Port reference
Port 1883 (TCP) – MQTT
Default port for MQTT, the lightweight publish/subscribe messaging protocol used across IoT deployments; the TLS variant runs on 8883.
Default state
Many brokers (e.g. Mosquitto) allow anonymous access by default and bind to all interfaces. Plain MQTT on 1883 is unencrypted, leaving topics and payloads readable to anyone who can reach the port.
Common attacks
- Anonymous connection to subscribe to all topics with a # wildcard
- Message injection and command publishing to actuator/control topics
- Payload and credential interception on unencrypted MQTT
- Enumeration of mass-exposed brokers via internet-wide scanning
Hardening
- Disable anonymous access; require username/password or client certificates
- Use MQTT over TLS on 8883 instead of plaintext 1883
- Bind to a private interface and firewall 1883 to trusted hosts
- Enforce per-client topic ACLs to limit subscribe/publish scope
- Keep broker software patched and audit connected clients
nmap snippet
nmap -p1883 --script mqtt-subscribe <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1883?
Port 1883 is the default for MQTT, a lightweight publish/subscribe messaging protocol designed for IoT devices and low-bandwidth links. Clients connect to a central broker (such as Mosquitto or HiveMQ) to publish to and subscribe from topics, decoupling sensors, gateways, and applications. Plain MQTT runs on 1883; the TLS-secured variant uses 8883.
Why it matters for security
MQTT carries the telemetry and commands that drive IoT systems, so an exposed broker leaks sensor data and lets attackers control devices. Many brokers allow anonymous access by default, and plain MQTT on 1883 is unencrypted, so topics, payloads, and credentials are readable. Internet-wide scanners routinely find mass-exposed brokers with no authentication at all.
How it's attacked
Attackers connect anonymously and subscribe to #, the wildcard that matches every topic, dumping all traffic in real time. They inject messages into control topics to actuate devices, and intercept payloads and credentials on unencrypted links. Open brokers are catalogued by internet-wide scans for bulk exploitation.
Hardening checklist
Disable anonymous access and require username/password or client certificates. Use MQTT over TLS on 8883 instead of plaintext 1883. Bind the broker to a private interface and firewall 1883 to trusted hosts. Enforce per-client topic ACLs to limit subscribe/publish scope, keep broker software patched, and audit connected clients. Use the nmap snippet above to check exposure on brokers you are authorized to test.
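An added audit helper (not part of this page or of Mosquitto) that reads a mosquitto.conf and reports the settings this checklist tells you to change: anonymous access, missing authentication, missing topic ACLs, plaintext listeners, and broad binding. The two sample configs inside it are constructed for the example and their file paths are placeholders.

```python
# Added audit helper, not part of this page or of Mosquitto: reads a mosquitto.conf and
# reports the weak settings the checklist above names. Assumes Mosquitto's text format
# ("key value" per line, "listener <port> [bind_address]" opening a listener section).
TLS_KEYS = {"cafile", "certfile", "keyfile"}

def parse_mosquitto_conf(text):
    """Split a mosquitto.conf into global settings and per-listener settings."""
    global_settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            port, _, bind = value.partition(" ")
            listeners.append({"port": int(port), "bind": bind.strip(), "settings": {}})
        elif listeners:
            listeners[-1]["settings"][key] = value  # keys after a listener line belong to it
        else:
            global_settings[key] = value
    return global_settings, listeners
def audit_mosquitto_conf(text):
    """Return one finding per weak setting, each mapped to an item in the hardening list."""
    global_settings, listeners = parse_mosquitto_conf(text)
    findings = []
    for lst in listeners:
        eff = {**global_settings, **lst["settings"]}  # listener-level keys override globals
        where = f"listener {lst['port']}"
        if eff.get("allow_anonymous", "").lower() == "true":
            findings.append(f"{where}: allow_anonymous true; disable it and require credentials")
        if "password_file" not in eff and eff.get("require_certificate", "").lower() != "true":
            findings.append(f"{where}: no password_file or require_certificate; clients are unauthenticated")
        if "acl_file" not in eff:
            findings.append(f"{where}: no acl_file; any client may subscribe/publish to any topic")
        if not TLS_KEYS & set(eff):
            findings.append(f"{where}: no certfile/keyfile; traffic is plaintext, move to TLS on 8883")
        if lst["bind"] in ("", "0.0.0.0", "::"):
            findings.append(f"{where}: bound to all interfaces; bind to a private address and firewall it")
    return findings
# Constructed sample configs for this example; the paths are placeholders.
WEAK_CONF = "listener 1883\nallow_anonymous true\n"
HARDENED_CONF = ("allow_anonymous false\npassword_file /etc/mosquitto/passwd\n"
                 "acl_file /etc/mosquitto/acl\nlistener 8883 10.0.0.5\n"
                 "cafile /etc/mosquitto/ca.crt\ncertfile /etc/mosquitto/broker.crt\n"
                 "keyfile /etc/mosquitto/broker.key\n")
if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mosquitto_conf(conf) or ["no findings"])
```

Point it at your own broker's config to see which checklist items are still open; the weak sample trips every check and the hardened one trips none.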
Frequently asked questions
- Is MQTT on port 1883 encrypted?
- No. Plain MQTT on 1883 is unencrypted and often allows anonymous access, so topics, payloads, and credentials can be read. Use MQTT over TLS on 8883 and require authentication.
- Why are MQTT brokers so commonly exposed?
- IoT deployments often expose 1883 to the internet with default anonymous settings. Attackers scan the whole internet for open brokers, then subscribe with the # wildcard to read every topic.