Skip to content
ProtocolPorts

Port reference

Port 25565 (TCP) – Minecraft (Java Edition server)

Default listening port for Minecraft Java Edition multiplayer servers, handling the game protocol and server-list pings.

tcpRegisteredCommonly attacked

Default state

Open on self-hosted and rented Minecraft Java servers, very commonly exposed directly to the internet.

Common attacks

  • Volumetric and application-layer DDoS against the server
  • Log4Shell RCE on modded/plugin servers running vulnerable Log4j
  • Exposed RCON (25575) abuse for remote console access
  • Bot/join floods and griefing of unprotected servers

CVE-2021-44228

Hardening

  • Patch/upgrade Log4j and the server software to mitigate Log4Shell
  • Never expose RCON (25575); bind it to localhost and use a strong password
  • Front the server with a DDoS-filtering proxy and rate-limit connections
  • Use a whitelist and online-mode authentication to block unauthorized joins
  • Run the server as an unprivileged user in an isolated container

nmap snippet

nmap -p25565 --script minecraft-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 25565?

Port 25565 is the default for Minecraft Java Edition multiplayer servers. It carries the game protocol — logins, world updates, chat — and answers server-list pings. Self-hosted and rented servers commonly expose it directly to the internet. A companion RCON remote console typically listens on 25575 for administration.

Why it matters for security

Minecraft servers are a perennial DDoS target, both volumetric and application-layer. More seriously, modded and plugin servers running a vulnerable Log4j were exploitable via Log4Shell (CVE-2021-44228), where a crafted chat message could trigger remote code execution. An exposed or weakly-protected RCON hands an attacker full server control.

How it's attacked

Attackers launch bot/join floods and DDoS to knock servers offline. On unpatched modded servers they send a JNDI lookup string in chat to trigger Log4Shell RCE. They brute-force or scan for exposed RCON (25575) and abuse weak passwords, and grief servers with no whitelist or authentication.

Hardening checklist

Patch Log4j and update the server software to close Log4Shell. Never expose RCON — bind 25575 to localhost with a strong password. Front the server with a DDoS-filtering proxy and rate-limit connections. Enable a whitelist and online-mode authentication to block unauthorized joins, and run the server as an unprivileged user in an isolated container. Use the nmap snippet above against servers you operate.

Related ports

Port 25575Port 19132Port 27015

Frequently asked questions

Is port 25565 safe to expose to the internet?
Only with care. It is a common DDoS target, and modded or plugin servers have faced critical RCE such as Log4Shell. Patch Log4j, keep RCON closed, enable a whitelist, and front it with DDoS filtering.
What is the risk of RCON on port 25575?
RCON gives full remote console control of the server. If exposed with a weak or default password, attackers take over the server. Bind RCON to localhost and never expose 25575 to the internet.