Article Summary: This article explains how TCP port scanning works, why external port scanning provides a more accurate security picture than local tools, and how to interpret open versus closed results. It includes a reference table of common ports, explains TCP vs UDP scanning differences, and covers when port scanning is most useful for system administrators and security teams.
What Is a Port Scanner?
A port scanner is a tool that probes a network host to discover which TCP or UDP ports are open and listening for connections. Every networked service — web servers, databases, email servers, remote access tools — binds to one or more ports to receive incoming connections. By systematically attempting to connect to a range of ports, a port scanner builds a map of what services are publicly exposed on a given host.
Port scanning is a fundamental technique in both network administration and security auditing. System administrators use it to verify that only intended services are exposed. Security professionals use it to identify attack surface — any open port that should be closed represents a potential entry point for an adversary. Tools like Nmap are the industry standard for advanced port scanning; our online tool provides quick, external TCP connect scanning of the most commonly used ports without requiring any software installation.
Importantly, our scanner operates from an external server on the public internet. This means results reflect what an outside party actually sees — accounting for firewalls, NAT, and cloud security groups — rather than what is visible from inside your own network.
How It Works
TCP Connect Scanning
Our port scanner uses the TCP connect method, also called a full-open scan. For each port being tested, the scanner initiates a complete TCP three-way handshake: it sends a SYN packet, waits for a response, and evaluates the result:
- If the target replies with SYN-ACK, the port is open — a service is listening and accepted the connection attempt. The scanner immediately sends RST to close the connection.
- If the target replies with RST (reset), the port is closed — no service is listening on that port.
- If there is no response or the connection is dropped by a firewall, the port is filtered — a network device is blocking access to that port.
TCP connect is the most reliable scanning method because it uses the standard socket API and does not require root/administrator privileges. The trade-off is that it is more visible to intrusion detection systems than a stealthier SYN-only scan.
Interpreting Results
An open port means a service is actively listening and reachable from the internet. A closed port means the host responded but no service is bound to that port. Filtered ports (shown as no response / timeout) indicate a firewall or packet filter is silently dropping the connection attempt. From a security standpoint, filtered is preferable to closed for sensitive ports — it makes it harder for attackers to enumerate your service landscape.
TCP vs UDP Port Scanning
This tool scans TCP ports exclusively, which covers the vast majority of internet-facing services. TCP is a connection-oriented protocol that produces clear open/closed signals through the handshake process, making TCP scanning fast and reliable.
UDP scanning is fundamentally different and significantly more difficult. UDP is connectionless — there is no handshake. A UDP scanner sends a packet to a port; if the port is closed, the host may respond with an ICMP "Port Unreachable" message. If the port is open, the service may or may not send any response depending on the protocol. UDP scans are therefore slow (requiring timeouts rather than handshakes), unreliable, and prone to false positives. Tools like Nmap support UDP scanning but it requires root privileges and considerable time. For most security audit purposes, TCP scanning covers the most critical attack surface.
Port Scan vs Firewall Audit
Running a port scan from an external vantage point is one of the most direct ways to audit your firewall rules and cloud security group configurations. Many organizations discover — via an external scan — that ports they believed were blocked are in fact reachable from the internet due to misconfigured rules, legacy entries, or cloud infrastructure changes.
Key security principles for port exposure:
- Database ports (3306 MySQL, 5432 PostgreSQL, 27017 MongoDB) should never be open to the public internet. Use VPNs, bastion hosts, or private network peering instead.
- RDP (3389) exposed to the internet is a major risk — it is one of the most frequently brute-forced services on the internet. Restrict to specific IPs or use a VPN gateway.
- SSH (22) exposed to the public is common but should be hardened with key-based authentication, fail2ban, and ideally restricted to known IPs.
- Port 25 (SMTP) open on a non-mail server can indicate a misconfiguration that may be exploited for spam relay.
Common Use Cases
Security Posture Review
Before deploying a server to production, run an external port scan to confirm that only the intended services are accessible. This catches common mistakes such as leaving a database management port open, forgetting to disable a development server, or misconfiguring a cloud security group.
Service Discovery
When investigating an unknown host or verifying a server configuration, port scanning provides a rapid service discovery overview. Knowing that port 443 is open but port 80 is closed, for example, tells you the server is configured for HTTPS-only access.
Firewall Rule Verification
After updating firewall rules or cloud security group settings, an external port scan immediately confirms whether the changes took effect and whether any unintended ports became accessible as a side effect.
Technical Reference
| Port | Protocol | Service | Security Note |
|---|---|---|---|
| 21 | TCP | FTP | Transfers credentials in plaintext; replace with SFTP (port 22) |
| 22 | TCP | SSH | Restrict to known IPs; enforce key-based auth; disable root login |
| 25 | TCP | SMTP | Should only be open on dedicated mail servers |
| 53 | TCP/UDP | DNS | Open only on authoritative/recursive DNS servers; restrict recursion |
| 80 | TCP | HTTP | Acceptable if used for HTTPS redirect; avoid serving content over HTTP |
| 443 | TCP | HTTPS | Standard; ensure valid TLS certificate and modern cipher suites |
| 3306 | TCP | MySQL | Must not be publicly accessible; use VPN or SSH tunnel |
| 3389 | TCP | RDP | High-risk if public; restrict to specific IPs or use VPN gateway |
| 5432 | TCP | PostgreSQL | Must not be publicly accessible; bind to localhost or VPN only |
| 8080 | TCP | HTTP-Alt | Often used for dev servers or proxies; close if not intentional |
| 27017 | TCP | MongoDB | Historically exposed publicly by default; must be firewalled |
Frequently Asked Questions
Is port scanning legal?
Port scanning your own servers and infrastructure is entirely legal and is a standard security practice. Scanning third-party servers without explicit permission may violate computer misuse laws in many jurisdictions — including the Computer Fraud and Abuse Act (CFAA) in the United States and similar legislation elsewhere. Always ensure you have authorization before scanning any host you do not own or administer. Our tool is intended for scanning your own servers, domains, and IP addresses.
Why does my server show port 22 open even with a firewall?
A firewall only blocks traffic if the rule explicitly covers the source IP and port combination. If your firewall rule allows SSH from "any" source, port 22 will appear open in an external scan even though a firewall is present. Review your firewall rules to restrict SSH access to specific trusted IP addresses or ranges rather than allowing it from the entire internet.
What does "filtered" mean in port scanning?
A filtered port is one where the connection attempt receives no response — the firewall or packet filter silently drops the packet rather than sending an RST. From a security standpoint, filtered is better than closed because it does not confirm to an attacker that the host exists and is listening. However, filtered ports can also result from network congestion or timeouts unrelated to security policy.
Can I scan all 65535 ports?
TCP supports ports 1 through 65535. Our tool scans the most commonly used ports — covering the services that represent the vast majority of real-world attack surface. Full-range scanning of all 65,535 ports is possible with tools like Nmap using the -p- flag, but takes considerably longer. For most security audits, scanning the top 1,000 ports provides sufficient coverage. If you need to verify a specific non-standard port, Nmap run locally against your own servers is the appropriate tool.
Why is port scanning useful for system administrators?
System administrators use port scanning to verify that server configurations match intended security policy, confirm that firewall rule changes took effect, discover services that were inadvertently left running, identify rogue or unauthorized services on a network, and produce evidence for security compliance audits. Running a periodic external port scan on your public-facing infrastructure is a simple, low-cost security control that catches a surprising number of misconfigurations.
Conclusion and Takeaways
The Port Scanner tool gives you an immediate, external view of which TCP services on your host are publicly accessible from the internet. Unlike scanning from within your own network — which bypasses firewalls and NAT — an external scan reflects exactly what an adversary would see. Use it to verify security group rules, confirm service deployments, and catch accidental exposure before attackers do. Pay particular attention to database ports (3306, 5432, 27017) and remote access ports (22, 3389) — these should never be open to the public internet without strict access controls.
Ready to Test?
Use the Port Scanner above — no login required, instant results.