Port Scanning: What It Is and When to Use It
Port scanning reveals which services are publicly exposed on a domain's server. Certain open ports are expected — others are serious security risks.
Port Scanning: What It Is and When to Use It
A port scan checks which TCP ports are open on the IP address(es) associated with a domain. Each open port represents a service listening for connections. Knowing what's exposed is fundamental to understanding a server's attack surface.
Credit Cost
A port scan costs 600 credits.
What Gets Scanned
ElasticDomain scans common TCP ports using parallel connections with a 3-second timeout per port. It also performs banner grabbing — reading the first response from open ports to identify the service and version running.
Common Ports and What They Mean
| Port | Service | Notes |
|---|---|---|
| 22 | SSH | Remote shell access — should be restricted, not open to all |
| 25 | SMTP | Email sending — if open, server may be used for spam |
| 80 | HTTP | Normal for web servers |
| 443 | HTTPS | Normal for web servers |
| 3306 | MySQL | Database — should NEVER be publicly exposed |
| 5432 | PostgreSQL | Database — should NEVER be publicly exposed |
| 6379 | Redis | Cache/queue — should NEVER be publicly exposed |
| 27017 | MongoDB | Database — should NEVER be publicly exposed |
| 8080/8443 | Alternative HTTP/HTTPS | Development or proxy ports — review if unexpected |
| 21 | FTP | File transfer — unencrypted, use SFTP instead |
| 23 | Telnet | Deprecated, unencrypted — should be closed |
| 3389 | RDP | Windows Remote Desktop — high-value attack target |
Interpreting Results
Expected Ports
A typical production web server should have only 80 and 443 open publicly. Anything else warrants investigation.
High-Risk Findings
Database ports (3306, 5432, 6379, 27017) open to the internet — This is a critical finding. Publicly exposed databases are a leading cause of data breaches. These should be immediately firewalled.
SSH (22) with no banner or weak SSH version — Consider moving SSH to a non-standard port or restricting access to known IP ranges.
FTP (21) — Unencrypted file transfer. If file transfer is needed, use SFTP (port 22) instead.
Telnet (23) — Completely deprecated. Close immediately.
When to Run a Port Scan
- When adding a new domain — run once to establish a baseline of what's exposed
- After a server migration — verify that only expected ports are open on the new server
- Security audit — periodically scan production domains to catch firewall misconfigurations
- Investigating a compromised server — unexpected open ports may indicate backdoors
Setting Up Port Change Alerts
Port scan results are stored per scan. To detect when new ports open unexpectedly:
- Domain detail → Alerts → Create Alert Rule
- Trigger: Security Threat
- This will fire if a subsequent scan detects a significant change in open services.
Port Scanning vs Security Scan
| Scan Type | Cost | What It Checks |
|---|---|---|
| Security Scan | 2 credits | HTTP security headers, blacklist status |
| Port Scan | 600 credits | TCP port exposure, service banners |
For most monitoring workflows, the 2-credit security scan is sufficient for regular checks. Run port scans selectively — when adding a domain for the first time, after server changes, or as part of a periodic security review.