How to check for open ports on your Ubuntu server
Last updated: November 10th 2022
Introduction
This guide explains different methods to check for open ports on your Webdock server. An open port is a port on which some process or application is running and it can accept data. In this guide we will use different tools to find out which ports are open.
An open port is defined as a port which has a service listening and accepting connections. You may find that you have services listening on ports which despite this are not accessible from the internet. This is what your firewall does: Block access to ports which you haven't explicitly allowed access to. For a guide on managing your firewall, take a look at our UFW guide here.
Prerequisites
- Webdock cloud Ubuntu instance (18.04 or later)
- You have shell access to your VPS
The difference between addresses
It matters whether a service is listening to a port on 127.0.0.1 (localhost) or if it is listening on 0.0.0.0 - typically what this means is that a service listening on localhost is only accessible from the host machine itself and not the wider internet. If you see a service listening on all interfaces (*) or 0.0.0.0 then the service is accessible from the internet - unless actively firewalled, which you will need to check for in Iptables or by running "ufw status" if you use UFW to manage your firewall.
Check for open ports using nmap
Network mapper or nmap is an open source tool used to scan networks and find open ports on a host. The following command will scan all the ports on the host.
$ sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 06:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
In order to check a specific port whether it is open or not, use the -p option to specify the port.
$ sudo nmap -p 80 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 06:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Be careful using nmap as if you accidentally start scanning the entire network, you risk that your IP address will be banned.
Check for open ports using lsof
The lsof (list open files) command, as name suggests, is used to list all the open files in linux. These files may be network sockets, disk files or devices opened by different processes. Use the lsof command along with the -nP options to list all open sockets.
$ sudo lsof -nP | grep LISTEN
...snip...
redis-ser 511 513 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 513 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
redis-ser 511 515 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 515 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
redis-ser 511 517 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 517 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
...snip...
List only the TCP open sockets.
$ sudo lsof -i tcp
...snip...
pure-ftpd 303 root 4u IPv4 662259745 0t0 TCP *:ftp (LISTEN)
pure-ftpd 303 root 5u IPv6 662259746 0t0 TCP *:ftp (LISTEN)
sshd 304 root 3u IPv4 662258731 0t0 TCP *:ssh (LISTEN)
sshd 304 root 4u IPv6 662258733 0t0 TCP *:ssh (LISTEN)
..snip...
For UDP open sockets, use the following command.
$ sudo lsof -i udp
systemd-r 254 systemd-resolve 12u IPv4 662203276 0t0 UDP localhost:domain
Check for open ports using netstat
The netstat (network statistic) command can be used to monitor and scan networks. Get a list of all tcp and udp open ports using the netstat command.
$ sudo netstat -l
...snip...
tcp 0 0 localhost:27017 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
tcp 0 0 localhost:11211 0.0.0.0:* LISTEN
...snip...
List TCP ports only.
$ sudo netstat -lt
...snip...
tcp 0 0 localhost:27017 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
tcp 0 0 localhost:11211 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ftp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
...snip...
For UDP ports only.
$ sudo netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:domain 0.0.0.0:*
Check open ports using ss
The ss command is used to list detailed information of the network sockets. It provides more detailed information than the netstat command. List all the listening ports on a linux system.
$ sudo ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:systemd/1 *
nl UNCONN 0 0 rtnl:kernel *
nl UNCONN 0 0 rtnl:systemd-resolve/254 *
nl UNCONN 0 0 rtnl:systemd-resolve/254 *
nl UNCONN 0 0 rtnl:systemd/1 *
...snip...
To list only TCP listening ports, use the -lt flag.
$ sudo ss -lt
...snip...
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 511 0.0.0.0:https 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 70 127.0.0.1:mysql 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
...snip...
For UDP listening ports, use the -lu flag.
$ sudo ss -lu
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
Conclusion
There are different tools available to monitor open ports on your server. In this guide we discussed how we can check for open ports on Webdock server using different command line tools like nmap, ss, netstat and lsof.
Related articles
-
Server Security Checklist
In this article we list a number of things you should check if you are setting up a server from scratch as well as a few things which can enhance security on our Perfect Server Stacks.
Last updated: November 10th 2022
-
How to work with your firewall (UFW - Uncomplicated Firewall)
In this article we show how UFW - or Uncomplicated Firewall - works along with common commands and usage examples.
Last updated: January 10th 2024
-
SSH Security Configuration Settings
This article lists various settings for the SSH Daemon which impact server security.
Last updated: February 1st 2024
-
How to configure Fail2Ban for common services
How fail2ban can be configured for common services as well as how to utilize the fail2ban CLI tools to check status of various jails, unbanning users and more.
Last updated: August 22nd 2023
-
How to Secure Nginx with Naxsi Firewall on Ubuntu 18.04 VPS
This Article describes how you can set up and configure Naxsi firewall on a Webdock LEMP stack on Ubuntu Bionic 18.04.
Last updated: November 10th 2022
-
How to Secure Nginx with Naxsi Firewall on Ubuntu 20.04 VPS
This Article describes how you can set up and configure Naxsi firewall on a Webdock LEMP stack on Ubuntu Focal 20.04.
Last updated: March 8th 2024
-
How to configure Security Headers in Nginx and Apache
Here we outline which security headers are important to set in different scenarios in Nginx and Apache.
Last updated: November 10th 2022
-
How to enable Encryption for MariaDB
Enable Encryption of your database data with MariaDB as well as force all new tables created to be encrypted.
Last updated: October 29th 2024
-
How to Scan Your Webdock Server for Malware and Virus
This guide provides basic step-by-step instructions to install various tools to scan your server for malware and viruses.
Last updated: July 19th 2023
-
How To Use Our Free BotGuard Bot Protection
In this article we show you how to activate and use our Free BotGuard Bot Protection which is included for free with all our VPS servers.
Last updated: November 4th 2024
-
Enhancing Nginx Security with IP Filtering and Password
A guide to enhance Nginx security with IP filtering (specific IP, and, IP ranges) and Password
Last updated: November 25th 2023
-
Securing Ubuntu: How to Detect System Vulnerabilities
Detect system vulnerabilities using Vuls
Last updated: December 20th 2023
-
Secure VPS Communication with SSL and UFW
A detailed guide to securely your communicate with your servers without requiring a VLAN setup.
Last updated: March 4th 2024
-
Configuring UFW and Fail2Ban to Mitigate Basic DDos Attacks
Instructions to protect your server from basic DDos attacks using UFW and Fail2Ban
Last updated: May 28th 2024