© 2026 DFIR Lab. All rights reserved.

Open Ports

Network ports on a host that are actively accepting connections, each exposing an underlying service that may be exploited if misconfigured, unpatched, or unnecessarily internet-facing.

Definition

A port is a logical endpoint on a networked host, identified by a number from 0 to 65535. A port is considered open when a process is actively listening for and accepting incoming connections on it. Well-known ports correspond to standard protocols — 22 for SSH, 3389 for RDP, 3306 for MySQL — but any port can host any service. Open ports are the primary mechanism through which remote attackers interact with a system.

Why It Matters

Every open port on an internet-facing host is a potential entry point. Services that are unintentionally exposed — a database port left accessible, a debug interface enabled in production, a management service reachable from the public internet — represent unplanned attack surface. Attackers routinely scan the entire IPv4 address space for open ports associated with known-vulnerable services. Knowing what ports are open on your assets before attackers do is a foundational requirement for external attack surface management.

How It Works

Port scanning tools such as Shodan, Censys, and Nmap send TCP SYN or UDP packets to each port in a target range. For TCP, a SYN-ACK response indicates the port is open and a service is listening. Banner grabbing and service fingerprinting identify the software and version behind each open port. Security teams aggregate this data across all externally reachable IP addresses and hostnames to build an inventory of exposed services, which they then triage for risk.
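The inventory-and-triage step described above can be sketched as follows. This is an added example, not DFIR Lab code: it parses a constructed scan of your own assets in Nmap's grepable (`-oG`) output format and reports open ports that are missing from an approved-exposure baseline. The sample hosts, the `APPROVED` policy and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Nmap grepable (-oG) format; addresses are documentation ranges.
SAMPLE_SCAN = """\
Host: 203.0.113.10 (web01.example.com)\tStatus: Up
Host: 203.0.113.10 (web01.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, 443/open/tcp//https//nginx/, 3306/open/tcp//mysql//MySQL 8.0.32/, 8080/open/tcp//http-proxy///
Host: 203.0.113.20 (jump01.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 9.3/, 3389/open/tcp//ms-wbt-server///, 8443/filtered/tcp//https-alt///
"""

# Assumed policy: ports each host is approved to expose to the internet.
APPROVED = {"203.0.113.10": {443}, "203.0.113.20": {22}}
# Well-known remote-access and database ports named in the definition above.
HIGH_RISK = {22: "SSH", 3389: "RDP", 3306: "MySQL"}

def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*)", line)
        if not m:
            continue  # status lines and comments carry no port list
        ip, ports = m.groups()
        ports = ports.split("\t")[0]  # drop trailing tab-separated fields
        for entry in ports.split(", "):
            f = entry.strip().split("/")
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            if len(f) >= 7 and f[1] == "open":
                inventory[ip].append((int(f[0]), f[2], f[4], f[6]))
    return dict(inventory)

def triage(inventory, approved, high_risk):
    """List open ports outside the baseline, high-risk services first."""
    findings = []
    for ip, services in inventory.items():
        for port, proto, service, version in services:
            if port in approved.get(ip, set()):
                continue  # planned exposure, nothing to report
            sev = "high" if port in high_risk else "review"
            findings.append((sev, ip, port, proto, service or "unknown", version))
    return sorted(findings, key=lambda x: (x[0] != "high", x[1], x[2]))

if __name__ == "__main__":
    for f in triage(parse_grepable(SAMPLE_SCAN), APPROVED, HIGH_RISK):
        print("{:6} {}:{}/{} {} {}".format(*f))
```

Ports reported as closed or filtered are left out of the inventory, so only services that actually accepted a connection reach triage.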

DFIR Platform

Exposure Scanner

The DFIR Lab Exposure Scanner detects open ports by aggregating results from Shodan, Criminal IP, and Netlas as part of its 11-provider intelligence pipeline. Exposed services including RDP, SSH, databases, and debug interfaces are identified and flagged. Results are correlated with vulnerability data to surface open ports running services with known CVEs.

Related Concepts

Attack Surface Management, Vulnerability Scanning, SSL/TLS Certificates
