What is an open port and why is it a problem? Find out about port scanners and protect your system from attack.
“Port” is a confusing term in IT. It means a connection socket on a switch but it can also be a logical address on a computer. Port scanners refer to that second type of port – daemons running on a computer that are identified by numbers.
Here is our list of the ten best online port scanners:
- Site24x7 Port Test Tool: A free online port scanner from a leading producer of SaaS-based IT system monitoring tools.
- Geekflare TCP Open Port Scanner: A free service that is driven by Nmap and is designed to check on ports for a website, given a URL.
- Pentest-Tools TCP Port Scanner with NMAP: A free port scanner that delivers the results as a downloadable PDF.
- Spyce Advanced Port Scanner: This free online port scanner offers a range of extra reports, such as SSL certificate checks.
- T1 Shopper Online Port Scan: A comprehensive free system scan that can scan up to 500 ports at a time and includes extra connection checks.
- Web Tool Hub Open Port Scanner: A free online service that can scan a maximum of 10 ports at a time.
- IP Fingerprints Network Port Checker: A straightforward, free port checker that will easily scan up to 500 ports for a given IP address.
- What is my IP Port Scanner: This free tool scans one port at a time for a given IP address or URL.
- DNS Tools Port Scanner: Gives a fast, free scan of well-known ports for an IP address or URL.
- Web Port Scanner: A competent free port scanner that looks at a limited number of well-known ports.
A deeper understanding of ports
Communications require one device to send a message and another device to receive it. Not only does the receiving computer need to read in the bits of a packet, it needs to know what to do with them. This process is fulfilled by letting computer programs read in their data themselves from the network interface.
Port numbers pre-date the internet. They were invented for ARPANET, the forerunner of the Internet. The port number was originally called a “socket number.” However, now we know sockets as session IDs that connect data arriving at a port to a specific process running on the receiving computer.
The full socket number was 40 bits long and was more like an IP address. The last eight bits of this binary number were identified as a separate entity that signified a process rather than a device. This was termed “another eight-bit number,” which was abbreviated to AEN. Effectively, the AEN is what we now call port numbers. A definitive list of AENs was compiled in 1972. Over the years, this list has been renamed to Port Numbers and is now managed by the Internet Assigned Numbers Authority (IANA).
You can see the current definitive list of port numbers on the IANA website.
How ports operate
To speed up the movement of data and instructions from device to device, the ARPANET team came up with an address structure that not only assigns packets to a device, but also to a process. That structure survives today because the port number is frequently attached to an IP address.
To conceptualize port numbers, think of a computer as an apartment building. Down in the lobby, an array of postboxes, labeled with apartment numbers, allows each resident to get personal post. When the mailman arrives, the concierge sorts the letters and puts them into the relevant postboxes. During the day, all residents will visit their postboxes and collect their mail.
Computers don’t hang around waiting for deliveries that take a long time to complete. So, in the world of network ports, all of the residents are constantly down in the lobby waiting for the mailman. The mailman comes in through the service entrance and the concierge is able to fill the mailboxes from the back. Thus, the residents don’t know when the mail is in.
The residents are jumpy, nervous, and full of energy, so they can’t sit still waiting to see whether there is mail. They open the mailbox for their apartment, check for mail, run around in a little circle and then check the mailbox again – over and over again. This apartment building gets lots of deliveries, not just a once-a-day maildrop. So, even when a resident finally gets some mail, after working through it, he goes back to repeatedly checking the mailbox.
Not every apartment is occupied. In those cases, the mailboxes quickly fill up with junk mail and post for long-gone residents who will never collect. The concierge decides to keep a list of unoccupied apartment numbers and won’t put anything in those mailboxes. This makes the concierge’s job easier because there is now a smaller number of mailboxes that need to be filled.
Inside a computer, those nervous residents are programs that keep looping around, checking for a notification that has their ID number on it. That ID number is their port number. A constantly looping background process is called a daemon. Usually, these daemons get started up when the computer boots up or they might have to be started manually.
The list of apartments that the concierge will post mail for are open ports. Those apartments that are not occupied and do not receive mail are closed ports. An open port signifies that there is an active daemon operating for that number. So, any message sent to that port will be processed.
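The link between a running daemon and an open port can be seen on a single machine. The following is an added example, not part of the original article: it starts a stand-in listener on the loopback address, checks the port, stops the listener, and checks again. The function names are made up for this illustration.

```python
import errno
import socket

def start_daemon():
    """Stand-in for a daemon: listen on a free loopback port chosen by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 asks the OS for any free port
    srv.listen(1)
    return srv, srv.getsockname()[1]

def probe(port, timeout=1.0):
    """Classify a local TCP port by attempting one connection to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex(("127.0.0.1", port))
    if rc == 0:
        return "open"            # a listener completed the handshake
    if rc == errno.ECONNREFUSED:
        return "closed"          # nothing listening: the OS refused
    return "no answer"           # e.g. timed out or dropped on the way

def demo():
    """Probe the same port while the listener runs and after it stops."""
    srv, port = start_daemon()
    while_running = probe(port)
    srv.close()                  # the daemon stops, and the port closes with it
    after_stop = probe(port)
    return while_running, after_stop

if __name__ == "__main__":
    print(demo())
```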
The problem with open ports
An open port is a security risk. The startup process of a computer will launch many daemons. Some of those daemons will be for old software that isn’t really used anymore. However, the package was never removed, or, if it was, the uninstaller failed to remove the related daemon. This situation leaves a lot of rogue processes swirling around the CPU. That is an inefficient use of processing power for one thing, and it also leaves a neglected entry point available for hackers.
Do you know what ports are open on your server? No one does unless they think to check. Manually checking all ports is a difficult and time-consuming task.
Online port scanners
Generally speaking, an open port on a computer is not a big security risk if that computer cannot be reached directly from outside the network. Given that you probably have a firewall, an IDS, and possibly other security software, such as EDR, you only need to worry about ports that hackers can get to. Cloud-based port scanners are excellent tools for the job of checking for open ports. They get the same view of your infrastructure as hackers. So, port scanners are pen-testing tools and best implemented from a remote location.
Another advantage of online port scanners is that they are easy to use and are sometimes free. You don’t need to check ports constantly. Occasional, on-demand port scans are good enough because, presumably, once you get that list, you will close down unwanted daemons, thus closing unused ports.
It isn’t necessarily a bad thing to have a lot of ports open on a computer. However, you do need to know what ports are open and you need to ensure that only useful services are able to receive data. Malware might have installed itself on your computer and set up its own daemon, thus opening a port by itself. You need to know about that and do something about it.
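A local inventory complements the outside view that an online scanner gives. The following added example, not part of the original article, parses the output of `ss -H -tlnp` (listening TCP sockets on Linux) and reports listeners that are bound to a non-loopback address but are not on an allowlist. The sample output is constructed and the allowlist is a hypothetical policy for one host.

```python
import re

# Constructed sample of `ss -H -tlnp` output (listening TCP sockets, numeric).
SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:22          0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 511    127.0.0.1:6379      0.0.0.0:*  users:(("redis-server",pid=901,fd=6))
LISTEN 0 4096   127.0.0.53%lo:53    0.0.0.0:*  users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 5      0.0.0.0:2323        0.0.0.0:*  users:(("telnetd",pid=1200,fd=3))
LISTEN 0 128    [::]:22             [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0 511    *:8080              *:*
"""

# Hypothetical allowlist: ports this host is supposed to expose to the network.
EXPECTED_EXPOSED = {22}

LOOPBACK = re.compile(r"^(127\.|::1$)")

def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
        # The process column is absent when ss runs without enough privilege.
        m = re.search(r'\(\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        yield addr, int(port), m.group(1) if m else "unknown"

def audit(ss_output, expected=EXPECTED_EXPOSED):
    """Return sorted (port, process) pairs bound off-loopback but not allowlisted."""
    findings = set()
    for addr, port, proc in parse_listeners(ss_output):
        if LOOPBACK.match(addr):
            continue            # loopback only: not reachable from other hosts
        if port not in expected:
            findings.add((port, proc))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc in audit(SAMPLE_SS):
        print(f"unexpected exposed listener: tcp/{port} ({proc})")
```

A listener flagged here may still be blocked by a firewall in front of the host, which is the part an external scan confirms.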
The best online port scanners
In this era of cloud services you don’t just have a fleet of onsite endpoints to worry about – you’ve got virtual services and cloud servers to check as well. Fortunately, online port scanners are location-neutral: they can check any system, whether it is on your site or in the cloud.
You can read more about each of these tools in the following sections.
1. Site24x7 Port Test Tool
Site24x7 offers a range of system monitoring and management tools that are charged for by subscription. However, its port checker is free and doesn’t require any registration. The port checker is also a website availability monitor and it can check a website from 60 locations around the world.
One problem with this website-based port checker is that it only checks one port at a time. However, sign up for a free account and you get much more functionality. That service will check a range of ports and can be run continuously. There are many other system checks available with a free account.
Site24x7 Port Test Tool is our top pick for an online port checker because it gives the user plenty of options. You can access the port checking website and run an instant check or quickly set up a free account and set up a continuous check on a range of ports. The port checker focuses on websites and is also an availability monitor. The account option gets you up to five monitoring services and you can choose from a long list of professionally delivered monitoring tools.
2. Geekflare TCP Open Port Scanner
This free online service is a web-based implementation of Nmap. The service lets anyone check all of the ports on a given IP address or URL. The results screen only lists those ports that are open and displays the associated service for each.
The site includes other useful free tools including Ping, Traceroute, an SSL certificate checker, and a DNS checker. You don’t need to set up an account to use any of these services.
3. Pentest-Tools TCP Port Scanner with NMAP
Just like Geekflare, Pentest-Tools has installed Nmap on a server and put a web page interface in front of it. Anyone can run a port scan on any URL or IP address with this tool. The service offers a free, anonymous scanning service and a more comprehensive scan for those who set up paid accounts.
The free scan checks the top 100 TCP ports and the full scan allows complete scans of all possible port numbers. The canned reports appear quickly on the screen and you can download the page as a PDF.
Pentest-Tools offers an armory of system testing and monitoring tools. It offers packages of subscription plans and gives you a full refund if you cancel within 10 days.
4. Spyce Advanced Port Scanner
Spyce offers a number of security testing services on its sophisticated website. The user can choose to enter an IP address or a URL to get the free port scan started. The results appear very quickly. On the left side of the results page, users will find a menu of other statistical categories, such as Security Score, SSL Certificate Check, and service details per open port.
Spyce offers its free port scanning service as a taster for its subscription services. The company offers three paid plans with different bundles of domain protection and connection monitoring services. The Standard plan is available on a 5-day free trial.
5. T1 Shopper Online Port Scan
This fantastic free tool will scan ranges of ports for a given IP address or URL. The interface is very straightforward and includes checkboxes to select the most significant ports rather than typing them in. Port number range scans can work through up to 500 port numbers at a time. Other free tools on the site include Ping, traceroute, and domain lookup.
6. Web Tool Hub Open Port Scanner
Web Tool Hub’s Open Port Scanner checks up to 10 TCP port numbers at a time on a given IP address or URL. The user can enter port numbers as a series or as a range. Web Tool Hub offers a very long list of other free tools for connection and security tests. Paid accounts get the test count limit removed. It is also possible for subscribers to integrate these tools into their own websites.
7. IP Fingerprints Network Port Checker
The free service offered by IP Fingerprints has no limit to the number of ports that it will check. However, it can take a very long time to complete its scan if it is tasked with checking more than 500 port numbers at a time.
The interface has an IP address field and from and to fields for a port number range. The user has the choice of running a port scan for open ports and an advanced scan which can test a long list of conditions. The advanced test offers a UDP scan, which is rare – most free online port scanning tools only check the TCP ports. Users can also perform a Ping test. Other port testing strategies aim to get through blocking firewalls.
8. What is my IP Port Scanner
The main tool on the What is my IP website is an IP address detector. There are many other free tools on the site, including a port scanner. The port scanner will operate on a given IP address or URL. Users can check one specific port, or a bundle of ports that relate to specific activities, such as games or Web applications.
Paying subscribers receive more functions, including the ability to enter a range of port numbers to check and schedule scans that can be run repeatedly as an availability monitor. Paid accounts are available in two levels: Silver and Gold. It is also possible to create a free account, called the Bronze plan, or just use the port scanner as a guest without logging in.
9. DNS Tools Port Scanner
This free port scanning service is launched from a website that offers a range of free connection testing services. The scan will look at a limited list of TCP port numbers that represent important protocols, such as SSH, SMTP, and LDAP. Other tools on the site include Ping, Traceroute, and DNS checks.
10. Web Port Scanner
This is a nicely presented free online port scanner that checks a limited number of ports for a given IP address or URL. The ports that get tested are 17 significant TCP ports used by important protocols, such as SQL Server, FTP, and IMAP. The well-planned interface offers users a scan, a Ping test, a Traceroute, a DNS lookup, and a reverse DNS lookup service.