessary or unprotected ones.

How to close a port you didn't mean to open

Find the listener. Linux: ss -tlnp | grep :<port>. Windows: netstat -ano | findstr :<port>, then match the PID in Task Manager.
Stop or rebind the service. Shut it down if it shouldn't run, or configure it to listen on 127.0.0.1 only.
Add a firewall rule. ufw deny <port>/tcp on Ubuntu, or a Windows Firewall inbound block.
Verify. Re-run a port checker — the port should now read filtered from outside.

Scan your own connection in seconds — no software needed — with the What Is My Open Ports tool, which now flags every common port by risk level. To understand the states in more depth, read What Is My Open Ports? How to Check TCP Ports on Your Public IP. And if you use a VPN to keep risky services off the public internet, confirm it isn't leaking with the VPN Leak Test and our guide to fixing a VPN leak.