Open Port Scanner

Check which ports are open and accessible on your network. Open ports can be gateways for attackers if left unmonitored. Before scanning, make sure you have updated your router firmware and changed the default admin password. This scanner checks common service ports against your public IP to identify potential security exposures.

Scan Your Ports

Target IP Address

Port Selection

Custom Ports (comma-separated)

What Is Port Scanning?

Port scanning is the process of probing a server or host for open TCP and UDP ports. Network administrators use port scanning to audit their own networks, verify firewall rules, and identify services that should not be publicly accessible. Every network service (web servers, email, databases, remote desktop) listens on a specific port number, and each open port represents a potential entry point for attackers.

Understanding which ports are open on your network is a fundamental step in securing your home WiFi network. If you have configured port forwarding on your router, those ports become accessible from the internet and should be monitored regularly with tools like this scanner and our Port Checker reference.

Common Ports and Their Risks

Port	Service	Risk Level	Why It Matters
22	SSH	Medium	Remote access; brute-force target if exposed
23	Telnet	Critical	Unencrypted remote access; never expose publicly
80/443	HTTP/HTTPS	Low	Web servers; expected to be open on web hosts
135/445	MSRPC/SMB	Critical	Windows file sharing; major ransomware vector
3306	MySQL	High	Database server; should never face the internet
3389	RDP	High	Remote Desktop; frequent brute-force target
5900	VNC	High	Remote desktop; often poorly secured
6379	Redis	Critical	In-memory database; no authentication by default

Port States Explained

When scanning a port, there are three possible states that tell you different things about the target's security posture:

Open — A service is actively listening and accepting connections. This means traffic can reach the application behind that port. Open ports that are not needed should be closed.
Closed — The port is accessible (not filtered by a firewall) but no service is listening. The host responds with a TCP RST packet. This is generally safe.
Filtered — A firewall or packet filter is preventing the scanner from determining whether the port is open. No response is received. This is the ideal state for ports you want to hide.

Note: Browser-based port scanners have limitations due to CORS and browser security policies. For a comprehensive scan, use command-line tools like Nmap. This tool provides a quick overview but should be supplemented with proper network auditing tools for production environments.

How to Close Open Ports

If the scan reveals open ports you did not expect, take these steps to secure your network. First, identify which service is using the port. Then decide whether that service needs to be publicly accessible. If not, block it at your router's firewall or disable the service entirely.

On most home routers, you can manage open ports through the router admin panel. Check your port forwarding rules and remove any that are no longer needed. If you use UPnP, be aware that applications can automatically open ports without your knowledge. Consider disabling UPnP and manually configuring only the ports you actually need.

# Check listening ports on Linux
sudo ss -tulnp

# Check listening ports on Windows (PowerShell)
Get-NetTCPConnection -State Listen | Format-Table LocalPort, OwningProcess

# Block a port with iptables
sudo iptables -A INPUT -p tcp --dport 3306 -j DROP

Port Scanning from the Command Line

For more advanced scanning, Nmap is the gold standard. It can detect operating systems, service versions, and run vulnerability scripts against discovered services.

# Quick scan of common ports
nmap -F 192.168.1.1

# Scan specific ports
nmap -p 22,80,443,3389 192.168.1.1

# Scan all 65535 ports (slow but thorough)
nmap -p- 192.168.1.1

# Service version detection
nmap -sV -p 22,80,443 192.168.1.1

Pro Tip: Always scan your network from both inside and outside. Internal scans show what services are running, while external scans (like this tool) show what is actually reachable from the internet. A port that is open internally but filtered externally is properly firewalled. Use our Ping Test to verify basic connectivity before running a port scan.

Securing Port Forwarding Rules

If you need certain ports open for gaming, remote access, or hosting services, follow these security practices. Limit forwarding rules to specific IP addresses when possible. Use non-standard ports to reduce automated scanning hits (for example, run SSH on port 2222 instead of 22). Always use strong generated passwords for any service exposed to the internet.

For remote desktop access, consider using a VPN instead of exposing RDP directly. You can set up a VPN on your router and then access RDP through the VPN tunnel, keeping port 3389 completely closed to the internet. This is far more secure than relying on RDP's built-in security. Check the Bandwidth Calculator to ensure your connection can handle the VPN overhead.

Video Tutorial

Key Takeaways

Every open port is a potential entry point — only keep ports open that you actively use
Critical ports like 23 (Telnet), 445 (SMB), and 6379 (Redis) should never be exposed to the internet
Review port forwarding rules regularly and remove unused entries
Use a VPN for remote access instead of exposing RDP or VNC directly
Disable UPnP to prevent applications from opening ports without your knowledge
Scan from both inside and outside your network for a complete security picture

Related Guides

Frequently Asked Questions

Is port scanning legal?

Scanning your own network is legal and recommended as a security practice. Scanning networks you do not own or have authorization to test may violate computer abuse laws depending on your jurisdiction. Always obtain written permission before scanning third-party networks.

What ports should be open on a home network?

Ideally, no ports should be open to the internet on a home network unless you are hosting a specific service. Most home routers block all inbound connections by default through NAT. If you have set up port forwarding, only those specific ports will be accessible.

How do I close an open port?

Remove the port forwarding rule from your router, disable UPnP if it opened the port automatically, or stop the service that is listening on that port. You can also add a firewall rule to explicitly block the port.

What is the difference between TCP and UDP scanning?

TCP scanning checks for services using the connection-oriented TCP protocol. UDP scanning checks for services using the connectionless UDP protocol. UDP scans are slower and less reliable because UDP does not send acknowledgment packets. Most critical services use TCP.

Why does the scan show all ports as filtered?

If all ports show as filtered, your firewall (or your ISP) is dropping all incoming connection attempts without responding. This is actually the most secure configuration, as it makes your network invisible to scanners.

Can I scan ports on someone else's server?

Only with explicit written authorization. Unauthorized port scanning is considered a hostile action by most organizations and may violate laws like the Computer Fraud and Abuse Act (US) or Computer Misuse Act (UK). Stick to scanning your own infrastructure.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.