Open Port Exposure in Runet 2026
Enterno.io scanned top-10k Russian IPs (hosting space + domain A-records) across 22 common ports (March 2026). Expected (80, 443, 22, 25) — yes. Surprising: 4.2% of servers have Elasticsearch 9200 open without auth, 1.8% have Redis 6379, 0.7% MongoDB 27017. Each one = a potential data breach.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Key Findings
| Metric | Pass-rate / Value | Median | p75 |
|---|---|---|---|
| 443/HTTPS | 98% | — | — |
| 80/HTTP (often redirect) | 94% | — | — |
| 22/SSH (open) | 78% | — | — |
| 25/SMTP | 12% | — | — |
| 9200/Elasticsearch (no auth) | 4.2% | — | — |
| 6379/Redis (no auth) | 1.8% | — | — |
| 27017/MongoDB (no auth) | 0.7% | — | — |
| 3306/MySQL (bound 0.0.0.0) | 0.4% | — | — |
| 8080 / 8443 (internal panels) | 5.1% | — | — |
| 1500 (ISPmanager) | 3.2% | — | — |
Breakdown by Platform
| Platform | Share | Pass / Detail | avg |
|---|---|---|---|
| REG.RU VPS | 31% market | risky ports: 18% | — |
| Timeweb VPS | 14% | risky ports: 9% | — |
| Selectel | 7% | risky ports: 4% | — |
| Yandex Cloud | 9% | risky ports: 2% | — |
| Beget | 5% | risky ports: 22% (shared) | — |
| Self-hosted (dedicated) | 12% | risky ports: 14% | — |
Why It Matters
- Elasticsearch without auth = world-readable indices. CVE-2023-46673 allows RCE via public API
- Redis 6379 without requirepass = recruited into botnets for mining via SLAVEOF
- MongoDB without auth = the primary ransomware target. Attackers drop collections and demand bitcoin
- ISPmanager :1500 open in 3.2% of cases. Not itself vulnerable, but a brute-force target
- Best practice:
ufw default deny incoming+ explicitly allow 22/80/443, everything else via SSH tunnel or VPN
Methodology
Top-10k Russian IPs from reverse-DNS of top-5k domains + hosting ranges of major providers (RU-Center, Selectel, Yandex). Scanned via nmap -p 22,25,80,443,3306,5432,6379,8080,8443,9200,9300,11211,27017,1500,25565,3389 with 3s timeout. "No auth" determined by banner grab — Elasticsearch returns JSON version info without credentials.
Why teams trust us
How it works
Enter IP or domain
ICMP packets sent
Latency & packet loss shown
How Do Ping and Port Scanning Work?
Ping sends ICMP packets to a host and measures response time. Port scanning checks which TCP ports are open and accepting connections — helping diagnose serviceavailability issues.
Configurable Ping
Choose packet count (3, 4, 6, 10). Stats: min/avg/max latency and packet loss.
Common Port Scanner
Check 14 key ports: HTTP, HTTPS, SSH, FTP, SMTP, MySQL, PostgreSQL, and more.
Cloud-Based Check
Testing from our server — see site availability from outside, not just your local network.
Uptime Monitoring
Need constant monitoring? Create a monitor — checks every minute with notifications.
Who uses this
DevOps
availability diagnosis
Network engineers
TCP port scanning
Developers
connection debugging
SRE
basic health check
Common Mistakes
Best Practices
Get more with a free account
Ping check history, host availability monitoring and downtime alerts.
Sign up freeLearn more
Frequently Asked Questions
What if my server is in the "no auth" list?
1) Immediately bind service to 127.0.0.1 (or VPC internal IP), 2) firewall drop port, 3) add auth, 4) audit access log for predators. In exactly that order.
Why does Beget hit "22% risky"?
Shared hosting: one IP serves 100+ clients. If one client has a misconfigured Redis — the whole IP registers as "risky" in our metrics.
How do I quickly check my ports?
<a href="/en/ping">Enterno Ping + Port Checker</a> — enter your domain, see which ports are reachable from the internet. Or: <code>nmap -sT yourdomain.com</code>.
Which ports are safe to open at all?
Only what your app needs: 443 (web), 22 (SSH, mandatory key-auth, no password), optionally 80 (redirect). DB/cache/queue — always bind 127.0.0.1 or private network.