Port 5900: What's Using It and Is It Safe to Close?

Port 5900 is the standard VNC port, used for remote screen viewing and control. On a Mac, it’s how Screen Sharing works, so a listener on 5900 means screen access is enabled.

What typically listens on port 5900

• macOS Screen Sharing: Enabling System Settings > General > Sharing > Screen Sharing starts a VNC server on 5900.
• Remote Management: Apple Remote Desktop uses the same port when Remote Management is on.
• Third-party VNC servers: Tools like TightVNC or RealVNC, if installed, listen here.

This is a system-managed service, not a stray process.

Is it safe to close?

Yes. Nothing in macOS needs 5900 except the screen-sharing features themselves. If you don’t use remote screen access, turn it off properly:

System Settings > General > Sharing > Screen Sharing (off).

That closes the port cleanly. Killing the process isn’t the right move, since the service is supervised and would restart.

Is it suspicious?

If you intentionally enabled Screen Sharing or Remote Management, an open 5900 is expected. If you didn’t, investigate: a VNC server you never set up means someone could view or control your screen. Check Sharing settings first, and confirm the owning process.

VNC exposed to the internet, especially with a weak password, is a real risk. Keep it off unless you need it, and use a VPN for remote access rather than opening 5900 publicly.

How to find what’s on port 5900 on macOS

sudo lsof -i :5900

To confirm the source, check Sharing settings rather than killing the process.

Portie shows port 5900 with its owning process in its live view, so you can tell at a glance whether screen sharing is active, and its remote scanner can check whether 5900 is exposed on another host.