
Port 4222 (TCP) – NATS messaging

Default client port for NATS, a high-performance cloud-native publish/subscribe and request/reply messaging system.

TCP · Registered · Commonly attacked

Default state

NATS runs with no authentication by default, so any client that reaches 4222 can publish and subscribe to all subjects. The monitoring endpoint on 8222 may also be exposed.

Common attacks

  • Anonymous connection to subscribe and publish on all subjects
  • Wildcard subscription to > to capture every message
  • Message injection into application and control subjects
  • Information disclosure via the monitoring endpoint on 8222

Hardening

  • Enable authentication (tokens, user/password, or NKEYS/JWT)
  • Use TLS for client connections and between cluster routes
  • Bind to a private interface and firewall 4222 (and 8222) to trusted hosts
  • Apply per-user subject permissions to limit publish/subscribe scope
  • Restrict or disable the monitoring endpoint and keep NATS patched

nmap snippet

nmap -p4222 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4222?

Port 4222 is the default client port for NATS, a high-performance cloud-native messaging system supporting publish/subscribe and request/reply patterns. Services connect to a NATS server (or cluster) to exchange messages on named subjects, decoupling microservices. A separate HTTP monitoring endpoint typically runs on 8222.

Why it matters for security

NATS is often deployed inside clusters where convenience wins, and it runs with no authentication by default. Any client that reaches 4222 can subscribe and publish on all subjects, reading internal traffic and injecting commands. If the monitoring endpoint on 8222 is also exposed, it leaks topology, connections, and subject activity to anyone who asks.

How it's attacked

Attackers connect anonymously and subscribe to >, the full wildcard, to capture every message flowing through the server. They inject messages into application and control subjects to influence services, and scrape 8222 for monitoring data that maps the deployment for further attack.

Hardening checklist

Enable authentication — tokens, user/password, or NKEYS/JWT — and apply per-user subject permissions. Use TLS for client connections and cluster routes. Bind to a private interface and firewall 4222 and 8222 to trusted hosts, restrict or disable the monitoring endpoint, and keep NATS patched. Use the nmap snippet above to check exposure on servers you are authorized to test.
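The checklist above (and the Hardening list earlier on this page) maps onto a nats-server configuration file. The following is an added example written for this page, not configuration shipped by the NATS project; the interface addresses, certificate paths, user names, subject names and the bcrypt hash values are placeholders you would replace for your deployment.

```conf
# Hardened nats-server.conf (added example). A server started with no config
# file listens on 0.0.0.0:4222 with no authentication; every line below
# closes one of the gaps named in the checklist.

# Client port on a private interface only; still firewall 4222 to trusted hosts.
listen: 10.0.0.5:4222

# Monitoring endpoint bound to loopback (reach it over an SSH tunnel);
# remove this line entirely to disable monitoring.
http: 127.0.0.1:8222

# TLS for all client connections. verify: true also demands a client
# certificate signed by ca_file, so unauthenticated scanners get no INFO banner.
tls {
  cert_file: "/etc/nats/certs/server.pem"
  key_file:  "/etc/nats/certs/server-key.pem"
  ca_file:   "/etc/nats/certs/ca.pem"
  verify:    true
}

# Authentication plus per-user subject permissions. Passwords are bcrypt
# hashes (generate with `nats server passwd`); the values here are placeholders.
# Each user gets an explicit allow list, so nobody can subscribe to ">".
authorization {
  timeout: 2
  users = [
    {
      user: "orders-svc"
      password: "$2a$11$PLACEHOLDER_BCRYPT_HASH_ORDERS"
      permissions {
        publish:   ["orders.>"]
        subscribe: ["orders.>", "_INBOX.>"]   # _INBOX.> is needed for request/reply
      }
    },
    {
      user: "billing-svc"
      password: "$2a$11$PLACEHOLDER_BCRYPT_HASH_BILLING"
      permissions {
        publish:   ["billing.>"]
        subscribe: ["orders.*.completed", "_INBOX.>"]
      }
    }
  ]
}

# Cluster routes get their own TLS; verify: true makes peers present certificates.
cluster {
  name: "prod"
  listen: 10.0.0.5:6222
  tls {
    cert_file: "/etc/nats/certs/route.pem"
    key_file:  "/etc/nats/certs/route-key.pem"
    ca_file:   "/etc/nats/certs/ca.pem"
    verify:    true
  }
  routes = ["nats-route://10.0.0.6:6222"]
}
```

After applying it, the nmap banner check from above should no longer return a plaintext INFO line with "auth_required":false from outside the trusted network.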

Frequently asked questions

Does NATS require authentication by default?
No. A default NATS server accepts anonymous clients on 4222, letting anyone subscribe and publish to every subject. Enable tokens, user/password, or NKEYS/JWT and apply per-user permissions.
What is the NATS monitoring port 8222?
NATS exposes an HTTP monitoring endpoint on 8222 that reports connections, subjects, and server state. If reachable it leaks topology and activity, so restrict or disable it and firewall the port.