Port reference
Port 8140 (TCP) – Puppet Server
Default port for Puppet Server — agents connect over mutually authenticated TLS to fetch catalogs and configuration.
Default state
Open on the Puppet primary (master) server; uses TLS with a Puppet-managed certificate authority.
Common attacks
- Certificate-signing abuse to enrol rogue agents or obtain trusted certs
- Compromise of the Puppet CA leading to mass remote code execution on nodes
- Catalog/manifest tampering to push malicious configuration fleet-wide
- Exploiting Puppet Server / API vulnerabilities and weak autosign settings
Hardening
- Never expose 8140 to the internet; restrict to managed nodes and management networks
- Disable open/naive autosign and require manual or policy-based certificate signing
- Protect and back up the Puppet CA; rotate and revoke certificates promptly
- Enforce mutual TLS, least privilege on modules, and code review of manifests
- Keep Puppet Server patched and monitor certificate and catalog requests
nmap snippet
nmap -p8140 --script ssl-cert,banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 8140?
Port 8140 is the default port for Puppet Server, the control plane of the Puppet configuration-management system. Puppet agents on managed nodes connect to it over mutually authenticated TLS to obtain signed certificates from Puppet's built-in certificate authority and to download catalogs describing their desired state — packages, files, services, and commands to enforce.
Why it matters for security
Puppet Server defines what runs on every managed node, so it is a high-value target: control of 8140, or of the Puppet CA, translates into mass remote code execution across the fleet. Misconfigured autosign can let arbitrary hosts enrol as trusted agents, and tampered manifests propagate malicious configuration everywhere within a single run.
How it's attacked
Attackers abuse certificate signing — exploiting open or naive autosign — to enrol rogue agents or obtain trusted certificates. They target the Puppet CA for fleet-wide control, tamper with catalogs and manifests to push malicious configuration, and exploit Puppet Server or API vulnerabilities and weak TLS settings to bypass authentication.
Hardening checklist
Never expose 8140 to the internet — restrict it to managed nodes and management networks. Disable open/naive autosign and require manual or policy-based certificate signing. Protect and back up the Puppet CA, rotate and revoke certificates promptly, and enforce mutual TLS. Apply least privilege in modules, review manifests, keep Puppet Server patched, and monitor certificate and catalog requests. The nmap snippet inspects the certificate and banner on systems you are authorized to test.
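One way to implement the "policy-based certificate signing" step above is a Puppet Server autosign hook, shown here as an added example (not Puppet's own code). It assumes a constructed inventory file written by the provisioning system and a managed domain of corp.example; the hook signs a CSR only for a well-formed certname that the provisioning system has announced and whose provisioning window has not expired.

```python
#!/usr/bin/env python3
"""Policy-based autosign hook for Puppet Server (added example, not Puppet's code).

Enable it on the CA server in puppet.conf:
    [server]
    autosign = /etc/puppetlabs/puppet/autosign-policy.py
Puppet Server runs the script with the requesting certname as argv[1] and the
PEM CSR on stdin; exit status 0 signs the request, anything else leaves it
pending for a human to review with `puppetserver ca list`.
"""
import json
import re
import sys
import time
from pathlib import Path

# Constructed for the example: the provisioning system writes each expected
# node here as {"certname": {"not_after": <unix time>}} before the node boots.
INVENTORY = Path("/etc/puppetlabs/puppet/expected-nodes.json")

# Assumed managed domain: only lowercase FQDNs under corp.example are eligible,
# so wildcards, uppercase and path-like names never reach the signing step.
CERTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+corp\.example$")


def decide(certname: str, inventory: dict, now: float) -> tuple[bool, str]:
    """Return (sign?, reason). Kept pure so the policy itself is testable."""
    if not CERTNAME_RE.fullmatch(certname):
        return False, "certname outside managed naming policy"
    entry = inventory.get(certname)
    if entry is None:
        return False, "certname not in provisioning inventory"
    if now > entry.get("not_after", 0):
        return False, "provisioning window expired"
    return True, "expected node within provisioning window"


def main() -> int:
    certname = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdin.read()  # the CSR PEM; consumed but not inspected by this policy
    inventory = json.loads(INVENTORY.read_text()) if INVENTORY.exists() else {}
    ok, reason = decide(certname, inventory, time.time())
    print(f"autosign {certname}: {'SIGN' if ok else 'PENDING'} ({reason})", file=sys.stderr)
    if ok:  # one-shot: a second CSR for the same name must be reviewed by hand
        inventory.pop(certname)
        INVENTORY.write_text(json.dumps(inventory))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Requests the hook declines stay pending rather than being rejected, so the operator still sees them with `puppetserver ca list` and can investigate a certname that was never provisioned.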
Frequently asked questions
- What is port 8140 used for?
- It is the default port for Puppet Server. Puppet agents connect to it over mutually authenticated TLS to request signed certificates and download catalogs that define a node's desired configuration.
- Why is port 8140 high-value to attackers?
- Puppet Server controls the configuration of every managed node. Compromising it — or its certificate authority — lets an attacker push malicious catalogs and achieve remote code execution across the entire fleet. Restrict 8140 to managed networks and disable naive autosign.