Risky Open Ports Security Checklist

How to review unexpectedly open ports, separate required public services from risky exposure, and reduce external attack surface.

Problem

Port scanning shows services exposed to the internet that probably should not be public.

Symptoms

  • Admin or database ports are reachable from outside.
  • Services unrelated to public web traffic are directly exposed.
  • The host appears to have a broader attack surface than expected.

Top 3 Causes

  1. Firewall or security group is too open - Inbound rules allow more than the minimum required scope.
  2. Test and production ports are mixed together - Development or admin services remained exposed.
  3. Backend services bypass the intended proxy boundary - Internal-only services are publicly reachable.

Diagnose with DechoNet

  • Port Check to identify which ports are open.
  • HTTP Check and SSL Check to compare exposed ports against the services that are actually meant to be public.

Resolution Checklist

  • Separate required public ports from unnecessary exposure.
  • Restrict admin, database, and internal service ports to allowlisted or private access only.
  • Confirm backend services are not bypassing the intended reverse proxy or ingress layer.
  • Reduce firewall, security group, or hosting panel rules to least privilege.
  • Re-run Port Check and verify the attack surface is smaller.
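
The checklist above can be applied to an export of inbound firewall or security group rules. The following is an added example, not DechoNet's code: the rule dictionary layout, the `INTENDED_PUBLIC` set and the port-to-category grouping are assumptions made for illustration, and the sample rules are constructed.

```python
import ipaddress

# Assumption for this example: only HTTP and HTTPS are meant to be public.
INTENDED_PUBLIC = {80, 443}
# Well-known ports grouped by the categories the checklist names
# (illustrative grouping, not exhaustive).
SENSITIVE = {
    "admin": {22, 3389, 5900},
    "database": {1433, 3306, 5432, 6379, 27017},
    "internal": {8080, 9200, 11211},
}

def is_world_open(cidr):
    """True when the source range covers the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rules(rules, intended_public=INTENDED_PUBLIC):
    """Return findings for inbound rules that expose more than the intended public ports."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue  # allowlisted or private source: not flagged by this check
        lo, hi = rule["from_port"], rule["to_port"]
        ports = range(lo, hi + 1)
        # Sensitive ports that fall inside the rule's port range, per category.
        exposed = {cat: sorted(p for p in known if p in ports)
                   for cat, known in SENSITIVE.items()}
        exposed = {cat: hit for cat, hit in exposed.items() if hit}
        # Ports in the range that are not on the intended-public list.
        extra = (hi - lo + 1) - sum(1 for p in intended_public if p in ports)
        if extra > 0:
            findings.append({"rule": rule["name"], "unintended_ports": extra,
                             "sensitive": exposed})
    return findings

# Constructed sample rules (hypothetical layout; documentation address ranges).
SAMPLE_RULES = [
    {"name": "web", "source": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"name": "ssh-office", "source": "203.0.113.0/24", "from_port": 22, "to_port": 22},
    {"name": "db-legacy", "source": "0.0.0.0/0", "from_port": 3306, "to_port": 3306},
    {"name": "dev-range", "source": "::/0", "from_port": 8000, "to_port": 9300},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Rules that come back as findings are the candidates for restricting to allowlisted or private sources; re-run the audit after each change until only the intended public ports remain world-open.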

When to Escalate

  • Escalate to security or infrastructure owners if multiple production services share the same exposure boundary.
  • Escalate to the platform provider if managed networking exposes ports you cannot directly control.
