Skip to content
ProtocolPorts

Port reference

Port 8888 (TCP) – HTTP Alternate / Jupyter Notebook

Alternate HTTP — default port for Jupyter Notebook/Lab, an interactive code-execution environment. No single fixed service.

tcpRegisteredCommonly attacked

Default state

Open when Jupyter or another app server is running. Often plain HTTP and bound to all interfaces by mistake.

Common attacks

  • Unauthenticated or token-less Jupyter Notebook leading to remote code execution
  • Token/password brute force against the Jupyter login
  • Cleartext interception of tokens and session cookies
  • Pivoting and crypto-mining via an exposed notebook kernel

Hardening

  • Never expose Jupyter on 8888 to the internet; bind to 127.0.0.1 and tunnel via SSH/VPN
  • Require a strong token or hashed password and serve over HTTPS
  • Run notebooks as an unprivileged user in a sandboxed container
  • Restrict by IP allowlist and front with an authenticated reverse proxy
  • Keep Jupyter and dependencies patched and disable terminals if unused

nmap snippet

nmap -p8888 --script http-title,http-headers,http-auth <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 8888?

Port 8888 is a common alternate HTTP port and the default for Jupyter Notebook and JupyterLab. There is no single fixed service — it may host other dev tools — but Jupyter is by far the most notable. Jupyter is an interactive environment that executes arbitrary code (Python, shell, more) on the host, normally reachable at http://host:8888/.

Why it matters for security

Because Jupyter runs code by design, an exposed instance is effectively a remote shell. Notebooks are routinely started with authentication disabled or with a token that ends up in logs, history, or a shared link. Combined with the common habit of binding to all interfaces, this turns an accidentally exposed 8888 into unauthenticated remote code execution as the running user.

How it's attacked

Attackers scan for token-less or weakly authenticated Jupyter and immediately gain RCE through the notebook or built-in terminal. They brute-force tokens and passwords, intercept cleartext tokens and cookies, and use the kernel to pivot into the network or run crypto-miners. Exposed notebooks are a well-known, automated target.

Hardening checklist

Never expose Jupyter on 8888 to the internet. Bind it to 127.0.0.1 and reach it through SSH tunnelling or a VPN. Require a strong token or hashed password, serve over HTTPS, and run notebooks as an unprivileged user in a sandboxed container. Restrict by IP allowlist, front it with an authenticated reverse proxy, and keep Jupyter patched. The nmap snippet checks title, headers, and auth on systems you are authorized to test.

Related ports

Port 80Port 443Port 8000Port 8080

Frequently asked questions

What is port 8888 used for?
It is the default port for Jupyter Notebook and JupyterLab, and a common alternate HTTP port. Since it can run anything, fingerprint the listener; if it is Jupyter, it provides an interactive Python shell on the host.
Why is an exposed Jupyter on 8888 so dangerous?
Jupyter executes arbitrary code by design. An instance with authentication disabled or a weak token gives any visitor remote code execution as the running user. Bind it to localhost, require a token, and access it over SSH or VPN.