Skip to content

Open Port Exposure in Runet 2026

Key idea:

The measured data shows the following key findings: for 443/HTTPS, the pass-rate is 98%; for 80/HTTP (often redirect), the pass-rate is 94%; for 22/SSH (open), the pass-rate is 78%; for 25/SMTP, the pass-rate is 12%; and for 9200/Elasticsearch (no auth), the pass-rate is 4.2%. Full tables are below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your host & ports →

Key Findings

MetricPass-rate / ValueMedianp75
443/HTTPS98%
80/HTTP (often redirect)94%
22/SSH (open)78%
25/SMTP12%
9200/Elasticsearch (no auth)4.2%
6379/Redis (no auth)1.8%
27017/MongoDB (no auth)0.7%
3306/MySQL (bound 0.0.0.0)0.4%
8080 / 8443 (internal panels)5.1%
1500 (ISPmanager)3.2%

Breakdown by Platform

PlatformSharePass / Detailavg
REG.RU VPS31% marketrisky ports: 18%
Timeweb VPS14%risky ports: 9%
Selectel7%risky ports: 4%
Yandex Cloud9%risky ports: 2%
Beget5%risky ports: 22% (shared)
Self-hosted (dedicated)12%risky ports: 14%

Why It Matters

  • Elasticsearch without authentication has a very low pass rate, indicating significant exposure to potential vulnerabilities. This situation raises concerns about the security of indices, as the risk of unauthorized access is high.
  • Redis 6379 without requirepass = recruited into botnets for mining via SLAVEOF
  • MongoDB without auth = the primary ransomware target. Attackers drop collections and demand bitcoin
  • ISPmanager :1500 open in 3.2% of cases. Not itself vulnerable, but a brute-force target
  • Best practice: ufw default deny incoming + explicitly allow 22/80/443, everything else via SSH tunnel or VPN

Methodology

Top-10k Russian IPs from reverse-DNS of top-5k domains + hosting ranges of major providers (RU-Center, Selectel, Yandex). Scanned via nmap -p 22,25,80,443,3306,5432,6379,8080,8443,9200,9300,11211,27017,1500,25565,3389 with 3s timeout. "No auth" determined by banner grab — Elasticsearch returns JSON version info without credentials.

TL;DR: Understanding Open Ports in Runet 2026

In 2026, the exposure of open ports in Runet reflects significant cybersecurity risks, with critical services commonly running on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) showing varying levels of vulnerability. Regular scans using tools like Nmap are essential for identifying these open ports, with notable pass rates indicating that a majority of services on ports 443 and 80 remain exposed despite best practices in network security. Organizations must prioritize port management to mitigate risks associated with unauthorized access.

The Importance of Monitoring Open Ports

Open ports serve as gateways for network traffic, allowing services to communicate over the internet. However, each open port can also represent a potential vulnerability, especially if not properly secured. In 2026, the need for rigorous monitoring of open ports in Runet has never been more critical, with cyber threats evolving rapidly. Organizations must implement robust protocols to safeguard against exploitation.

According to recent studies, a significant portion of the servers analyzed in Runet exhibited open ports that were either unnecessary or inadequately protected. For instance, the data shows that 18% of the servers on REG.RU VPS had risky ports, while other platforms like Beget and Self-hosted (dedicated) reported 22% and 14% respectively. This situation underscores the pressing need for comprehensive port management strategies.

Commonly Used Open Ports

Here are some of the most commonly exposed ports and their associated services:

  • Port 22 (SSH): Used for secure shell access, often targeted for brute-force attacks.
  • Port 80 (HTTP): Standard port for web traffic, susceptible to various web-based attacks.
  • Port 443 (HTTPS): Secure web traffic, still vulnerable if SSL/TLS configurations are weak.
  • Port 21 (FTP): Used for file transfers, often exploited if left unsecured.
  • Port 3306 (MySQL): Database access port, frequently targeted by attackers seeking sensitive data.

Practical Example: Scanning for Open Ports

To assess the security of your network, it is essential to perform a port scan. Using the Nmap tool, a widely used network scanning utility, you can identify open ports on your servers. Here’s a basic command:

nmap -p 1-65535 -sV [target_ip]

This command scans all ports (1-65535) on the specified target IP and attempts to detect the version of the services running on those ports.

After running this scan, you might receive output similar to the following:

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4
80/tcp open http Apache 2.4.18 (Ubuntu)
443/tcp open ssl/http Apache 2.4.18 (Ubuntu)

This output indicates that ports 22, 80, and 443 are open and running specific services. Identifying these open ports allows you to take necessary actions, such as securing SSH with stronger authentication methods or ensuring that your web servers are configured with the latest security patches.

Best Practices for Managing Open Ports

To mitigate the risks associated with open ports, consider the following best practices:

  1. Conduct Regular Scans: Regularly scan your network using tools like Nmap or Nessus to identify open ports and services.
  2. Implement Firewalls: Use firewalls to block unnecessary ports and limit access to only those that are required.
  3. Update Software: Ensure all services running on open ports are up-to-date with the latest security patches.
  4. Use Strong Authentication: For ports like 22 (SSH), implement key-based authentication instead of passwords.
  5. Monitor Network Traffic: Utilize intrusion detection systems (IDS) to monitor traffic on open ports for suspicious activity.

By adopting these best practices, organizations can significantly reduce their exposure to cyber threats and enhance their overall security posture regarding open ports.

ICMP PingHost availability and latency
Port ScannerOpen TCP port detection
LatencyResponse time in milliseconds
Packet LossPercentage of dropped packets

Why teams trust us

ICMP+TCP
check protocols
14
key ports scanned
<2s
result
3
regions

How it works

1

Enter IP or domain

2

ICMP packets sent

3

Latency & packet loss shown

How Do Ping and Port Scanning Work?

Ping sends ICMP packets to a host and measures response time. Port scanning checks which TCP ports are open and accepting connections — helping diagnose serviceavailability issues.

Configurable Ping

Choose packet count (3, 4, 6, 10). Stats: min/avg/max latency and packet loss.

Common Port Scanner

Check 14 key ports: HTTP, HTTPS, SSH, FTP, SMTP, MySQL, PostgreSQL, and more.

Cloud-Based Check

Testing from our server — see site availability from outside, not just your local network.

Uptime Monitoring

Need constant monitoring? Create a monitor — checks every minute with notifications.

Who uses this

DevOps

availability diagnosis

Network engineers

TCP port scanning

Developers

connection debugging

SRE

basic health check

Common Mistakes

ICMP blocked = server is downMany servers block ICMP. Ping fails but site works — check ports instead.
High ping = server problemLatency depends on geography. 150ms between continents is normal, not an error.
Closed ports — cause for alarmClosed ports of unused services are good. Unnecessary open ports are a risk.
One check = sufficientNetworks are unstable. A single timeout ≠ a problem. Check multiple times or set up monitoring.

Best Practices

Combine ping and port checksPing shows host availability, ports show specific service availability. Use both.
Check from different locationsThe problem may be local. A cloud test shows the real picture.
Close unused portsEvery open port is a potential attack vector. Keep only necessary ports open.
Set up monitoringManual checks do not scale. Set up automated monitoring with notifications.

Get more with a free account

Ping check history, host availability monitoring and downtime alerts.

Sign up free

Learn more

Frequently Asked Questions

What if my server is in the "no auth" list?

1) Immediately bind service to 127.0.0.1 (or VPC internal IP), 2) firewall drop port, 3) add auth, 4) audit access log for predators. In exactly that order.

Why does Beget hit "22% risky"?

Shared hosting: one IP serves 100+ clients. If one client has a misconfigured Redis — the whole IP registers as "risky" in our metrics.

How do I quickly check my ports?

<a href="/en/ping">Enterno Ping + Port Checker</a> — enter your domain, see which ports are reachable from the internet. Or: <code>nmap -sT yourdomain.com</code>.

Which ports are safe to open at all?

Only what your app needs: 443 (web), 22 (SSH, mandatory key-auth, no password), optionally 80 (redirect). DB/cache/queue — always bind 127.0.0.1 or private network.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.