Skip to content
PortsDB

Port reference

Port 9050 (TCP) – Tor SOCKS proxy

Local SOCKS5 proxy exposed by the Tor client to route application traffic over the Tor network.

tcpRegisteredCommonly attacked

Default state

Listening on 127.0.0.1 only on hosts running the Tor daemon. Dangerous when bound to a public interface, where it acts as an open proxy.

Common attacks

  • Open-proxy abuse when 9050 is bound to a public interface
  • Relaying spam, scraping, or attack traffic through the host
  • Scanning for exposed Tor SOCKS ports to anonymize malicious traffic
  • Pivoting via an unprotected control port (9051) to reconfigure Tor

Hardening

  • Keep 9050 bound to 127.0.0.1 — never expose it to the network
  • Protect the control port 9051 with CookieAuthentication or a password
  • Firewall the port so only local applications can reach it
  • Run Tor as an unprivileged user and keep it patched
  • Monitor for unexpected outbound Tor traffic on servers

nmap snippet

nmap -p9050 --script socks-open-proxy,socks-auth-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 9050?

Port 9050 is the default SOCKS5 proxy exposed by the Tor client daemon. Applications point their proxy settings at 127.0.0.1:9050, and Tor routes that traffic through its onion-routing circuits for anonymity. The Tor Browser bundle uses a separate port (9150), while the standalone tor daemon listens on 9050. A companion control port (9051) lets tools manage circuits and configuration.

Why it matters for security

By design 9050 binds only to localhost, so local apps can use it but the network cannot. The danger appears when an operator rebinds it to a public interface or 0.0.0.0: it then becomes an open SOCKS proxy that anyone on the internet can relay traffic through, anonymizing spam, scraping, and attacks behind the host's IP. A weakly protected control port (9051) compounds the risk.

How it's attacked

Internet scanners probe for open SOCKS ports, and nmap's socks-open-proxy script confirms whether 9050 will relay arbitrary connections. Once found, an exposed proxy is abused to launder malicious traffic. If the control port 9051 is reachable without authentication, attackers can reconfigure Tor or attempt to deanonymize its users.

Hardening checklist

Keep 9050 bound to 127.0.0.1 and never expose it to the network — firewall it so only local applications connect. Protect the control port 9051 with CookieAuthentication or a hashed password. Run Tor as an unprivileged user, keep it patched, and monitor servers for unexpected outbound Tor traffic. Use the nmap snippet above to verify the proxy is not openly relaying on hosts you are authorized to test.

Related ports

Port 9051Port 1080Port 9001Port 9150

Frequently asked questions

Is port 9050 safe to leave open?
Only on localhost. Tor binds 9050 to 127.0.0.1 by design. If you rebind it to a public IP it becomes an open SOCKS proxy that anyone can route abusive traffic through.
What is the difference between 9050 and 9051?
9050 is the SOCKS proxy applications connect to. 9051 is Tor's control port, used to manage the daemon. An unauthenticated 9051 lets an attacker reconfigure or deanonymize Tor.