
Port 3690 (TCP) – Subversion (svnserve)

Default port for the Subversion svn:// protocol served by svnserve.

tcp · Registered · Commonly attacked

Default state

Open on hosts running svnserve. Frequently configured for anonymous read (or even write) access.

Common attacks

  • Anonymous checkout of source code and repository history
  • Brute force of svnserve passwd credentials
  • Exposure of secrets committed into history (keys, passwords)
  • Exploiting unpatched svnserve parsing vulnerabilities

Hardening

  • Prefer svn+ssh:// or HTTPS (mod_dav_svn) over the cleartext svn:// protocol
  • Disable anonymous access (anon-access = none) and require auth
  • Restrict source IPs / run behind a VPN
  • Scrub secrets from history and rotate any that leaked
  • Keep Subversion patched and run svnserve as an unprivileged user

nmap snippet

nmap -p3690 -sV <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3690?

Port 3690 is the registered port for Subversion's svn:// protocol, served by the standalone svnserve daemon. It lets clients check out, commit, and browse the full history of a version-control repository over a lightweight custom protocol — an alternative to tunnelling Subversion over SSH or HTTP(S).

Why it matters for security

svnserve is frequently deployed with anonymous read access, and sometimes anonymous write, meaning anyone who can reach 3690 can clone your entire source tree and its history. That history often contains secrets — API keys, passwords, internal hostnames — committed and "deleted" but still recoverable. The native protocol is also cleartext, so credentials and code are exposed on the wire.

How it's attacked

Attackers and bots scan for open 3690 and attempt an anonymous checkout to harvest source and embedded secrets. Where authentication exists, the svnserve passwd file is brute-forced, especially when it uses weak hashing. Unpatched svnserve builds have also had protocol-parsing bugs that can crash or compromise the daemon.

Hardening checklist

Prefer svn+ssh:// or HTTPS via Apache mod_dav_svn so traffic is encrypted and authenticated, and avoid exposing the raw svn:// port. Set anon-access = none and require credentials, restrict source IPs or run behind a VPN, and scrub leaked secrets from history (rotating anything exposed). Keep Subversion patched and run svnserve as an unprivileged user. The nmap snippet above fingerprints the service version on hosts you are authorized to test.
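To check the anon-access item on an existing repository, the sketch below (an added example, not part of the original page or of Subversion itself) computes the effective setting from a svnserve.conf, treating a missing or commented-out option as svnserve's default. The sample configs and function names are constructed for illustration, and per-path rules from an authz-db file are not evaluated.

```python
import configparser

# svnserve's built-in defaults, used when an option is absent or commented out.
DEFAULTS = {"anon-access": "read", "auth-access": "write"}

# Constructed sample: anon-access is commented out, so the default applies.
STOCK_CONF = """\
[general]
# anon-access = none
auth-access = write
password-db = passwd
"""

# Constructed sample: the setting the checklist asks for.
HARDENED_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
"""

def effective_access(conf_text):
    """Return the effective anon-access / auth-access values for a svnserve.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    return {k: general.get(k, d).strip().lower() for k, d in DEFAULTS.items()}

def audit(conf_text):
    """Return (severity, message) findings for anonymous exposure on svn://."""
    anon = effective_access(conf_text)["anon-access"]
    findings = []
    if anon == "write":
        findings.append(("high", "anonymous commit allowed (anon-access = write)"))
    elif anon == "read":
        findings.append(("medium", "anonymous checkout of source and history "
                                   "allowed (anon-access = read, explicit or default)"))
    elif anon != "none":
        findings.append(("review", f"unrecognized anon-access value: {anon!r}"))
    return findings

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(name, effective_access(conf), audit(conf) or "ok")
```

Run it against each repository's conf/svnserve.conf; an empty findings list means anonymous access is disabled at the repository level.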

Frequently asked questions

Is svnserve on port 3690 encrypted?
No. The native svn:// protocol is cleartext, so credentials and source code travel unencrypted. Use svn+ssh:// or HTTPS via Apache mod_dav_svn instead.
Can anyone read my repository on port 3690?
If anon-access is left at the default 'read', yes — anyone who can reach 3690 can check out your full source and history. Set anon-access = none and require authentication.