try.directtry.direct

How to Check Open Ports On a Linux Server?

We often have to check open ports on our Linux server to troubleshoot server problems, configure a firewall, and improve our server’s security. There are many third-party tools for this available in the market. In this article, we will show you how to use nmap, netstat, ss, and lsof commands to check the open ports and find out the applications associated with those ports.


1. nmap


Nmap or Network Mapper is an open-source tool available in Linux OS for checking open ports, scanning for security vulnerabilities, network auditing, etc. Nmap can also discover system information like operating system's version, MAC address, software version, etc.

If nmap is not installed on your Linux system, then you can install it by executing the following commands in the terminal:


For Ubuntu/Debian OS:


sudo apt install nmap

bash


For Redhat/CentOS/Fedora:


sudo dnf install nmap

bash


Syntax: nmap [Scan Type...] [Options] [IP or Hostname]


Scan one or multiple ports


Using nmap command, you can scan one or multiple ports. Let us scan port 443 on the target machine.

Syntax: nmap <host/ip> -p <port>


nmap example.com -p 443

bash


root@debian-11:~# nmap example.com -p 443
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 05:00 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0022s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c8:1946
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Scan ports 1 through 100 on your local system

Syntax: nmap -p 1-100 localhost


nmap -p 1-100 localhost

bash


root@debian-11:~# nmap -p 1-100 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 12:18 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040ss latency).
Not shown: 98 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Scan a whole Subnet

Using nmap, you can scan a whole Subnet or IP range by providing * wildcard with them: sudo nmap 159.223.105.*


root@debian-11:~# sudo nmap 159:223:105.*
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 12:20 UTC
Nmap scan report for 159.223.105.0
Host is up (0.013s latency).
All 1000 scanned ports on 159.223.105.0 are filtered
MAC Address: FE:00:00:00:01:01 (Unknown)
Nmap scan report for 159:223:105:1
Host is up (0.0025s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: FE:00:00:00:01:01 (Unknown)
Nmap scan report for 159.223.105.2
Host is up (0.0036s latency).
All 1000 scanned ports on 159.223.105.2 are filtered
MAC Address: FE:00:00:00:01:01 (Unknown)
Nmap scan report for 159:223:105:3
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https


MAC Address: FE:00:00:00:01:01 (Unknown)

If you have many hostnames written in a text file, you can read that file using nmap. Let us now assume that you have a file myhost.txt like the one given below:


$ cat myhost.txt
example.com
ubuntu.com
debian.com


Then, run the below command for port scanning:


nmap -iL myhosts.txt

bash


root@debian-11:~# nmap -iL myhost.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-15 11:50 UTC
Warning: 130.89.148.77 giving up on port because retransmission cap hit (10).
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0026s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 996 filtered posts
PORT STATE SERVICE
80/tcp open http
443/tcp open https
1119/tcp closed bnetgame
1935/tcp closed rtmp
Nmap scan report for ubuntu.com (189:125:190:29)
Host is up (0.069s latency).
Other addresses for ubuntu.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
rDNS record for 189:125:190:29: website-connect-cache-3.canonical.com
Not shown: 994 filtered posts
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
443/tcp open https
646/tcp filtered ldp
873/tcp open rsync
Nmap scan report for debian.com (130:89:148:77)
Host is up (0.088s latency).
Other addresses for debian.com (not scanned): 2604:400a:ffff:bb8:80lf:3e 2001:4f8:1:c::
rDNS record for 130:89:148:77: klecker-misc.debian.org
Not shown: 989 filtered posts
PORT STATE SERVICE
25/tcp filtered smtp

Scan TCP and UDP

You can scan TCP and UDP ports separately.
Scan TCP: sudo nmap -sT domain_name/IP


nmap -sT example.com

bash


root@debian-11:~# sudo nmap -sT example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:46 UTC
Stats: 0:00:03 elapsed; 0 hosts completed (1up), 1 undergoing Connect Scan
Connect Scan Timing: About 81.65% done; ETC: 06:46 (0:00:01 remaining)
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0023s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 996 filtered posts
PORT STATE SERVICE
80/tcp open http
443/tcp open https
1119/tcp closed bnetgame
1935/tcp closed rtmp
Nmap done: 1 IP Address (1 host up) scanned in 3.99 seconds

Scan UDP


Syntax: sudo nmap -sU domain_name/IP


nmap -sU example.com

bash


root@debian-11:~# sudo nmap -sT example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:46 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.0016s latency).
Other addresses for example.com (not scanned): 2606:2800:220:1:248:1893:25c81:1946
Not shown: 998 open|filtered ports
PORT STATE SERVICE
443/udp open https
33459/udp closed unknown
Nmap done: 1 IP Address (1 host up) scanned in 4.05 seconds

Scan TCP and UDP ports:


sudo nmap -n -PN -sT -sU -p- domain_name/IP
sudo nmap -n -PN -sT -sU -p- localhost


nmap -n -PN -sT -sU -p- localhost

bash


root@debian-11:~# nmap -n -PN -sT -sU -p- localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 06:53 UTC
Nmap scan report for example.com (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 131065 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
5432/tcp open postgresql
323/udp open|filtered unknown
Nmap done: 1 IP Address (1 host up) scanned in 5.40 seconds

Nmap can be used externally as well, and is one of system administrators’ most reliable network scanning tools.


2. Netstat command


Netstat is a command-line tool that runs from an internal server and quickly provides information about network connections. You can use netstat to print all open ports, get PID services running on that port, and so on.

Run the below command in terminal to print all open ports:

Syntax: sudo netstat -ltup

Here is what the command arguments mean:
- l : Show only listening ports.
- t : Show only TCP ports.
- u : Show only UDP ports.

- p : List process name that opened those ports.


netstat -ltup

bash


root@debian-11:~# netstat -ltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 761/sshd1: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 30709/node
tcp 0 0 localhost: PostgreSQL 0.0.0.0:* LISTEN 13993/postgres
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 31247/nginx: master
tcp6 0 0 [::]:ssh [::]:* LISTEN 761/sshd: /usr/sbin
upd 0 0 localhost:323 0.0.0.0:* 744/chronyd
upd6 0 0 ip6-localhost:323 [::]:* 744/chronyd

You can use the grep command to find which application is listening on a particular port.

For example: netstat -ltup | grep ssh


netstat -ltup | grep ssh

bash


root@debian-11:~# netstat -ltup | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 761/sshd: /usr/sbin
tcp 0 0 [::]:ssh [::]:* LISTEN 761/sshd: /usr/sbin

Thus, you can grep a specific port and find which application is bound with that port:
netstat -lntup | grep ':3000'


netstat -lntup | grep ':3000'

bash


root@debian-11:~# netstat -lntup | grep ':3000'
tcp 0 0 0.0.0.0:”300 0.0.0.0:* LISTEN 30709/node


If you want to print out numeric values rather than program names, then execute the command as follows:
sudo netstat -lntup


netstat -lntup

bash


root@debian-11:~# sudo netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 761/sshd1: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 30709/node
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 13993/postgres
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31247/nginx: master
tcp6 0 0 :::22 :::* LISTEN 761/sshd: /usr/sbin
upd 0 0 127.0.0.1:323 0.0.0.0:* 744/chronyd
upd6 0 0 ::1:323 : ::* 744/chronyd

In this way, netstat is very effective for port scanning with the compulsion to execute the server’s netstat command.


3. The ss command


The ss command is very similar to netstat. Yet, one of the essential differences is that it is faster than netstat and gives you more detailed information than the netstat command. By simply running the ss command, one can get a detailed list of all connections.

ss

bash


The above command shows a list of all connections.
Next, you can check all open TCP sockets by running the following command in terminal:

sudo ss -tlp

bash


You can check the difference between ss and netstat by executing both commands one by one as given below:


root@debian-11:~# netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 709/nginx: master p
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 700/sshd: /usr/sbin
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 695/node
tcp 0 0 localhost:postgresql 0.0.0.0:* LISTEN 717/postgres
tcp6 0 0 [::]:ssh [::]:* LISTEN 700/sshd: /usr/sbin

root@debian-11:~# ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:http 0.0.0.0:* users:((“nginx”,pid=710,fd=6),(“nginx”,pid=710,fd=6))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:((“sshd”, pid=700,fd=3))
LISTEN 0 511 0.0.0.0:3000 0.0.0.0:* users:((“node”, pid=695,fd=19))
LISTEN 0 244 127.0.0.1:postgresql 0.0.0.0:* users:((“node”, pid=717,fd=5))
LISTEN 0 128 [::]:ssh [::]:* users:((“sshd”, pid=700,fd=4))

Find ssh connections


With the ss command, you can easily find ssh connections by executing:


ss -t state established 'dport = :ssh or sport = :ssh'

bash


root@debian-11:~# ss -t state established 'dport = :ssh or sport = :ssh'
Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 52 159.223.185.122:ssh 27.61.136.107.8584
0 0 159.223.185.122:ssh 218.92.0.205:61875
0 0 159.223.185.122:ssh 27.61.136.107.8593

In short, the ss command is a modern replacement of the netstat command with speed and more details.


4. lsof command


lsof command available in most Linux distributions, which displays the list of open files. Run the below-given command to list all such network files:


sudo lsof -i

bash


root@debian-11:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 695 wiki 18u IPv4 13156 0t0 TCP localhost:52450->localhost:postgresql (ESTABLISHED)
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 wiki 24u IPv4 13532 0t0 TCP localhost:52464->localhost:postgresql (ESTABLISHED)
chronyd 699 _chrony 5u IPv4 12854 0t0 UDP localhost:323
chronyd 699 _chrony 6u IPv6 12855 0t0 UDP ip6-localhost:323
sshd 700 root 3u IPv4 12905 0t0 TCP *:ssh (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:ssh (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:http (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:http (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP localhost:postgresql (LISTEN)
postgres 717 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 719 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 720 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 721 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 722 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 723 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 724 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
sshd 725 root 4u IPv4 13048 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8584 (ESTABLISHED)
postgres 745 postgres 7u IPv4 13020 0t0 UDP localhost:43609->localhost:43609
postgres 745 postgres 8u IPv4 13157 0t0 TCP localhost:postgresql->localhost:52450 (ESTABLISHED)
postgres 792 postgres 7u IPv4 13020 0t0 UDP localhost:43609->localhost:43609
postgres 792 postgres 8u IPv4 13534 0t0 TCP localhost:postgresql->localhost:52464 (ESTABLISHED)
sshd 819 root 4u IPv4 13664 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8593 (ESTABLISHED)
sshd 1837 root 4u IPv4 23465 0t0 TCP 159.223.105.122:ssh->218.92.0.205:18594 (ESTABLISHED)

Check all LISTEN network ports

You can use -nP option with lsof command to check all LISTEN network ports:


lsof -nP | grep LISTEN

bash


root@debian-11:~# lsof -nP | grep LISTEN
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 704 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 705 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 706 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 707 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 708 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 713 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 741 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 742 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 743 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 744 node wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
sshd 700 root 3u IPv4 12905 0t0 TCP *:22 (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:22 (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:80 (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:80 (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP 127.0.0.1:5432 (LISTEN)


List TCP open ports

Syntax: sudo lsof -i tcp


lsof -i tcp

bash


root@debian-11:~# lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 695 wiki 18u IPv4 13156 0t0 TCP localhost:52450->localhost:postgresql (ESTABLISHED)
node 695 wiki 19u IPv4 13520 0t0 TCP *:3000 (LISTEN)
node 695 wiki 24u IPv4 13532 0t0 TCP localhost:52464->localhost:postgresql (ESTABLISHED)
sshd 700 root 3u IPv4 12905 0t0 TCP *:ssh (LISTEN)
sshd 700 root 4u IPv6 12922 0t0 TCP *:ssh (LISTEN)
nginx 709 root 6u IPv4 12933 0t0 TCP *:http (LISTEN)
nginx 710 www-data 6u IPv4 12933 0t0 TCP *:http (LISTEN)
postgres 717 postgres 5u IPv4 13015 0t0 TCP localhost:postgresql (LISTEN)
sshd 725 root 4u IPv4 13048 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8584 (ESTABLISHED)
postgres 745 postgres 8u IPv4 13157 0t0 TCP localhost:postgresql->localhost:52450 (ESTABLISHED)
postgres 792 postgres 8u IPv4 13534 0t0 TCP localhost:postgresql->localhost:52464 (ESTABLISHED)
sshd 819 root 4u IPv4 13664 0t0 TCP 159.223.105.122:ssh->27.61.136.107:8593 (ESTABLISHED)
sshd 1885 root 4u IPv4 24176 0t0 TCP 159.223.105.122:ssh->218.181.185.159:48609 (ESTABLISHED)
sshd 1886 sshd 4u IPv4 24176 0t0 TCP 159.223.105.122:ssh->218.181.185.159:48609 (ESTABLISHED)

Similarly, you can easily find out UDP ports by executing the following commands: sudo lsof -i udp


lsof -i udp

bash


root@debian-11:~# lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 699 _chrony 5u IPv4 12854 0t0 UDP localhost:323
chronyd 699 _chrony 6u IPv6 12855 0t0 UDP ip6-localhost:323
postgres 717 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 719 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609
postgres 720 postgres 7u IPv4 13020 0t0 TCP localhost:43609->localhost:43609

We figured out how to check open ports on the Linux server, find them and the applications related to them. You can do much more than just check for open ports using these commands.