When troubleshooting network connectivity or application-specific issues, one of the first things to check should be what ports are actually in use on your system and which application is listening on a specific port.
A network port is identified by its number, the associated IP address, and the transport protocol, such as TCP or UDP. Put simply, an open port is a network port on which an application or process listens, acting as a communication endpoint.
A listening port can be left open or closed (filtered) by a firewall. In general terms, an open port is a network port that accepts incoming packets from remote hosts.
Check for Open Ports with netstat
Netstat (network statistics) is a command-line tool for monitoring incoming and outgoing network connections and viewing routing tables, interface statistics, etc. This tool is essential and valuable for Linux network administrators and system administrators to monitor and troubleshoot their network-related problems and determine network traffic performance.
To list all TCP or UDP ports that are being listened on, including the services using the ports and the socket status, use the following command:
$ sudo netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 24919/amavisd
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 967/master
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 800/tinyproxy
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 967/master
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 844/pure-ftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 768/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 967/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1001/dovecot
tcp6 0 0 :::3306 :::* LISTEN 823/mysqld
tcp6 0 0 ::1:783 :::* LISTEN 24911/spamd.pid -d
tcp6 0 0 :::80 :::* LISTEN 781/httpd
tcp6 0 0 :::21 :::* LISTEN 844/pure-ftpd
tcp6 0 0 :::22 :::* LISTEN 768/sshd
tcp6 0 0 :::25 :::* LISTEN 967/master
tcp6 0 0 :::993 :::* LISTEN 1001/dovecot
tcp6 0 0 :::995 :::* LISTEN 1001/dovecot
udp 0 0 0.0.0.0:47967 0.0.0.0:* 460/avahi-daemon: r
udp 0 0 127.0.0.1:123 0.0.0.0:* 472/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 472/ntpd
udp6 0 0 :::123 :::* 472/ntpd
The options used in this command have the following meaning:
- -t – Show TCP ports.
- -u – Show UDP ports.
- -l – Show only listening ports.
- -n – Show numerical addresses instead of resolving hosts.
- -p – Show the PID and name of the listener's process. This information is only shown if you run the command as root or sudo user.
The essential columns in our case are:
- Proto – The protocol used by the socket.
- Local Address – The IP Address and port number the process listens to.
- PID/Program name – The PID and the name of the process.
In addition, if you want to filter the results, use the grep command. For example, to find what process listens on TCP port 22, you would type:
$ sudo netstat -tulnp | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 768/sshd
tcp6 0 0 :::22 :::* LISTEN 768/sshd
If the output is empty, nothing is listening on the port. For more about the netstat command in Linux, consult its manual page.
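The netstat listing above is easy to read by eye but awkward to script against, because the PID/Program name column shifts left by one for UDP sockets (there is no State column) and may itself contain spaces, and because IPv6 local addresses contain colons of their own. The following POSIX shell functions are an added example, not part of the original article: they parse that format and answer two questions a defender usually asks, namely which program owns a given port, and which listeners are bound to all interfaces (0.0.0.0 or ::) and are therefore reachable from the network rather than only from localhost. The sample output is constructed from the listing above and embedded so the script runs without netstat installed; on a live host, netstat_output would run the real command.

```shell
#!/bin/sh
# Added example: parse `netstat -tulnp` output. SAMPLE is a constructed
# excerpt modelled on the article's listing, not output from a real host.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 24919/amavisd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 768/sshd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 800/tinyproxy
tcp6 0 0 :::3306 :::* LISTEN 823/mysqld
tcp6 0 0 ::1:783 :::* LISTEN 24911/spamd.pid -d
tcp6 0 0 :::22 :::* LISTEN 768/sshd
udp 0 0 0.0.0.0:47967 0.0.0.0:* 460/avahi-daemon: r
udp 0 0 127.0.0.1:123 0.0.0.0:* 472/ntpd'

# On a live system replace the body with: sudo netstat -tulnp
netstat_output() { printf '%s\n' "$SAMPLE"; }

# awk code shared by both functions. It splits "Local Address" into address
# and port (IPv6 addresses contain ':' themselves, so the port is the text
# after the LAST colon) and rebuilds the PID/Program name, which starts at
# field 7 for TCP (State column present) but field 6 for UDP, and may itself
# contain spaces ("460/avahi-daemon: r").
AWK_SPLIT='
function parse(    n, a, i) {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    first = ($1 ~ /^tcp/) ? 7 : 6
    prog = $first
    for (i = first + 1; i <= NF; i++) prog = prog " " $i
}'

# Print "proto pid/program" for every socket listening on the given port.
# Prints nothing when the port is not in use.
listener_for_port() {
    netstat_output | awk -v p="$1" "$AWK_SPLIT"'
        $1 ~ /^(tcp|udp)6?$/ { parse(); if (port == p) print $1, prog }'
}

# Print "proto port pid/program" for listeners bound to every interface,
# i.e. the ones reachable from other hosts unless a firewall filters them.
exposed_listeners() {
    netstat_output | awk "$AWK_SPLIT"'
        $1 ~ /^(tcp|udp)6?$/ { parse()
            if (addr == "0.0.0.0" || addr == "::") print $1, port, prog }'
}

echo "== who listens on port 22 =="; listener_for_port 22
echo "== listeners reachable from the network =="; exposed_listeners
```

Loopback-only services such as amavisd on 127.0.0.1:10024 and spamd on ::1:783 are deliberately left out of the exposed list: they are listening, but only local processes can reach them, which is the distinction the article draws between a listening port and an open one.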
Check for Open Ports with lsof
Lsof, meaning ‘LiSt Open Files,’ is used to find out which files are open by which process. In Linux, everything is a file. You can think of a socket as a file that writes to the network.
To get a list of all listening TCP ports with lsof type:
$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 768 root 3u IPv4 16112 0t0 TCP *:22 (LISTEN)
sshd 768 root 4u IPv6 16114 0t0 TCP *:22 (LISTEN)
httpd 781 root 4u IPv6 16328 0t0 TCP *:80 (LISTEN)
httpd 781 root 6u IPv6 16336 0t0 TCP *:443 (LISTEN)
tinyproxy 800 tinyproxy 0u IPv4 16750 0t0 TCP *:8080 (LISTEN)
tinyproxy 805 tinyproxy 0u IPv4 16750 0t0 TCP *:8080 (LISTEN)
mysqld 823 mysql 20u IPv6 17479 0t0 TCP *:3306 (LISTEN)
pure-ftpd 844 root 4u IPv4 16289 0t0 TCP *:21 (LISTEN)
pure-ftpd 844 root 5u IPv6 16290 0t0 TCP *:21 (LISTEN)
master 967 root 13u IPv4 17225 0t0 TCP *:25 (LISTEN)
master 967 root 103u IPv4 17319 0t0 TCP 127.0.0.1:10025 (LISTEN)
dovecot 1001 root 24u IPv4 18600 0t0 TCP *:995 (LISTEN)
dovecot 1001 root 37u IPv6 18623 0t0 TCP *:993 (LISTEN)
httpd 24344 apache 4u IPv6 16328 0t0 TCP *:80 (LISTEN)
httpd 24344 apache 6u IPv6 16336 0t0 TCP *:443 (LISTEN)
/usr/bin/ 24911 root 5u IPv4 25208447 0t0 TCP 127.0.0.1:783 (LISTEN)
/usr/bin/ 24911 root 6u IPv6 25208449 0t0 TCP [::1]:783 (LISTEN)
spamd 24913 root 5u IPv4 25208447 0t0 TCP 127.0.0.1:783 (LISTEN)
spamd 24913 root 6u IPv6 25208449 0t0 TCP [::1]:783 (LISTEN)
/usr/sbin 24919 amavis 5u IPv4 25208583 0t0 TCP 127.0.0.1:10024 (LISTEN)
/usr/sbin 24919 amavis 6u IPv6 25208584 0t0 TCP [::1]:10024 (LISTEN)
smtpd 28403 postfix 6u IPv4 17225 0t0 TCP *:25 (LISTEN)
smtpd 28403 postfix 7u IPv6 17226 0t0 TCP *:25 (LISTEN)
The options used are as follows:
- -n – Do not convert port numbers to port names.
- -P – Do not resolve hostnames, show numerical addresses.
- -iTCP -sTCP:LISTEN – Show only network files with TCP state LISTEN.
To find what process is listening on a particular port, for example, port 3306, you would use:
$ sudo lsof -nP -iTCP:3306 -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 823 mysql 20u IPv6 17479 0t0 TCP *:3306 (LISTEN)
The output shows that the MySQL server uses port 3306.
For more about the lsof command in Linux, consult its manual page.
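Unlike netstat -p, which reports one PID per socket, lsof prints a line for every process that holds the socket open, so a forked server such as httpd or tinyproxy shows the same port several times. The DEVICE column (the socket inode) tells them apart: identical values are one socket inherited by several processes. The functions below are an added example, not part of the original article; they collapse the listing to distinct sockets and also list the ports held by root-owned processes, a quick check for services that never dropped privileges after binding. The sample is constructed from the lsof output above; on a live host, lsof_output would run the command itself.

```shell
#!/bin/sh
# Added example: make sense of `lsof -nP -iTCP -sTCP:LISTEN` output.
# SAMPLE is a constructed excerpt modelled on the article's listing.
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 768 root 3u IPv4 16112 0t0 TCP *:22 (LISTEN)
httpd 781 root 4u IPv6 16328 0t0 TCP *:80 (LISTEN)
httpd 781 root 6u IPv6 16336 0t0 TCP *:443 (LISTEN)
tinyproxy 800 tinyproxy 0u IPv4 16750 0t0 TCP *:8080 (LISTEN)
tinyproxy 805 tinyproxy 0u IPv4 16750 0t0 TCP *:8080 (LISTEN)
mysqld 823 mysql 20u IPv6 17479 0t0 TCP *:3306 (LISTEN)
httpd 24344 apache 4u IPv6 16328 0t0 TCP *:80 (LISTEN)
httpd 24344 apache 6u IPv6 16336 0t0 TCP *:443 (LISTEN)'

# On a live system replace the body with: sudo lsof -nP -iTCP -sTCP:LISTEN
lsof_output() { printf '%s\n' "$SAMPLE"; }

# One line per distinct listening socket: "name inode: pid pid ...".
# Field 6 is DEVICE (the socket inode), field 2 the PID, field 9 the NAME.
# Rows sharing an inode are the same socket inherited by forked workers.
distinct_sockets() {
    lsof_output | awk 'NR > 1 {
        if (!($6 in pids)) { order[++n] = $6; name[$6] = $9; pids[$6] = $2 }
        else if (index(" " pids[$6] " ", " " $2 " ") == 0) pids[$6] = pids[$6] " " $2
    }
    END { for (i = 1; i <= n; i++) print name[order[i]], order[i] ":", pids[order[i]] }'
}

# Ports whose listening socket is held by a root-owned process (field 3 is
# USER). A service still running as root after start-up has not dropped
# privileges and deserves a second look.
root_listeners() {
    lsof_output | awk 'NR > 1 && $3 == "root" { print $9 }' | sort -u
}

# Number of distinct listening sockets, i.e. what netstat -p would show.
socket_count() { distinct_sockets | wc -l | tr -d ' '; }

echo "== distinct sockets =="; distinct_sockets
echo "== ports held by root =="; root_listeners
```

In the sample, httpd's two sockets are held by both the root master (PID 781) and the apache worker (PID 24344), which is the normal pre-fork pattern; the output makes that explicit instead of leaving four httpd lines to interpret.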
Check for Open Ports with nmap
Nmap, or Network Mapper, is an open-source Linux command-line tool for network exploration and security auditing. With nmap, server administrators can quickly reveal hosts and services, search for security issues, and scan open ports.
The nmap command can be used to check whether a single port or a range of ports is open.
Here’s how to scan port 80 on the target system:
$ sudo nmap -p 80 192.168.0.1
Nmap scan report for 192.168.0.1
Host is up (0.000073s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Scan ports 1 through 200 on the target system:
$ sudo nmap -p 1-200 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:42 EEST
Nmap scan report for 192.168.0.1
Host is up (0.0000080s latency).
Not shown: 196 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
Scan (fast) the most common ports:
$ sudo nmap -F 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:44 EEST
Nmap scan report for 192.168.0.1
Host is up (0.000014s latency).
Not shown: 89 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
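netstat and lsof show what is bound on the host; nmap shows what is actually reachable through the firewall from where the scan runs. Comparing the scan against an allowlist of ports the host is supposed to expose turns a one-off check into a repeatable one. The script below is an added example, not part of the original article: it extracts the open ports from nmap's normal output and reports both unexpected open ports and allowed ports that are not open. The scan text is constructed from the nmap -F output above, and the allowlist is an assumed example; on a live host the SCAN variable would hold the output of sudo nmap -F against the target.

```shell
#!/bin/sh
# Added example: compare an nmap scan against an allowlist of ports that are
# supposed to be reachable. SCAN is a constructed excerpt modelled on the
# article's `nmap -F` output; live: SCAN="$(sudo nmap -F 192.168.0.1)".
SCAN='Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:44 EEST
Nmap scan report for 192.168.0.1
Host is up (0.000014s latency).
Not shown: 89 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
3306/tcp open mysql
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds'

# Ports this host is expected to expose (constructed allowlist for the example).
EXPECTED='22/tcp 25/tcp 80/tcp 443/tcp'

# Print "port/proto" for every line nmap reports as open. Matching on a
# leading /^open/ also catches "open|filtered", which nmap prints for UDP
# ports when it cannot tell the two states apart.
open_ports() {
    printf '%s\n' "$SCAN" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1 }'
}

# Open ports absent from the allowlist: each is either an undocumented
# service or a firewall rule that is missing.
unexpected_ports() {
    for p in $(open_ports); do
        case " $EXPECTED " in
            *" $p "*) ;;            # allowed, nothing to report
            *) echo "$p" ;;
        esac
    done
}

# Allowed ports that are NOT open: a service is down or a firewall path broke.
missing_ports() {
    open="$(open_ports)"
    for p in $EXPECTED; do
        case " $(printf '%s ' $open)" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

echo "== open but not allowed =="; unexpected_ports
echo "== allowed but not open =="; missing_ports
```

With the sample scan and allowlist, the FTP, MySQL and proxy ports come back as unexpected: MySQL reachable from the network is exactly the kind of finding the article's Bottom Line is about, since the database only needs to listen on the address the application connects to.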
Bottom Line
In conclusion, checking which ports are open and what information can be obtained from the services accepting connections on those ports gives you the information you need to lock down your server.
For example, any extraneous information leaked out of your machine can be used by a malicious user to try to exploit known vulnerabilities or develop new ones. The less they can figure out, the better.