Reference · medium severity

Port 5984 · CouchDB

CouchDB listens on port 5984 by default. Pre-3.0 builds had a default admin-party mode that allowed full access without credentials.

What runs on port 5984

Apache CouchDB is a document database. Its HTTP API binds to TCP/5984 by default. Older releases shipped in 'admin party' mode: no admin user, and no authentication required for any operation. CouchDB 3.0+ enforces admin-account creation at install.

Why public exposure is dangerous

Admin-party CouchDB instances exposed to the internet allow any HTTP client to read, write, and delete databases. The 2018 mass-ransom wave that hit MongoDB and Elasticsearch also swept CouchDB. Even authenticated CouchDB is vulnerable to weak-password attacks because the HTTP API does not rate-limit brute-force attempts by default.

How to lock it down

Bind to `127.0.0.1` or a private network in `local.ini`: `[chttpd] bind_address = 127.0.0.1`. Set strong admin credentials. Use the `[admins]` section in the config or the `_config` API to require authentication on every database. Run TLS in front via a reverse proxy. Use a host firewall to drop public traffic to port 5984.
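The following audit of a `local.ini` body is an added example, not DomainCare's or the CouchDB project's own code; it flags the weak settings described above. The sample configs are constructed, `audit_local_ini` is a hypothetical helper name, and the `require_valid_user` check (in `[chttpd]` or the older `[couch_httpd_auth]`) is an assumption about how "require authentication on every database" is enforced.

```python
import configparser
import ipaddress

# Constructed sample configs (not from the page): one weak, one hardened.
WEAK_INI = """
[chttpd]
bind_address = 0.0.0.0

[admins]
"""

HARDENED_INI = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-CONSTRUCTED_PLACEHOLDER_HASH
"""

def audit_local_ini(text):
    """Return a list of finding strings for a CouchDB local.ini body."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    # CouchDB's shipped default is loopback, so a missing key is not a finding.
    bind = cfg.get("chttpd", "bind_address", fallback="127.0.0.1").strip()
    try:
        addr = ipaddress.ip_address(bind)
        if addr.is_unspecified:
            findings.append("bind_address %s listens on every interface" % bind)
        elif not (addr.is_loopback or addr.is_private):
            findings.append("bind_address %s is a public address" % bind)
    except ValueError:
        findings.append("bind_address %r is not an IP literal; review manually" % bind)
    # No entries under [admins] is the admin-party condition.
    if not cfg.has_section("admins") or not cfg.items("admins"):
        findings.append("[admins] is empty: no admin account (admin party)")
    # Assumption: require_valid_user = true is what rejects anonymous requests.
    rvu = any(cfg.get(s, "require_valid_user", fallback="false").strip().lower() == "true"
              for s in ("chttpd", "couch_httpd_auth"))
    if not rvu:
        findings.append("require_valid_user is not true: anonymous requests accepted")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_local_ini(ini) or "no findings")
```

A clean result covers only the file checked; the reverse proxy and host firewall steps still need their own verification.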

When public exposure is legitimate

The legitimate case is internal-network access from application servers. Public-internet exposure is rarely appropriate; when remote access is needed, terminate TLS and authentication at a reverse proxy that fronts CouchDB.

Other ports DomainCare scans

  • :3306 MySQL: MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
  • :5432 PostgreSQL: PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
  • :6379 Redis: Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
  • :27017 MongoDB: MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class; pre-3.0 builds shipped without authentication enabled.