Every device connected to the internet communicates through ports โ numbered endpoints that direct network traffic to the right application or service. Your web browser uses port 80 for HTTP and port 443 for HTTPS. Your email client connects through port 587 or 465. Remote desktop uses port 3389. There are 65,535 possible ports on any given system, and each one that's open and listening represents a potential entry point for attackers.
Port scanning is the process of probing those ports to discover which ones are open, which services are running behind them, and whether those services might be vulnerable. In my 20+ years of network administration, port scanning has been one of the most fundamental tools in my toolkit โ both for securing the networks I manage and for diagnosing connectivity problems. Understanding what your open ports are telling the world about your network is the first step toward locking it down.
What Exactly Is a Port?
Think of your computer's IP address as the street address of an apartment building, and ports as the individual apartment numbers. When data arrives at your IP address, the port number tells the operating system which application should receive that data. Without ports, your computer would have no way to distinguish between web traffic, email traffic, file transfers, and the dozens of other network services that might be running simultaneously.
Ports are divided into three ranges. Well-known ports (0โ1023) are reserved for standard services: port 22 for SSH, port 25 for SMTP email, port 53 for DNS, port 80 for HTTP, and port 443 for HTTPS are among the most common. Registered ports (1024โ49151) are assigned to specific applications โ for example, port 3306 for MySQL databases or port 3389 for Microsoft Remote Desktop. Dynamic or ephemeral ports (49152โ65535) are temporarily assigned by your operating system for outgoing connections.
A port can exist in one of three states: open (a service is actively listening and accepting connections), closed (no service is listening, but the port responds to probes), or filtered (a firewall is blocking access, so there's no response at all). From a security perspective, open ports are the ones that matter most, because each one represents a service that's accessible from the network โ and potentially from the internet.
How Port Scanning Works
A port scan sends specially crafted network packets to a range of ports on a target system and analyzes the responses to determine each port's state. The most common technique is a TCP SYN scan, sometimes called a "half-open" scan. It works by sending a TCP SYN packet (the first step of the standard three-way handshake) to each port. If the port is open, the target responds with a SYN-ACK packet. If the port is closed, it responds with a RST (reset) packet. If the port is filtered by a firewall, there's no response at all.
Other scanning techniques include TCP connect scans (which complete the full three-way handshake), UDP scans (which are slower and less reliable because UDP is a connectionless protocol), and more advanced techniques like FIN scans and XMAS scans that use unusual flag combinations to try to bypass firewalls and intrusion detection systems.
You can scan your own ports using IP Lobster's Port Scanner, which checks the most commonly targeted ports on your public IP address and reports which ones are open and responding. This gives you an external view of what the internet can see about your network โ which is exactly the perspective an attacker would have.
Common Ports and What They Reveal
Each open port tells a story about what's running on a system. Here are the ports I most commonly encounter and what finding them open typically means.
Port 22 (SSH) indicates a Secure Shell server is accepting connections. SSH is the standard protocol for remote command-line access to Linux and Unix systems. Finding this open on a public-facing system is extremely common, but it's also one of the most heavily targeted ports on the internet. Automated bots constantly scan the internet for open SSH ports and attempt brute-force password attacks. If you must expose SSH publicly, use key-based authentication instead of passwords, change it to a non-standard port, and implement fail2ban or similar rate-limiting tools.
Port 80 (HTTP) and Port 443 (HTTPS) indicate a web server is running. These are expected to be open on any system hosting a website. The concern arises when you find these open on systems that shouldn't be running web servers โ it might indicate a misconfigured application, a rogue web interface on a network device, or in worst-case scenarios, malware running an HTTP-based command and control channel.
Port 3389 (RDP) is Microsoft's Remote Desktop Protocol. Finding this open on a public IP address is a major red flag. RDP has been the attack vector for countless ransomware infections and network breaches. The BlueKeep vulnerability and its successors demonstrated that exposed RDP ports can be exploited remotely without any user interaction. If you need remote desktop access, it should always be behind a VPN โ never directly exposed to the internet.
Port 445 (SMB) is used for Windows file sharing. An open port 445 on a public IP is one of the most dangerous findings in a port scan. The WannaCry ransomware attack exploited the SMB protocol through this port to spread across networks worldwide. SMB should never be accessible from the internet. If a scan shows port 445 open on your public IP, your router or firewall needs immediate attention.
Port 23 (Telnet) is an unencrypted remote access protocol that predates SSH. Finding Telnet open on any system in 2026 is a serious concern because all data, including passwords, is transmitted in plain text. Telnet is still found on older network equipment, IoT devices, and industrial control systems that haven't been updated. It should be disabled and replaced with SSH wherever possible.
Ports 25, 465, 587 (SMTP) indicate an email server is running. Open SMTP ports on a system that shouldn't be an email server could indicate that the system has been compromised and is being used to send spam or phishing emails. Even legitimate email servers need careful configuration to prevent being used as open relays.
Port Scanning Your Own Network
Regularly scanning your own public-facing infrastructure is a fundamental security practice. You should know exactly which ports are open and accessible from the internet, and each one should be there intentionally. Any open port you can't immediately account for warrants investigation.
Start with an external scan using IP Lobster's Port Scanner. This shows you what the outside world can reach on your network. Then, from inside your network, use tools like Nmap to do a more thorough scan of individual systems. Compare the results: ports that are open internally but blocked externally tell you your firewall is doing its job. Ports that are open both internally and externally are your exposure points.
For home users, a port scan of your public IP should ideally show very few or no open ports. Most consumer routers block all inbound connections by default through NAT (Network Address Translation), and any open ports are usually the result of port forwarding rules you've configured manually. If you find open ports you didn't configure, it could indicate UPnP (Universal Plug and Play) has automatically opened ports on your behalf โ a feature that's convenient but poses security risks and should generally be disabled.
For businesses, port scan results are typically more complex. Web servers, VPN endpoints, email servers, and other public services will have intentionally open ports. The key is maintaining a documented list of what should be open and regularly scanning to verify nothing unexpected has appeared. Any new open port that isn't on your approved list should be treated as a potential incident until proven otherwise.
How Attackers Use Port Scans
Port scanning is almost always the first step in a targeted attack. Before an attacker can exploit a vulnerability, they need to know what services are running and on which ports. An attacker scanning your network is performing reconnaissance โ mapping out your attack surface to identify the best way in.
Automated scanning tools run continuously across the entire internet. Research from organizations that monitor internet-wide scanning activity consistently shows that any new IP address connected to the internet will be scanned within minutes. The most commonly targeted ports are SSH (22), HTTP/HTTPS (80/443), RDP (3389), SMB (445), and Telnet (23). Botnets consisting of thousands of compromised devices perform these scans 24/7, and when they find an open port running a vulnerable service, exploitation can be automated and nearly instantaneous.
This is why the principle of "minimum necessary exposure" is so important. Every port you close is one less opportunity for an attacker. If a service doesn't need to be accessible from the internet, it shouldn't be. If it does need to be accessible, it should be patched, hardened, and monitored.
Securing Your Open Ports
For every port that must remain open, there are practical steps to reduce risk. Keep the software behind each open port updated with security patches โ most exploits target known vulnerabilities that have already been patched. Use a firewall to restrict access by source IP address whenever possible; if only your office needs SSH access to a server, there's no reason to allow SSH connections from the entire internet. Implement rate limiting and account lockout policies to slow down brute-force attacks. Monitor logs for unusual connection patterns, such as a sudden spike in failed authentication attempts.
Consider using port knocking or single packet authorization (SPA) for sensitive services like SSH. These techniques keep the port closed to normal scans and only open it temporarily when a specific sequence of connection attempts is detected. To an attacker scanning your network, the port appears closed or filtered, effectively making the service invisible.
Finally, segment your network so that a compromise of one public-facing service doesn't give an attacker access to your entire infrastructure. Place public services in a DMZ (demilitarized zone) with strict firewall rules controlling traffic between the DMZ and your internal network. This way, even if an attacker exploits a vulnerability on your web server, they still face another layer of defense before reaching your sensitive internal systems.
Making Port Scanning Part of Your Routine
Whether you're managing a corporate network or just trying to secure your home connection, regular port scanning should be part of your security routine. For businesses, monthly external scans and quarterly comprehensive assessments are a reasonable baseline. For home users, a quick scan after any major router or network change is sufficient.
The goal isn't to achieve zero open ports โ that would mean no network services at all. The goal is to know exactly what's open, why it's open, and to be confident that each exposed service is as secure as possible. In network security, the things that hurt you are almost always the things you didn't know about. Port scanning eliminates that blind spot.