Port reference
Port 5671 (TCP) – AMQPS (AMQP over TLS)
Default port for AMQPS, the TLS-secured variant of AMQP 0-9-1 used by RabbitMQ brokers; the plaintext form runs on 5672.
Default state
Reserved for TLS-wrapped AMQP. Encryption is in place, but RabbitMQ still ships a default guest/guest account, and plaintext 5672 or the management UI on 15672 may also be reachable.
Common attacks
- Login with default guest/guest credentials despite TLS
- Downgrade to plaintext AMQP on 5672 when both ports are open
- Exploitation of weak TLS configs or missing certificate validation
- Access to the management UI/API on 15672 for full broker control
Hardening
- Delete or restrict the default guest user; enforce strong credentials
- Disable plaintext 5672 so clients cannot be downgraded
- Use modern TLS versions and strong ciphers; validate certificates
- Bind to a private interface and firewall 5671 (and 15672) to trusted hosts
- Use vhosts and per-user permissions, and keep RabbitMQ and Erlang patched
nmap snippet
nmap -p5671 --script ssl-cert,amqp-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5671?
Port 5671 is the default for AMQPS — AMQP 0-9-1 secured with TLS — the encrypted counterpart of the messaging protocol spoken by RabbitMQ brokers. Producers and consumers connect over 5671 to publish and consume messages through exchanges and queues, with topics, payloads, and credentials protected in transit. The plaintext form runs on 5672 and the management UI on 15672.
Why it matters for security
5671 fixes the confidentiality gap of plaintext AMQP, but TLS is not access control. RabbitMQ still ships a default guest/guest account, and if plaintext 5672 or the management UI on 15672 is also reachable, an attacker can downgrade clients to plaintext or seize control of the broker. The broker carries the messages that tie services together, so weak authentication still leaks business data.
How it's attacked
Attackers try the default guest/guest credentials even over TLS, and where both ports are open they downgrade clients to plaintext 5672. Weak TLS configs and missing certificate validation are probed to intercept or impersonate, and 15672 is targeted for the management UI/API to enumerate vhosts and queues or take full control.
Hardening checklist
Delete or restrict the default guest user and enforce strong credentials. Disable plaintext 5672 so clients cannot be downgraded, use modern TLS with strong ciphers, and validate certificates. Bind to a private interface and firewall 5671 and 15672 to trusted hosts, use vhosts and per-user permissions, and keep RabbitMQ and Erlang patched. Use the nmap snippet above to check exposure on hosts you are authorized to test.
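One way to check a broker's rabbitmq.conf against the listener, TLS, guest and management items of this checklist, as an added example that is not part of the original page or RabbitMQ's own tooling. The function names are hypothetical, both sample configs are constructed, and the management check assumes the management plugin is enabled.

```python
# Added example (not RabbitMQ project code). Function names are hypothetical.
WEAK_TLS = {"tlsv1", "tlsv1.1"}

def parse_conf(text):
    """Parse rabbitmq.conf 'key = value' lines, skipping '#' comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return hardening findings; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    tls_listeners = [v for k, v in conf.items() if k.startswith("listeners.ssl.")]
    versions = {v for k, v in conf.items() if k.startswith("ssl_options.versions.")}
    # The plaintext listener on 5672 stays enabled unless listeners.tcp = none.
    if conf.get("listeners.tcp") != "none":
        findings.append("plaintext AMQP (5672) not disabled")
    if not tls_listeners:
        findings.append("no TLS listener (5671) configured")
    # A bare port number binds the listener on every interface.
    if any(v.isdigit() for v in tls_listeners):
        findings.append("TLS listener bound to all interfaces")
    if not versions or versions & WEAK_TLS:
        findings.append("TLS versions unpinned or weak")
    # guest is loopback-only by default; these two settings lift that limit.
    if conf.get("loopback_users") == "none" or conf.get("loopback_users.guest") == "false":
        findings.append("guest account usable from remote hosts")
    # Assumption: management plugin enabled, so an unset IP means all interfaces.
    if conf.get("management.tcp.ip", "0.0.0.0") == "0.0.0.0":
        findings.append("management UI (15672) bound to all interfaces")
    return findings

# Constructed samples; 10.0.0.5 is a placeholder private address.
WEAK = """listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
loopback_users = none"""
HARDENED = """listeners.tcp = none
listeners.ssl.1 = 10.0.0.5:5671
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
management.tcp.ip = 127.0.0.1"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

A clean result only covers the config file; users, vhost permissions and patch levels still need to be checked on the broker itself.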
Frequently asked questions
- How is port 5671 different from 5672?
  Port 5671 carries AMQP inside a TLS tunnel, encrypting messages and credentials, while 5672 is the same protocol in plaintext. Use 5671 and disable 5672 where possible.
- Does AMQPS on 5671 remove the need to fix default credentials?
  No. TLS encrypts traffic but does not provide access control. RabbitMQ's default guest/guest account still applies, so delete or restrict it, enforce strong credentials, and firewall the management UI.