How to Check for Open Ports in Linux with netstat, lsof and nmap

How To Check For Open Ports in Linux With netstat, lsof, And nmap

This article explains how to check for open ports using netstat, lsof and nmap commands to find out which services are listening on which ports.

When troubleshooting network connectivity or application-specific issues, one of the first things to check should be what ports are actually in use on your system and which application is listening on a specific port.

Network port is identified by its number, the associated IP address, and type of the communication protocol, such as TCP or UDP. Above all, open port is a network port on which an application or process listens on, acting as a communication endpoint.

Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations.

Check for Open Ports with netstat

netstat (network statistics) is a command line tool for monitoring network connections both incoming and outgoing as well as viewing routing tables, interface statistics etc. This tool is very important and much useful for Linux network administrators as well as system administrators to monitor and troubleshoot their network-related problems and determine network traffic performance.

To list all TCP or UDP ports that are being listened on, including the services using the ports and the socket status use the following command:

$ sudo netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      24919/amavisd    
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      967/master   
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      800/tinyproxy       
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      967/master          
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      844/pure-ftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      768/sshd            
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      967/master          
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1001/dovecot  
tcp6       0      0 :::3306                 :::*                    LISTEN      823/mysqld       
tcp6       0      0 ::1:783                 :::*                    LISTEN      24911/spamd.pid -d  
tcp6       0      0 :::80                   :::*                    LISTEN      781/httpd         
tcp6       0      0 :::21                   :::*                    LISTEN      844/pure-ftpd 
tcp6       0      0 :::22                   :::*                    LISTEN      768/sshd            
tcp6       0      0 :::25                   :::*                    LISTEN      967/master        
tcp6       0      0 :::993                  :::*                    LISTEN      1001/dovecot        
tcp6       0      0 :::995                  :::*                    LISTEN      1001/dovecot        
udp        0      0 0.0.0.0:47967           0.0.0.0:*                           460/avahi-daemon: r 
udp        0      0 127.0.0.1:123           0.0.0.0:*                           472/ntpd            
udp        0      0 0.0.0.0:123             0.0.0.0:*                           472/ntpd     
udp6       0      0 :::123                  :::*                                472/ntpd 

The options used in this command have the following meaning:

  • -t: Show TCP ports.
  • -u: Show UDP ports.
  • -l: Show only listening ports.
  • -n: Show numerical addresses instead of resolving hosts.
  • -p: Show the PID and name of the listener’s process. This information is shown only if you run the command as root or sudo user.

The important columns in our case are:

  • Proto – The protocol used by the socket.
  • Local Address – The IP Address and port number on which the process listen to.
  • PID/Program name – The PID and the name of the process.

In addition, if you want to filter the results, use the grep command . For example, to find what process listens on TCP port 22 you would type:

$ sudo netstat -tulnp | grep :22
tcp     0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      768/sshd            
tcp6    0      0 :::22             :::*              LISTEN      768/sshd

If the output is empty it means that nothing is listening on the port.

Check for Open Ports with lsof

lsof meaning ‘LiSt Open Files’ is used to find out which files are open by which process. In Linux, everything is a file. You can think of a socket as a file that writes to the network.

To get a list of all listening TCP ports with lsof type:

$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND     PID      USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd        768      root    3u  IPv4    16112      0t0  TCP *:22 (LISTEN)
sshd        768      root    4u  IPv6    16114      0t0  TCP *:22 (LISTEN)
httpd       781      root    4u  IPv6    16328      0t0  TCP *:80 (LISTEN)
httpd       781      root    6u  IPv6    16336      0t0  TCP *:443 (LISTEN)
tinyproxy   800 tinyproxy    0u  IPv4    16750      0t0  TCP *:8080 (LISTEN)
tinyproxy   805 tinyproxy    0u  IPv4    16750      0t0  TCP *:8080 (LISTEN)
mysqld      823     mysql   20u  IPv6    17479      0t0  TCP *:3306 (LISTEN)
pure-ftpd   844      root    4u  IPv4    16289      0t0  TCP *:21 (LISTEN)
pure-ftpd   844      root    5u  IPv6    16290      0t0  TCP *:21 (LISTEN)
master      967      root   13u  IPv4    17225      0t0  TCP *:25 (LISTEN)
master      967      root  103u  IPv4    17319      0t0  TCP 127.0.0.1:10025 (LISTEN)
dovecot    1001      root   24u  IPv4    18600      0t0  TCP *:995 (LISTEN)
dovecot    1001      root   37u  IPv6    18623      0t0  TCP *:993 (LISTEN)
httpd     24344    apache    4u  IPv6    16328      0t0  TCP *:80 (LISTEN)
httpd     24344    apache    6u  IPv6    16336      0t0  TCP *:443 (LISTEN)
/usr/bin/ 24911      root    5u  IPv4 25208447      0t0  TCP 127.0.0.1:783 (LISTEN)
/usr/bin/ 24911      root    6u  IPv6 25208449      0t0  TCP [::1]:783 (LISTEN)
spamd     24913      root    5u  IPv4 25208447      0t0  TCP 127.0.0.1:783 (LISTEN)
spamd     24913      root    6u  IPv6 25208449      0t0  TCP [::1]:783 (LISTEN)
/usr/sbin 24919    amavis    5u  IPv4 25208583      0t0  TCP 127.0.0.1:10024 (LISTEN)
/usr/sbin 24919    amavis    6u  IPv6 25208584      0t0  TCP [::1]:10024 (LISTEN)
smtpd     28403   postfix    6u  IPv4    17225      0t0  TCP *:25 (LISTEN)
smtpd     28403   postfix    7u  IPv6    17226      0t0  TCP *:25 (LISTEN)

The options used are as follows:

  • -n: Do not convert port numbers to port names.
  • -P: Do not resolve hostnames, show numerical addresses.
  • -iTCP -sTCP:LISTEN: Show only network files with TCP state LISTEN.

To find what process is listening on a particular port, for example, port 3306 you would use:

$ sudo lsof -nP -iTCP:3306 -sTCP:LISTEN
COMMAND PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  823 mysql   20u  IPv6  17479      0t0  TCP *:3306 (LISTEN)

The output shows that MySQL server uses port 3306.

Check for Open Ports with nmap

nmap, or Network Mapper, is an open source Linux command line tool for network exploration and security auditing. With nmap, server administrators can quickly reveal hosts and services, search for security issues, and scan for open ports.

nmap commands can be used to scan a single port or a series of ports.

Scan port 80 on the target system:

$ sudo nmap -p 80 192.168.0.1
Nmap scan report for 192.168.0.1
Host is up (0.000073s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Scan ports 1 through 200 on the target system:

$ sudo nmap -p 1-200 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:42 EEST
Nmap scan report for 192.168.0.1
Host is up (0.0000080s latency).
Not shown: 196 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
25/tcp open  smtp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

Scan (Fast) the most common ports:

$ sudo nmap -F 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:44 EEST
Nmap scan report for 192.168.0.1
Host is up (0.000014s latency).
Not shown: 89 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds

Bottom Line

In conclusion, discovering which ports are open and what information can be obtained from the services accepting connections on those ports gives you the information that you need to lock down your server. For example, any extraneous information leaked out of your machine can be used by a malicious user to try to exploit known vulnerabilities or develop new ones. The less they can figure out, the better.

If this guide has helped you, please consider buying us a coffee.

Buy me a coffee!

Your support and encouragement are greatly appreciated!

Leave a Reply

Your email address will not be published.

Latest from Tips & Tricks