We often have to check open ports on our Linux server to troubleshoot server problems, configure a firewall, and improve our server’s security. There are many third-party tools for this available in the market. In this article, we will show you how to use nmap, netstat, ss, and lsof commands to check the open ports and find out the applications associated with those ports.
1. nmap
Nmap or Network Mapper is an open-source tool available in Linux OS for checking open ports, scanning for security vulnerabilities, network auditing, etc. Nmap can also discover system information like operating system's version, MAC address, software version, etc.
If nmap is not installed on your Linux system, then you can install it by executing the following commands in the terminal:
For Ubuntu/Debian OS:
sudo apt install nmapFor Redhat/CentOS/Fedora:
sudo dnf install nmapSyntax: nmap [Scan Type...] [Options] [IP or Hostname]
Scan one or multiple ports
Using nmap command, you can scan one or multiple ports. Let us scan port 443 on the target machine.
sudo nmap example.com -p 443
root@debian-11:~# sudo nmap example.com -p 443
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 05:00 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0022s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 secondsScan ports 1 through 100 on your local system
sudo nmap -p 1-100 localhost
root@debian-11:~# sudo nmap -p 1-100 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 12:18 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040ss latency).
Not shown: 98 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 secondsScan a whole Subnet
Using nmap, you can scan a whole Subnet or IP range by providing * wildcard with them: sudo nmap 159.223.105.*
root@debian-11:~# sudo nmap 159:223:105.*
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 12:20 UTC
Nmap scan report for 159.223.105.0
Host is up (0.013s latency).
All 1000 scanned ports on 159.223.105.0 are filtered
MAC Address: FE:00:00:00:01:01 (Unknown)Nmap scan report for 159:223:105:1
Host is up (0.0025s latency).Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: FE:00:00:00:01:01 (Unknown)Nmap scan report for 159.223.105.2
Host is up (0.0036s latency).
All 1000 scanned ports on 159.223.105.2 are filtered
MAC Address: FE:00:00:00:01:01 (Unknown)Nmap scan report for 159:223:105:3
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: FE:00:00:00:01:01 (Unknown)
If you have many hostnames written in a text file, you can read that file using nmap. Let us now assume that you have a file myhost.txt like the one given below:
$ cat myhost.txt
example.com
ubuntu.com
debian.com
Then, run the below command for port scanning: nmap -iL myhost.txt
root@debian-11:~# nmap -iL myhost.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 11:50 UTC
Warning: 130.89.148.77 giving up on port because retransmission cap hit (10).
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0026s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 996 filtered posts
PORT STATE SERVICE
80/tcp open http
443/tcp open https
1119/tcp closed bnetgame
1935/tcp closed rtmpNmap scan report for ubuntu.com (189:125:190:29)
Host is up (0.069s latency).
Other addresses for ubuntu.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
rDNS record for 189:125:190:29: website-connect-cache-3.canonical.com
Not shown: 994 filtered posts
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
443/tcp open https
646/tcp filtered ldp
873/tcp open rsyncNmap scan report for debian.com (130:89:148:77)
Host is up (0.088s latency).
Other addresses for debian.com (not scanned): 2604:400a:ffff:bb8:80lf:3e 2001:4f8:1:c::
rDNS record for 130:89:148:77: klecker-misc.debian.org
Not shown: 989 filtered posts
PORT STATE SERVICE
25/tcp filtered smtp
Scan TCP and UDP
You can scan TCP and UDP ports separately.
Scan TCP: sudo nmap -sT domain_name/IP
root@debian-11:~# sudo nmap -sT example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:46 UTC
Stats: 0:00:03 elapsed; 0 hosts completed (1up), 1 undergoing Connect Scan
Connect Scan Timing: About 81.65% done; ETC: 06:46 (0:00:01 remaining)
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0023s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 996 filtered posts
PORT STATE SERVICE
80/tcp open http
443/tcp open https
1119/tcp closed bnetgame
1935/tcp closed rtmpNmap done: 1 IP Address (1 host up) scanned in 3.99 seconds
Scan UDP
sudo nmap -sU domain_name/IP
sudo nmap -sU example.com
root@debian-11:~# sudo nmap -sT example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:46 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0016s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 998 open|filtered ports
PORT STATE SERVICE
443/udp open https
33459/udp closed unknownNmap done: 1 IP Address (1 host up) scanned in 4.05 seconds
Scan TCP and UDP ports:
sudo nmap -n -PN -sT -sU -p- domain_name/IP
sudo nmap -n -PN -sT -sU -p- localhost
root@debian-11:~# sudo nmap -n -PN -sT -sU -p- localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:53 UTC
Nmap scan report for example.com (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 131065 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
5432/tcp open postgresql
323/udp open|filtered unknownNmap done: 1 IP Address (1 host up) scanned in 5.40 seconds
Nmap can be used externally as well, and is one of system administrators’ most reliable network scanning tools.
2. Netstat command
Netstat is a command-line tool that runs from an internal server and quickly provides information about network connections. You can use netstat to print all open ports, get PID services running on that port, and so on.
Run the below command in terminal to print all open ports:
sudo netstat -ltup
Here is what the command arguments mean:
- l : Show only listening ports.
- t : Show only TCP ports.
- u : Show only UDP ports.
- p : List process name that opened those ports.
root@debian-11:~# sudo netstat -ltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 761/sshd1: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 30709/node
tcp 0 0 localhost: PostgreSQL 0.0.0.0:* LISTEN 13993/postgres
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 31247/nginx: master
tcp6 0 0 [::]:ssh [::]:* LISTEN 761/sshd: /usr/sbin
upd 0 0 localhost:323 0.0.0.0:* 744/chronyd
upd6 0 0 ip6-localhost:323 [::]:* 744/chronydYou can use the grep command to find which application is listening on a particular port.
For example: sudo netstat -ltup | grep ssh
root@debian-11:~# sudo netstat -ltup | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 761/sshd: /usr/sbin
tcp 0 0 [::]:ssh [::]:* LISTEN 761/sshd: /usr/sbinThus, you can grep a specific port and find which application is bound with that port:
sudo netstat -lntup | grep ':3000'
root@debian-11:~# sudo netstat -lntup | grep ':3000'
tcp 0 0 0.0.0.0:”300 0.0.0.0:* LISTEN 30709/node
If you want to print out numeric values rather than program names, then execute the command as follows:
sudo netstat -lntup
root@debian-11:~# sudo netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 761/sshd1: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 30709/node
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 13993/postgres
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31247/nginx: master
tcp6 0 0 :::22 :::* LISTEN 761/sshd: /usr/sbin
upd 0 0 127.0.0.1:323 0.0.0.0:* 744/chronyd
upd6 0 0 ::1:323 : ::* 744/chronydIn this way, netstat is very effective for port scanning with the compulsion to execute the server’s netstat command.
3. The ss command
The ss command is very similar to netstat. Yet, one of the essential differences is that it is faster than netstat and gives you more detailed information than the netstat command. By simply running the ss command, one can get a detailed list of all connections.
sudo ssThe above command shows a list of all connections.
Next, you can check all open TCP sockets by running the following command in terminal:
sudo ss -tlpYou can check the difference between ss and netstat by executing both commands one by one as given below:
root@debian-11:~# netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 709/nginx: master p
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 700/sshd: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 695/node
tcp 0 0 localhost:postgresql 0.0.0.0:* LISTEN 717/postgres
tcp6 0 0 [::]:ssh [::]:* LISTEN 700/sshd: /usr/sbin
root@debian-11:~# ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:http 0.0.0.0:* users:((“nginx”,pid=710,fd=6),(“nginx”,pid=710,fd=6))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:((“sshd”, pid=700,fd=3))
LISTEN 0 511 0.0.0.0:3000 0.0.0.0:* users:((“node”, pid=695,fd=19))
LISTEN 0 244 127.0.0.1:postgresql 0.0.0.0:* users:((“node”, pid=717,fd=5))
LISTEN 0 128 [::]:ssh [::]:* users:((“sshd”, pid=700,fd=4))
Find ssh connections
With the ss command, you can easily find ssh connections by executing:
ss -t state established 'dport = :ssh or sport = :ssh'
root@debian-11:~# ss -t state established 'dport = :ssh or sport = :ssh'
Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 52 159.223.185.122:ssh 27.61.136.107.8584
0 0 159.223.185.122:ssh 218.92.0.205:61875
0 0 159.223.185.122:ssh 27.61.136.107.8593In short, the ss command is a modern replacement of the netstat command with speed and more details.
4. lsof command
lsof command available in most Linux distributions, which displays the list of open files. Run the below-given command to list all such network files: sudo lsof -i
root@debian-11:~# sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 695 wiki 18u IPv4 13156 0t0 TCP localhost:52450->localhost:postgresql (ESTABLISHED)
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 wiki 24u IPv4 13532 0t0 TCP localhost:52464->localhost:postgresql (ESTABLISHED)
chronyd 699 _chrony 5u IPv4 12854 0t0 UDP localhost:323
chronyd 699 _chrony 6u IPv6 12855 0t0 UDP ip6-localhost:323
sshd 700 root 3u IPv4 12905 0t0 TCP *:ssh (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:ssh (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:http (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:http (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP localhost:postgresql (LISTEN)
postgres 717 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 719 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 720 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 721 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 722 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 723 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 724 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
sshd 725 root 4u IPv4 13048 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8584 (ESTABLISHED)
postgres 745 postgres 7u IPv4 13020 0t0 UDP localhost:43609->localhost:43609
postgres 745 postgres 8u IPv4 13157 0t0 TCP localhost:postgresql->localhost:52450 (ESTABLISHED)
postgres 792 postgres 7u IPv4 13020 0t0 UDP localhost:43609->localhost:43609
postgres 792 postgres 8u IPv4 13534 0t0 TCP localhost:postgresql->localhost:52464 (ESTABLISHED)
sshd 819 root 4u IPv4 13664 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8593 (ESTABLISHED)
sshd 1837 root 4u IPv4 23465 0t0 TCP 159.223.105.122:ssh->218.92.0.205:18594 (ESTABLISHED)Check all LISTEN network ports
You can use -nP option with lsof command to check all LISTEN network ports:
sudo lsof -nP | grep LISTEN
root@debian-11:~# sudo lsof -nP | grep LISTEN
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 704 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 705 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 706 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 707 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 708 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 713 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 741 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 742 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 743 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 744 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
sshd 700 root 3u IPv4 12905 0t0 TCP *:22 (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:22 (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:80 (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:80 (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP 127.0.0.1:5432 (LISTEN)List TCP open ports
sudo lsof -i tcp
root@debian-11:~# sudo lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 695 wiki 18u IPv4 13156 0t0 TCP localhost:52450->localhost:postgresql (ESTABLISHED)
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 wiki 24u IPv4 13532 0t0 TCP localhost:52464->localhost:postgresql (ESTABLISHED)
sshd 700 root 3u IPv4 12905 0t0 TCP *:ssh (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:ssh (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:http (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:http (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP localhost:postgresql (LISTEN)
sshd 725 root 4u IPv4 13048 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8584 (ESTABLISHED)
postgres 745 postgres 8u IPv4 13157 0t0 TCP localhost:postgresql->localhost:52450 (ESTABLISHED)
postgres 792 postgres 8u IPv4 13534 0t0 TCP localhost:postgresql->localhost:52464 (ESTABLISHED)
sshd 819 root 4u IPv4 13664 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8593 (ESTABLISHED)
sshd 1885 root 4u IPv4 24176 0t0 TCP 159.223.105.122:ssh->218.181.185.159:48609 (ESTABLISHED)
sshd 1886 sshd 4u IPv4 24176 0t0 TCP 159.223.105.122:ssh->218.181.185.159:48609 (ESTABLISHED)Similarly, you can easily find out UDP ports by executing the following commands: sudo lsof -i udp
root@debian-11:~# sudo lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 699 _chrony 5u IPv4 12854 0t0 UDP localhost:323
chronyd 699 _chrony 6u IPv6 12855 0t0 UDP ip6-localhost:323
postgres 717 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 719 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 720 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609We figured out how to check open ports on the Linux server, find them and the applications related to them. You can do much more than just check for open ports using these commands.