Open Database Ports

High severity

What is this?

Database services like MySQL (port 3306), PostgreSQL (5432), MongoDB (27017), and Redis (6379) are designed for internal network access only. When these ports are reachable from the public internet, anyone can attempt to connect to your database directly - bypassing your application entirely.

Why it happens

Most database services ship with default configurations that bind to all network interfaces (0.0.0.0) rather than localhost only. Cloud providers default to permissive security groups that allow all inbound traffic. Developers open ports temporarily for debugging or remote access and forget to close them. Docker containers can also expose database ports to the host network unintentionally.

What's at risk

MongoDB has no authentication enabled by default - anyone who can reach port 27017 can read and write your entire database. Redis can be exploited for remote code execution through its SLAVEOF and CONFIG commands. MySQL and PostgreSQL are vulnerable to brute force attacks, and weak or default passwords are tried within minutes by automated scanners that continuously sweep the internet. Elasticsearch (9200) exposes all indexed data through its REST API with no auth required.

How to check

Scan your server with nmap from an external machine:

nmap -p 3306,5432,27017,6379,9200,5984 yourserver.com

If any ports show as "open," those services are reachable from the internet and should be closed immediately.

How to fix

Close database ports at the firewall level and bind services to localhost only.

UFW (Ubuntu firewall):

sudo ufw deny 3306/tcp
sudo ufw deny 5432/tcp
sudo ufw deny 27017/tcp
sudo ufw deny 6379/tcp

MySQL - bind to localhost:

# /etc/mysql/mysql.conf.d/mysqld.cnf
bind-address = 127.0.0.1

If you need remote database access, use SSH tunneling instead of exposing the port directly. For cloud deployments, restrict security groups to allow database access only from your application server's private IP.
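The nmap scan above tests reachability from the outside; the complementary inside check is whether each database service is bound to a wildcard address (0.0.0.0, :: or *) or only to localhost. This is an added example, not Preflyt's own code: it parses the output of `ss -ltn` (from iproute2) and flags database listeners that are not bound to the loopback address. The sample `ss` output is constructed for the demonstration; the port-to-service map covers the ports named on this page.

```python
import subprocess

# Database ports listed on this page, mapped to their service for reporting.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB",
                  6379: "Redis", 9200: "Elasticsearch", 5984: "CouchDB"}

# Addresses that mean "every interface": a listener here is reachable from
# any network the host is attached to, not only from localhost.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -ltn` output: MySQL, MongoDB and Elasticsearch
# are loopback-only, PostgreSQL and Redis listen on every interface.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       151     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       244     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       244     [::]:5432            [::]:*
LISTEN  0       511     *:6379               *:*
LISTEN  0       4096    127.0.0.1:27017      0.0.0.0:*
LISTEN  0       4096    [::1]:9200           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

def parse_ss_listeners(ss_output):
    """Parse `ss -ltn` output into a list of (local_address, port) tuples.

    The local address is printed as ADDR:PORT; IPv6 addresses are bracketed
    (e.g. [::]:5432), so split on the last colon and strip the brackets."""
    listeners = []
    for line in ss_output.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners

def exposed_database_ports(ss_output):
    """Return {port: service} for database listeners bound to a wildcard address."""
    return {port: DATABASE_PORTS[port]
            for addr, port in parse_ss_listeners(ss_output)
            if port in DATABASE_PORTS and addr in WILDCARD_ADDRS}

def live_exposed_database_ports():
    """Run `ss -ltn` on this host and report its wildcard-bound database listeners."""
    result = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return exposed_database_ports(result.stdout)

if __name__ == "__main__":
    for port, service in sorted(live_exposed_database_ports().items()):
        print(f"{service} on port {port} is bound to all interfaces; bind it to 127.0.0.1")
```

A wildcard-bound service is only safe behind a firewall rule such as the UFW denies above; fixing the bind address removes the dependency on that single layer.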

How Preflyt detects it

Preflyt attempts TCP connections to 18 commonly exposed ports including database services, development servers, and admin tools. It detects CDN providers like Vercel, Cloudflare, Netlify, CloudFront, and GitHub Pages to avoid false positives from proxy infrastructure that may listen on these ports.

Frequently asked questions

Is MongoDB safe without authentication?

No. MongoDB ships with authentication disabled by default. If port 27017 is reachable from the internet, anyone can connect and read, modify, or delete your entire database without credentials. Always enable authentication and bind to localhost.

How do I check if my database port is open?

Run nmap -p 3306,5432,27017,6379 yourserver.com from an external machine. If any port shows as "open," that service is reachable from the internet.

Should I use a VPN instead of closing ports?

A VPN adds a layer of protection, but the safest approach is defense in depth: close the port at the firewall, bind the service to localhost, and use SSH tunneling or a VPN for remote access. Never rely on a single layer.
