How to Check Open Ports in Linux

A port in Linux is like a door number on your house, if your house was a server. Whenever someone wants to connect to your server, it needs to specify to which port it wants to connect. Depending on the port number, the server will route the request to a specific application, that will then handle the request. For example, most websites on Linux use the Apache web server application, and when the server receives a secure SSL request from the browser to display a page, it routes to port number 443 at the backend. Non-secure HTTP requests, use port number 80 instead. If you try and connect to port 80 using a secure HTTP request, the server will generate an error.

In this article, I’ll show you how to check for open ports on your Linux server, and why it’s so important to practice port hygiene.

Methods to Check for Open Ports on Linux

There are several commands that you can use on Linux to check for open ports. Here are examples of all of them.

1. Using Netstat

Netstat is an older Linux command used for displaying network information. Even though it’s considered slower these days and less detailed than other tools, it serves perfectly well to display the open ports on Linux. Here’s the command you can use:

netstat -tuln

This command uses the following options:

• t – We use this to display TCP connections. Most Internet applications use this
• u – This displays UDP connections. UDP is used for faster applications, where reliability is less important.
• l – This option displays only “listening” sockets. These show the open ports.
• n – We use this to tell netstat to not bother with DNS lookups for the IP addresses and usernames. It just gives us the numerical information, which is what we’re looking for.

The above command generates the following output:

In the above screenshot, the open port numbers are found in the marked column after the colon (:). So it tells us that the following ports are open:

1. 53
2. 33060
3. 3306
4. 25
5. 22

Each of the above ports are used by specific applications. You shouldn’t share the above information about the open ports on your server publicly. I don’t mind doing it, because I use this server for testing purposes, and it doesn’t matter too much. But switching up your port numbers is a good way to harden your server, so you don’t want the details to be public.

2. Using ss

The second tool for checking open ports on Linux is ss. SS is a more detailed tool compared to netstat, and is also much faster. But to check open ports in Linux, there’s no difference between the two tools. SS is used to investigate sockets – which are a combination of ports and IP addresses. To use SS, type the following command:

ss -tuln

As you can see, the parameters to use with ss are the same that you use with netstat and have the same interpretation. Here’s a screenshot of the output of SS for checking open sockets:

Like netstat, the output is very similar as well.

Using lsof

The lsof command is very useful for not only checking open ports but also the processes and files associated with them. “lsof” stands for “List Open Files”. In Linux, everything is treated as a file – even processes, so this command is great for our purposes. Here’s the usage:

sudo lsof -i -P -n | grep LISTEN

The lsof command uses the following parameters:

• i – This parameter instructs Linux to restrict its output to those files that are associated with network activity. Since we’re not interested in other processes, this helps narrow the output and makes it easy for us to read.
• P – The “P” parameter requests lsof to retain the actual port numbers instead of linking them to the service files. As a result, we see “80” as the port number instead of “http”
• n – As with ss and netstat, “n” ensures that lsof doesn’t convert IP addresses into host names. This makes the tool faster as it doesn’t have to consult the DNS databases.
• | grep LISTEN – This command takes the output of lsof and only includes those entries including the word “LISTEN”. This ensures that we only get a list of services that are listening on a port. Grep is a useful tool for this kind of thing. Here’s a tutorial on how to use grep for multiple strings.

Running the above command gives you the following output:

Here, you can see not only the open ports on the system but also the processes that listen on them. For example, we see that the SSH service “sshd” uses the default port number 22 and that MySQL uses port numbers 3306 and 33060 for regular and document storage options respectively.

Which Common Ports do We Need to Open?

There are some very common ports in Linux that you need to ensure remain open for proper functionality. These are:

1. SSH port – typically 22
2. HTTP – 80
3. Secure HTTP – 443
4. SMTP – 25
5. POP3 – 110
6. IMAP – 143
7. FTP – 21
8. IMAP SECURE – 993
9. POP3 SECURE – 995
10. MYSQL – 3306 AND 33060

These are just some of the ports that need to be open. It’s often a good idea to change the default ports, particularly for sensitive protocols like SSH so that hackers will have a harder time breaking in.

Best Practices Regarding Open Ports

Given that ports are essentially doorways into your server, it’s important to follow best practices while handling them. Here are some.

Principle of Least Privilege

The principle of least privilege states that users and applications must be given the least number of privileges necessary to perform their tasks. This means, for example, not giving a user write permissions on a file when they only need to read from it. In the context of open ports in Linux, it refers to the notion of closing off all ports on the system that you don’t require to be open.

Many systems have default ports that are open, and which might need closing for your particular circumstances. For example, I’ve shut off the mail system on my server because I use a third-party service for mail functionality and I don’t need the associated mail ports to remain open.

Monitor your Traffic for Suspicious Activity

You can set up your firewall to monitor suspicious traffic. For example, I’ve set up a rate-limiting filter that alerts to me to sudden bursts of traffic from the same IP address and temporarily bans them from the server. Instead of banning, you might want to analyze the traffic instead, to see if it’s legit. Use the data logs to monitor the ports at which the traffic arrives and see if any of them are unnecessarily open.

Conclusion

Checking which ports are open in Linux is easy. Several tools will do the job. I like to use lsof, because it also gives me the file name of the service that is associated with the open port, and I can determine if I want to keep using that service, or not. It’s important to practice port hygiene and ensure that you only keep the minimum number of ports open, that are necessary to run your server.