Port Scanner - Check Open Ports on Any Host
Scan any host to discover open ports and identify running services. Essential for security audits, firewall testing, and network troubleshooting.
Understanding This Tool
What It Does
Scan for open ports on a host to identify running services and potential security issues. Port scanning reveals which network services are active and accessible from the internet.
Understanding the Results
- Open: A service completed the TCP handshake (SYN, SYN-ACK, ACK). Something is listening and reachable
- Closed: The host replied with a TCP RST. The port is reachable but no service is bound to it
- Filtered: No reply at all (or an ICMP unreachable). A firewall is dropping the packet, which is the safest state for ports you do not use
- Port number: 1-65535. Well-known ports are 0-1023, registered 1024-49151, dynamic/ephemeral 49152-65535
- Service & banner: The service typically bound to that port (22=SSH, 80=HTTP, 443=HTTPS) and any version string the service volunteers
Common Use Cases
- Attack-surface review: Confirm only the ports you intend (usually 80 and 443) are reachable from the public internet
- Firewall validation: Verify a new rule actually moves a port from open to filtered
- Service inventory: Catalog what is listening on a host before an audit or migration
- Post-incident sweep: Spot an unexpected listener (e.g., a backdoor on a high port) after a compromise
- Connectivity checks: Confirm a remote database or API port is actually reachable through the network path
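The open/closed/filtered mapping under Understanding the Results, applied to the attack-surface review use case, as an added Python example (not this tool's own code): `probe` classifies one TCP port from the outcome of a connect attempt, and `audit` compares the result with the set of ports you intend to expose. The function names and the loopback demo listener are constructed for illustration.

```python
import socket


def probe(host, port, timeout=1.0):
    """Classify one TCP port as open, closed or filtered via a full connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except socket.gaierror:
        raise                      # name did not resolve: not a port state
    except ConnectionRefusedError:
        return "closed"            # host answered with a TCP RST
    except OSError:
        return "filtered"          # timeout or ICMP unreachable


def audit(host, intended, ports, timeout=1.0):
    """Return (port, state, finding) for each port that deviates from `intended`."""
    findings = []
    for port in sorted(ports):
        state = probe(host, port, timeout)
        if state == "open" and port not in intended:
            findings.append((port, state, "unexpected listener"))
        elif state != "open" and port in intended:
            findings.append((port, state, "intended service unreachable"))
    return findings


if __name__ == "__main__":
    # Constructed demo on loopback: an ad-hoc listener plays the unexpected service.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))     # port 0 lets the OS pick a free port
    srv.listen()
    port = srv.getsockname()[1]
    for finding in audit("127.0.0.1", intended={443}, ports=[port]):
        print(finding)
    srv.close()
```

A timeout is reported as filtered, so choose a timeout longer than the round-trip time of the path being tested.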
Pro Tips & Best Practices
- Never expose these to the internet: 3389 (RDP), 22 (SSH, restrict by IP or use a bastion), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 27017 (MongoDB), 445 (SMB), and 23 (Telnet). Put them behind a VPN or firewall
- Filtered is good for unused ports: Dropping packets silently gives an attacker no information, unlike a closed port that confirms the host is alive
- Get written authorization: Scanning hosts you do not own can violate the US Computer Fraud and Abuse Act and similar laws abroad
- Closed everywhere can mean a stealthy firewall: A host that returns closed on every port may be behind a device that synthesizes RSTs
Frequently Asked Questions
What is port scanning?
Port scanning tests which network ports on a server are open, closed, or filtered. Each port corresponds to a service (80=HTTP, 443=HTTPS, 22=SSH, 25=SMTP, etc.).
Is port scanning legal?
Scanning your own servers or networks is legal. Scanning others' systems without permission may violate computer fraud laws. Only scan systems you own or have explicit authorization to test.
What's the difference between open, closed, and filtered ports?
Open ports accept connections (service running). Closed ports actively refuse connections (no service). Filtered ports don't respond (blocked by firewall). Filtered is most secure for unused ports.
Which ports should be open on my server?
Only ports for services you need: 80/443 for web, 22 for SSH, 25/587/465 for email. Close all unnecessary ports. Use non-standard ports for added security (e.g., SSH on 2222 instead of 22).
Why do I see unexpected open ports?
Unexpected ports may indicate forgotten services, malware, or misconfigurations. Investigate all unexpected open ports immediately and close/firewall any you don't recognize.
How can I close open ports?
Stop the service listening on the port, configure your firewall to block it, or both. On Linux use iptables/ufw, on Windows use Windows Firewall. Always verify changes with another port scan.
What ports should I never expose to the internet?
Keep these behind a VPN, bastion, or firewall: 3389 (RDP) and 23 (Telnet) are prime targets for brute force and have no business being public; 22 (SSH) should be IP-restricted; database ports 3306 (MySQL), 5432 (PostgreSQL), 1433 (MSSQL), 27017 (MongoDB), and 6379 (Redis) must never face the internet; and 445/139 (SMB) exposure is how ransomware like WannaCry spread. For most servers only 80 and 443 should be reachable.
Why does TCP scanning miss UDP services like DNS?
DNS (53), SNMP (161), and many VoIP services run over UDP, which is connectionless and has no handshake. A standard TCP scan only tests TCP ports and will not detect them. UDP scanning is also less reliable because an open UDP port often stays silent, making it look the same as a filtered one.
Will scanning trigger alerts or get my IP blocked?
Possibly. Intrusion detection systems, fail2ban, and cloud security groups frequently flag and block the source of a port scan, especially aggressive full-range scans. When testing your own infrastructure, scan from an allowlisted IP, and never scan systems you do not own or have written permission to test.