Port reference

Port 5672 (TCP) – AMQP (RabbitMQ)

Default port for AMQP 0-9-1, the messaging protocol used by RabbitMQ brokers.

TCP | Registered | Commonly attacked

Default state

RabbitMQ ships with a default guest/guest account; in older or misconfigured setups the broker binds broadly and the management UI on 15672 may also be reachable, exposing queues and credentials.

Common attacks

  • Login with default guest/guest credentials to read and publish messages
  • Message interception and queue tampering on unencrypted AMQP
  • Access to the management UI/API on 15672 for full broker control
  • Information disclosure of vhosts, queues, and message payloads

Hardening

  • Delete or restrict the default guest user; enforce strong credentials
  • Bind to a private interface and firewall 5672 (and 15672) to trusted hosts
  • Require TLS for AMQP and the management interface
  • Use vhosts and per-user permissions to segment access
  • Keep RabbitMQ and Erlang patched and audit access

nmap snippet

nmap -p5672 --script amqp-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5672?

Port 5672 is the default for AMQP 0-9-1, the Advanced Message Queuing Protocol spoken by RabbitMQ brokers. Producers and consumers connect over 5672 to publish and consume messages through exchanges and queues, decoupling services in distributed systems. The companion management UI/API typically runs on 15672 and the TLS variant (AMQPS) on 5671.

Why it matters for security

RabbitMQ carries the messages that tie services together, so an exposed broker leaks business data and lets attackers inject or drop traffic. RabbitMQ ships a default guest/guest account, and plain AMQP on 5672 is unencrypted, so credentials and payloads can be intercepted. If the management UI on 15672 is also reachable, an attacker gains full broker control.

How it's attacked

Attackers scan for open 5672 and try the default guest/guest credentials to read and publish messages. On unencrypted connections they intercept and tamper with message traffic, and they probe 15672 for the management UI/API to enumerate vhosts and queues or seize control. Leaked payloads often reveal internal application data and further credentials.

Hardening checklist

Delete or restrict the default guest user and enforce strong credentials. Bind RabbitMQ to a private interface and firewall 5672 and 15672 to trusted hosts. Require TLS (AMQPS on 5671) for messaging and the management interface, use vhosts and per-user permissions to segment access, and keep RabbitMQ and Erlang patched. Use the nmap snippet above to check exposure on hosts you are authorized to test.
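
An added example, not part of the original page: a small Python audit that checks a rabbitmq.conf for the weak settings in the checklist above (remote guest login, plain AMQP bound beyond loopback or private addresses, no TLS listener, management API without TLS). It assumes the key = value rabbitmq.conf format; the two sample configs, their file paths and the finding labels are constructed for illustration.

```python
import ipaddress

# Constructed sample configs in rabbitmq.conf "key = value" format (not from the page).
WEAK_CONF = """
loopback_users = none
listeners.tcp.default = 5672
management.tcp.port = 15672
"""
HARDENED_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.certfile = /etc/rabbitmq/tls/server.pem
ssl_options.keyfile = /etc/rabbitmq/tls/server.key
management.ssl.port = 15671
"""

def parse(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def bound_broadly(value):
    """True if a listener value ('5672' or 'ip:5672') is reachable beyond loopback/private space."""
    host = value.rpartition(":")[0]
    if not host:                      # bare port: listens on all interfaces
        return True
    addr = ipaddress.ip_address(host.strip("[]"))
    return addr.is_unspecified or not (addr.is_loopback or addr.is_private)

def audit(text):
    """Return a list of finding labels (hypothetical names) for one config text."""
    conf, findings = parse(text), []
    if conf.get("loopback_users") == "none" or conf.get("loopback_users.guest") == "false":
        findings.append("guest-remote-login")
    plain = {k: v for k, v in conf.items() if k.startswith("listeners.tcp.")}
    if conf.get("listeners.tcp") != "none" and not plain:
        plain = {"listeners.tcp.default": "5672"}   # broker default when unset
    if any(bound_broadly(v) for v in plain.values()):
        findings.append("plain-amqp-exposed")
    if not any(k.startswith("listeners.ssl.") for k in conf):
        findings.append("no-tls-listener")
    if "management.tcp.port" in conf and "management.ssl.port" not in conf:
        findings.append("management-without-tls")
    return findings
```

Calling audit() on the text of a broker's rabbitmq.conf returns an empty list when none of these four conditions is present; it does not inspect users or permissions, which live in the broker's database rather than the config file.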

Frequently asked questions

What are the default RabbitMQ credentials?
RabbitMQ creates a default guest/guest account that, in older versions, could log in remotely. Delete or restrict the guest user, set strong credentials, and firewall ports 5672 and 15672.

Is AMQP traffic on port 5672 encrypted?
Not by default — plain 5672 is unencrypted, so messages and credentials can be intercepted. Use AMQPS on 5671 or enable TLS, and require it for the management UI as well.