Port reference
Port 2181 (TCP) – Apache ZooKeeper
Default client port for Apache ZooKeeper, a distributed coordination and configuration service.
Default state
ZooKeeper historically binds to all interfaces with no authentication, the default znode ACL grants world:anyone full permissions, and releases before 3.5.3 enable every four-letter-word admin command, so any client reaching 2181 can read or modify the znode tree and dump server state. Releases 3.5.3 and later whitelist only srvr by default, but authentication is still off.
Common attacks
- Unauthenticated 'four-letter words' (mntr, stat, conf, envi) leaking configuration, JVM environment, and quorum topology
- Reading and tampering with znodes to disrupt or hijack dependent clusters
- Information disclosure of broker, cluster, and service metadata
- Denial of service by deleting or corrupting coordination data
Hardening
- Bind to a private interface and firewall 2181 to trusted hosts only
- Enable authentication (SASL/Kerberos) and set ACLs on znodes; enabling SASL alone still accepts anonymous sessions, so also require it (zookeeper.sessionRequireClientSASLAuth on 3.6, enforce.auth.enabled on 3.7+)
- Restrict or disable the four-letter-word commands via 4lw.commands.whitelist (default is srvr only from 3.5.3; earlier releases enable everything)
- Require TLS for client (secureClientPort, drop clientPort) and quorum (sslQuorum=true) traffic
- Run as an unprivileged user and patch regularly
nmap snippet
nmap -p2181 --script zookeeper-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 2181?
Port 2181 is the default client port for Apache ZooKeeper, a distributed coordination service that stores configuration, naming, and synchronization data in a hierarchical znode tree. Systems like Kafka, HBase, and Hadoop rely on ZooKeeper to elect leaders and track cluster state, connecting to 2181 to read and write that shared metadata.
Why it matters for security
ZooKeeper is the source of truth for the clusters that depend on it. By default it ships without authentication, so anyone reaching 2181 can read the entire znode tree, and on releases before 3.5.3 the four-letter-word admin commands expose configuration and topology to the same anonymous clients. Tampering with znodes can disrupt, hijack, or take down every dependent service, making an exposed ZooKeeper a high-value target.
How it's attacked
Attackers scan for open 2181 and send four-letter words such as mntr,
stat, conf, and envi to harvest cluster details with no credentials. They
then read and modify znodes to disrupt coordination, redirect dependent
clients, or delete data for denial of service. Kafka, for example, publishes
its broker endpoints under /brokers/ids, so rewriting those znodes points
clients at attacker-controlled hosts. Leaked broker and service metadata
frequently aids pivoting into Kafka and other backends.
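The reconnaissance step above, as an added example that is not code from this page or from the ZooKeeper project: a minimal four-letter-word client plus a triage routine. The protocol is plain TCP (write four bytes, read until the server closes), so no library is needed. The sample replies are constructed here to model an open 3.4 server and a 3.5.3+ server on its default whitelist; the exact refusal wording is taken from the server's message and should be confirmed against the version you meet. Run it only against hosts you are authorized to test.

```python
"""Probe a ZooKeeper client port with four-letter words and triage the replies."""
import socket
import sys

# Commands worth sending on an exposure check. ruok only confirms liveness; the
# others return the server state, config and JVM environment described above.
PROBE_COMMANDS = ("ruok", "srvr", "mntr", "conf", "envi")

# Substring of the reply for a command outside 4lw.commands.whitelist
# (wording as seen on 3.5/3.6 servers; verify on your target).
WHITELIST_REFUSAL = "is not executed because it is not in the whitelist"


def four_letter_word(host, port, cmd, timeout=3.0):
    """Send one four-letter word and return the complete reply as text."""
    if len(cmd) != 4:
        raise ValueError("four-letter words are exactly four bytes")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:  # the server closes the connection when the reply is done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_kv(reply, sep):
    """Parse key/value lines: mntr separates with a tab, conf and envi with '='."""
    result = {}
    for line in reply.splitlines():
        key, found, value = line.partition(sep)
        if found:
            result[key.strip()] = value.strip()
    return result


def assess(replies):
    """Triage {command: reply} into what the server gave away."""
    findings = {"answered": [], "refused": []}
    for cmd, reply in replies.items():
        if WHITELIST_REFUSAL in reply:
            findings["refused"].append(cmd)
        elif reply.strip():
            findings["answered"].append(cmd)
    if "mntr" in findings["answered"]:
        mntr = parse_kv(replies["mntr"], "\t")
        findings["version"] = mntr.get("zk_version")
        findings["role"] = mntr.get("zk_server_state")  # leader/follower/standalone
    if "conf" in findings["answered"]:
        findings["dataDir"] = parse_kv(replies["conf"], "=").get("dataDir")
    if "envi" in findings["answered"]:
        findings["os_user"] = parse_kv(replies["envi"], "=").get("user.name")
    # All three state-dumping commands answering means the whitelist is wide open.
    findings["wide_open"] = all(c in findings["answered"] for c in ("mntr", "conf", "envi"))
    return findings


def probe(host, port=2181):
    """Live probe: send every command in PROBE_COMMANDS and triage the results."""
    return assess({cmd: four_letter_word(host, port, cmd) for cmd in PROBE_COMMANDS})


# Constructed replies modelled on a 3.4 server with every command enabled.
SAMPLE_OPEN = {
    "ruok": "imok",
    "mntr": "zk_version\t3.4.14, built on 03/06/2019 16:18 GMT\n"
            "zk_avg_latency\t0\nzk_num_alive_connections\t5\n"
            "zk_server_state\tstandalone\nzk_znode_count\t143\n",
    "conf": "clientPort=2181\ndataDir=/var/lib/zookeeper/version-2\n"
            "dataLogDir=/var/lib/zookeeper/version-2\ntickTime=2000\n",
    "envi": "Environment:\nzookeeper.version=3.4.14\nhost.name=kafka-zk1\n"
            "java.version=1.8.0_202\nuser.name=zookeeper\nuser.home=/var/lib/zookeeper\n",
}
# Constructed replies from a 3.5.3+ server left on its default whitelist (srvr only).
SAMPLE_RESTRICTED = {
    cmd: f"{cmd} is not executed because it is not in the whitelist.\n"
    for cmd in ("ruok", "mntr", "conf", "envi")
}

if __name__ == "__main__":
    # With a host argument, probe it; otherwise triage the constructed sample.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_OPEN))
```

A server that refuses mntr, conf and envi but answers srvr is on a restrictive whitelist; one that answers all three hands over its version, role, data directory and the OS account it runs as, which is exactly the pivot material the paragraph describes.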
Hardening checklist
Bind ZooKeeper to a private interface (clientPortAddress) and firewall 2181 to
trusted hosts only. Enable authentication (SASL/Kerberos) and set ACLs on
znodes; check the current state with getAcl / in zkCli.sh, where
world,anyone: cdrwa means the tree is open to everyone. Enabling SASL alone
still accepts anonymous sessions, so also require it
(zookeeper.sessionRequireClientSASLAuth on 3.6, enforce.auth.enabled on 3.7+).
Restrict or disable the four-letter-word commands via 4lw.commands.whitelist
(srvr only by default from 3.5.3; earlier releases enable everything), and
require TLS for client (secureClientPort, with clientPort removed so no
plaintext port remains) and quorum (sslQuorum=true) traffic. Run as an
unprivileged user and patch regularly. Use the nmap snippet above to check
exposure on hosts you are authorized to test.
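The checklist above as an auditable configuration, added here as an example (not part of this page or of ZooKeeper): a small zoo.cfg parser with one check per checklist item, run over a constructed out-of-the-box config and its hardened counterpart. Key names are the documented zoo.cfg properties; enforce.auth.enabled only exists from 3.7, and on 3.6 the equivalent is the zookeeper.sessionRequireClientSASLAuth JVM system property, which is outside zoo.cfg and so outside this audit. Znode ACLs live in the data tree, not the config, so they are not covered either.

```python
"""Audit a zoo.cfg against the hardening checklist above."""

# Four-letter words that leak state, config or environment. srvr and ruok
# are what zkServer.sh needs and are treated as acceptable.
LEAKY_4LW = {"mntr", "conf", "envi", "dump", "stat", "cons", "wchc", "wchp"}
NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"  # required for TLS


def parse_zoo_cfg(text):
    """Parse Java-properties style key=value lines, skipping blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, found, value = line.partition("=")
        if found:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(text):
    """Return [(check_id, message)] for every failed check; [] means clean."""
    cfg = parse_zoo_cfg(text)
    findings = []

    # Each configured listener must be pinned to a specific address.
    for port_key, addr_key in (("clientPort", "clientPortAddress"),
                               ("secureClientPort", "secureClientPortAddress")):
        if port_key in cfg and cfg.get(addr_key) in (None, "0.0.0.0", "::"):
            findings.append(("bind", f"{addr_key} unset or wildcard: {port_key} listens on every interface"))

    wl = cfg.get("4lw.commands.whitelist")
    if wl is None:
        findings.append(("4lw", "4lw.commands.whitelist unset: all commands before 3.5.3, srvr only after; set it explicitly"))
    elif "*" in wl:
        findings.append(("4lw", "4lw.commands.whitelist=* enables every command"))
    else:
        leaky = sorted(LEAKY_4LW & {c.strip() for c in wl.split(",")})
        if leaky:
            findings.append(("4lw", "whitelist still exposes " + ", ".join(leaky)))

    if "secureClientPort" not in cfg:
        findings.append(("tls-client", "no secureClientPort: client traffic is plaintext"))
    else:
        if "clientPort" in cfg:
            findings.append(("tls-client", "clientPort still set: a plaintext port stays open beside TLS"))
        if cfg.get("serverCnxnFactory") != NETTY:
            findings.append(("tls-client", "TLS needs serverCnxnFactory=" + NETTY))

    if cfg.get("sslQuorum", "false").lower() != "true":
        findings.append(("tls-quorum", "sslQuorum not true: quorum traffic is plaintext"))

    if not any(k.startswith("authProvider.") for k in cfg):
        findings.append(("auth-provider", "no authProvider.* entry: SASL authentication not available"))

    # 3.7+ key; 3.6 uses the zookeeper.sessionRequireClientSASLAuth JVM property instead.
    if cfg.get("enforce.auth.enabled", "false").lower() != "true":
        findings.append(("auth-enforce", "enforce.auth.enabled not true: unauthenticated sessions are still accepted"))
    return findings


# Constructed: the kind of config the "Default state" above describes.
WEAK_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
4lw.commands.whitelist=*
"""

# Constructed: the same server after the checklist (3.7+ keys; paths are placeholders).
HARDENED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
secureClientPort=2281
secureClientPortAddress=10.0.0.5
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/keystore.jks
ssl.trustStore.location=/etc/zookeeper/truststore.jks
sslQuorum=true
4lw.commands.whitelist=srvr,ruok
authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
enforce.auth.enabled=true
enforce.auth.schemes=sasl
"""

if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg_text) or "clean")
```

Adding clientPort=2181 back to the hardened file is a common mistake when enabling TLS; the audit flags it twice, once as an unpinned listener and once as a plaintext port left open beside the secure one.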
Frequently asked questions
- Are ZooKeeper's four-letter-word commands a security risk?
- Yes, wherever they are enabled. Commands like mntr, stat, conf, and envi return cluster configuration, JVM environment, and quorum topology to any unauthenticated client. Releases before 3.5.3 enable all of them; 3.5.3 and later whitelist only srvr by default. Restrict them with 4lw.commands.whitelist and firewall port 2181.
- Does ZooKeeper require authentication by default?
- No. By default any client reaching 2181 can read and modify znodes, because the default ACL grants world:anyone full permissions. Enable SASL/Kerberos authentication, set ACLs on znodes, and require authenticated sessions (zookeeper.sessionRequireClientSASLAuth on 3.6, enforce.auth.enabled on 3.7+) so that turning on SASL does not leave anonymous clients connected.