What it is
Database engines typically listen on well-known TCP ports—MySQL on 3306, PostgreSQL on 5432, MongoDB on 27017. Those ports are intended to be reachable only from internal application layers, VPNs, or bastion hosts. When the listener is open to the public internet, anyone can connect, fingerprint the database, and attempt authentication or exploit vulnerabilities in the service.
Why it matters
Publicly exposed databases are constant targets for brute-force attacks, credential stuffing, or automated exploitation of known CVEs. A single successful login or exploit can lead to mass data theft, deletion of records, ransomware deployment, or full takeover of the host. Because databases often store regulated or customer data, the blast radius of an exposed port spans compliance, legal, and operational risks.
How to reduce risk
- Restrict database listeners to internal networks, private service endpoints, or application proxies.
- Enforce firewall rules or IP allowlists so only approved systems can initiate connections.
- Require strong authentication and encryption in transit, and remove unused or default accounts.