Dangerous open ports
Plain-language reference for the TCP ports DomainCare scans on every daily check. Each page covers what the service is, what attackers do with public exposure, how to lock the port down, and when public exposure is legitimate.
MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class — pre-3.0 builds shipped without authentication enabled.
Elasticsearch listens on port 9200 by default. Public exposure exposes the entire indexed dataset to any internet user.
Telnet on port 23 transmits everything in plaintext, including passwords. There is no legitimate reason to expose it to the public internet in 2026.
CouchDB listens on port 5984 by default. Pre-3.0 builds had a default admin-party mode that allowed full access without credentials.
FTP on port 21 sends both control commands and data in plaintext. SFTP or FTPS replaces it for any modern use case.
Port 8080 is a common alternate HTTP port for proxies, dev servers, and management consoles. Exposure is low-risk on its own but often signals an unintended deployment.
Port 8443 is the alt-HTTPS analog of 8080. Same considerations — risk depends entirely on what's listening.
SSH on port 22 is normal infrastructure. Tracked as informational so unexpected exposure on a non-management host shows up as a signal.