UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

Open Port Checker

Run a single TCP connect-test from our backend to confirm whether one port on a public host is open, closed, or filtered. Common-port presets included.

About Open Port Checker

The Open Port Checker runs a single TCP connect-test from the UtilityKit backend to a host and port you specify, and reports whether the connection succeeds (OPEN), is rejected (CLOSED), or times out (filtered). It's intentionally not a port scanner — only one port at a time, with strict rate-limiting to deter sweep attempts. Common ports come preloaded as a dropdown so you don't have to remember that 22 is SSH, 587 is SMTP submission, 6379 is Redis, or 3306 is MySQL. Use this when a deployment finishes and you want a third-party perspective on whether your firewall is forwarding traffic correctly, when you suspect ISP-level blocking of port 25, or when a customer reports they can't reach your service. The tool resolves the host through the SSRF-safe backend resolver, blocks private and reserved IPs, and times out cleanly at 5 seconds.

Why use Open Port Checker

  • Single TCP connect from a public-internet vantage point — sees what your customers see.
  • Common-port dropdown saves you from looking up port-to-service mappings.
  • Distinguishes ECONNREFUSED (closed by RST) from ETIMEDOUT (filtered/dropped).
  • 5-second strict timeout prevents long-hanging tests during outages.
  • Backend is SSRF-filtered — can't be abused to scan private networks.
  • Pairs with SMTP Server Test and HTTP Headers Checker for deeper protocol-level diagnostics.

How to use Open Port Checker

  1. Enter the host — example.com or an IP address.
  2. Either type a port number or pick from the common-port dropdown (SSH, HTTPS, SMTP, etc.).
  3. Click Test port to open a single TCP connection from our backend.
  4. If the result is OPEN, the port is reachable from the public internet via our test path.
  5. If CLOSED, check the reason — ECONNREFUSED means firewall RST, ETIMEDOUT means dropped packets.
  6. Pair with SMTP Server Test, MX Record Lookup, or HTTP Headers Checker for protocol-level checks.

When to use Open Port Checker

  • After deploying a new service to confirm the port is reachable from the public internet.
  • When a customer reports they can't connect to your service from their network.
  • When debugging a cloud-provider security-group rule or a Kubernetes Service NodePort.
  • When validating a residential IP can or cannot accept inbound on port 25 for self-hosted mail.
  • When checking that a specific port (say 8080) responds before binding HTTPS in front of it.
  • While auditing a server's external attack surface — confirm what's actually open.

Examples

Open HTTPS port

Input: google.com:443

Output: OPEN — TCP connect to 142.250.80.46:443 succeeded in 28ms

Closed (ECONNREFUSED)

Input: example.com:6379

Output: CLOSED — Reason: ECONNREFUSED — no listener / RST returned

Filtered (ETIMEDOUT)

Input: blocked-host.example:445

Output: CLOSED — Reason: timeout — firewall is dropping SYN packets silently

Tips

  • OPEN means the TCP handshake completed — the listening process may still reject your data at the application layer.
  • ECONNREFUSED is usually a firewall RST or no listener; ETIMEDOUT is usually a silent drop.
  • Many cloud providers block outbound port 25 by default — your home test for an MX may show CLOSED for that reason.
  • Use the SMTP Server Test or HTTP Headers Checker for a protocol-level confirmation that an OPEN port speaks the protocol you expect.
  • If you need to check many ports at once, scripting nmap or masscan from your own infrastructure is the right answer — this tool is intentionally one-port.

Frequently Asked Questions

Is the queried host sent to a third party?
No. The TCP connect runs from our backend to the host you specify. The host obviously sees the connection (that's the test). Nothing else logs the host or port.
How does this compare to dnschecker.org or hackertarget?
Functionally similar single-port testing. Ours is free, signup-free, mobile-friendly, and includes a common-port preset dropdown. We deliberately don't offer multi-port scanning.
Can this detect a misconfigured firewall rule?
It tells you the symptom — port appears closed or filtered from the public internet. To diagnose the rule itself you need access to the firewall (security group, iptables, AWS NACL) at the source.
What does 'filtered' mean versus 'closed'?
Closed (ECONNREFUSED) means the OS responded with a RST — the port is reachable but no process is listening. Filtered (timeout) means a firewall silently dropped the packet — the port may exist but is blocked.
Why isn't this a full port scanner?
Multi-port scanning is operationally indistinguishable from a reconnaissance attack and is rate-limited away. If you legitimately need to scan, run nmap or masscan from your own infrastructure where you control the source.
Why does the result say CLOSED but I can connect locally?
Most likely a firewall in front of the server allowing local traffic but blocking the public internet — typical of cloud security groups or corporate NAT. Check the actual rule that admits external traffic.
Does an OPEN result mean my service is healthy?
It means the TCP handshake completed. The application may still reject your specific traffic (auth, allowlist, rate limits). Use a protocol-aware tool (SMTP Server Test, HTTP Headers Checker) to confirm.
Why do I see different results for the same host between this tool and my laptop?
Network paths differ. Your laptop's path may include a corporate proxy or ISP-level filtering; our backend's path doesn't. The result here represents what an arbitrary public client would see.

Explore the category

SMTP Server Test Connect to any SMTP host on port 25 (or a custom port), capture the banner, send EHLO, and verify whether STARTTLS is advertised. HTTP Headers Checker Inspect response status and headers from public HTTPS origins Online Ping Test Measure the response time (latency) of any IP address or hostname from our server with repeated ICMP-style pings. Website Status Checker Check whether any website or URL is up or down and see its HTTP response code, response time, and server headers. MX Record Lookup Look up the Mail Exchange (MX) records for any domain to see which mail servers handle its incoming email. SSL Certificate Checker Peek TLS certificate metadata with SSRF-safe hostname rules

Glossary

TCP connect
Completing the SYN, SYN-ACK, ACK three-way handshake. The handshake alone proves only the port is reachable — not that the server speaks the expected protocol.
ECONNREFUSED
The remote OS sent a RST packet — no process is listening on that port (or the firewall is configured to reject rather than drop).
ETIMEDOUT (filtered)
The remote did not respond within the timeout window. Usually a stateful firewall silently dropping packets.
Port 22 (SSH)
Default Secure Shell port. Often exposed for admin access to Linux servers; commonly moved or restricted to bastion IPs in production.
Port 80 / 443 (HTTP / HTTPS)
Standard web ports. Most public-facing services expose at least 443. If you need to test HTTP behavior, use HTTP Headers Checker afterward.
Port 587 (submission)
Authenticated SMTP submission port. Modern MUAs (Outlook, Thunderbird) connect here rather than port 25.