How to Secure Open Ports
Best practices to reduce your attack surface and protect exposed services.
Step 1: Identify Your Open Ports
Before you can secure your ports, you need to know which ones are open. Use a port scanner to audit your infrastructure regularly. NetAudit AI's free online port scanner provides a complete list of open ports with AI-powered vulnerability analysis.
Run scans against both internal and external interfaces. What is exposed to the internet is often very different from what runs on your internal network. Prioritize external-facing ports — those are the ones attackers can reach.
Step 2: Close Unnecessary Ports
Every open port is a potential attack vector. The simplest security improvement is to close ports that don't need to be accessible:
- Stop and disable unused services (systemctl disable <service>)
- Use a firewall to block inbound traffic on unnecessary ports
- Segment networks — internal services like databases should never face the public internet
- Review cloud security group rules regularly (AWS, GCP, Azure security groups often accumulate stale rules)
Step 3: Configure Your Firewall
A properly configured firewall is your first line of defense. Follow the principle of least privilege: deny all inbound traffic by default, then explicitly allow only what's necessary.
UFW (Ubuntu / Debian)
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.0.0.0/8 to any port 22 proto tcp   # SSH from trusted IPs only (10.0.0.0/8 stands in for your trusted range)
ufw allow 80,443/tcp                                # Web traffic
ufw enable
iptables (Linux)
iptables -A INPUT -i lo -j ACCEPT                                     # Keep loopback traffic working
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT      # Allow replies to connections we opened
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT           # SSH from the trusted range only
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT       # Web traffic (--dport takes one port; multiport handles a list)
iptables -P INPUT DROP                                                # Set the default policy last so an existing SSH session is not cut off before the accept rules exist
Cloud Firewall (AWS Security Group)
Limit SSH access to your office IP only (e.g. 203.0.113.0/32). Never use 0.0.0.0/0 for management ports.
Step 4: Harden Critical Services
SSH (Port 22)
- Disable root login: PermitRootLogin no
- Use key-based authentication only: PasswordAuthentication no
- Change the default port (optional — reduces log noise)
- Use fail2ban to rate-limit failed login attempts
- Restrict SSH access to specific user accounts
HTTP/HTTPS (Port 80/443)
- Enforce HTTPS — redirect all HTTP traffic to HTTPS
- Set the Strict-Transport-Security header (HSTS)
- Add a Content-Security-Policy header (CSP)
- Disable insecure TLS versions (TLS 1.0, 1.1)
- Use a Web Application Firewall (WAF) for production sites
Databases (Port 3306, 5432, 27017)
- Never expose databases directly to the internet
- Require VPN or SSH tunnel for remote access
- Use strong authentication and encrypted connections
- Bind to localhost or internal IP only (bind 127.0.0.1)
- Enable audit logging for all database access
Step 5: Implement Ongoing Monitoring
Securing ports isn't a set-it-and-forget-it task. Services change, new CVEs are published, and configuration drift creeps in. Build these into your routine:
- Schedule weekly or monthly port scans to detect unauthorized changes
- Set up alerts for new open ports on critical systems
- Review firewall rules quarterly and remove stale entries
- Subscribe to CVE notifications for services you expose
- Use NetAudit AI's quick scan for frequent checks and deep inspection for periodic thorough audits
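The audit in Step 1, the database bind rule in Step 4 and the "alert on new open ports" item in Step 5 can be turned into a repeatable check that compares the sockets a host is actually listening on against an allowlist. The script below is an added example, not NetAudit AI's code; it parses the output of `ss -Hltn` (a constructed sample is embedded so it runs offline) and the allowlist, port numbers and bind addresses in it are assumptions for illustration.

```python
"""Compare listening TCP sockets against an exposure allowlist."""

# Constructed sample of `ss -Hltn` output (no header, TCP listeners only).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:80     0.0.0.0:*
LISTEN 0 511  [::]:443       [::]:*
LISTEN 0 70   0.0.0.0:3306   0.0.0.0:*
LISTEN 0 244  0.0.0.0:5432   0.0.0.0:*
LISTEN 0 128  127.0.0.1:6379 0.0.0.0:*
"""

# Assumed policy: port -> bind addresses allowed for it; "any" means every
# interface. Ports missing from the policy must not be network-reachable.
ALLOWLIST = {
    22: {"any"},                  # SSH (source-restricted by the firewall)
    80: {"any"}, 443: {"any"},    # web traffic
    5432: {"127.0.0.1", "::1"},   # PostgreSQL stays on loopback
}

LOOPBACK = {"127.0.0.1", "::1"}

def parse_ss_line(line):
    """Return (bind_address, port) from one `ss -Hltn` line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    return addr.strip("[]"), int(port)   # ss prints IPv6 as [::]:443

def audit(ss_output, allowlist=ALLOWLIST):
    """Return sorted (port, bind_address, reason) findings for the output."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port = parsed
        permitted = allowlist.get(port)
        if permitted is None:
            # Loopback-only listeners are not reachable from the network.
            if addr not in LOOPBACK:
                findings.append((port, addr, "port not in allowlist"))
        elif "any" not in permitted and addr not in permitted:
            findings.append((port, addr, "bound beyond permitted addresses"))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE_SS):
        print(f"ALERT port {port} on {addr}: {reason}")
```

On a live host, feed it `subprocess.check_output(["ss", "-Hltn"], text=True)` instead of the sample and run it from cron to get the periodic alerting Step 5 describes.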