What is an Open Port?
This guide explains three easy methods to check for open ports on your Webdock server or any Linux VPS.
An open port is essentially a network communication endpoint where a running process or application listens for connections.
It is important to distinguish between listening ports and accessible ports. A service may be listening on a port, but your firewall might still block outside access to it. In this guide, we will use different tools to identify these listening ports so you can ensure your firewall is configured correctly. For a guide on managing your firewall, take a look at our UFW guide.
Prerequisites
- Webdock Cloud VPS – Ubuntu instance (18.04 or later)
- Shell access (SSH) to your VPS
Understanding Listening Interfaces (Localhost vs 0.0.0.0)
It is crucial to understand where a service is listening. The IP address displayed next to the port tells you who can connect to it:
- 127.0.0.1 (Localhost): If a service listens here, it is only accessible from the server itself. It cannot be reached from the outside internet.
- 0.0.0.0 (All Interfaces) or *: If you see this, the service is listening on all network interfaces. This means it is accessible from the internet unless explicitly blocked by a firewall.
Security Tip: If you see a sensitive service listening on 0.0.0.0, you must ensure it is protected by iptables or UFW. Check your firewall status by running sudo ufw status.
Method 1: Scan ports with Nmap
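Network Mapper, or nmap, is an open source tool used to scan networks and find open ports on a host. With no port option, the following command scans nmap's default set of the 1,000 most common TCP ports on the host, which is why the output below reports 995 closed ports alongside the five open ones. Because the target is localhost, services bound only to 127.0.0.1 are reported as open too.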
$ sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 06:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
To check whether a specific port is open, use the -p option to specify the port.
$ sudo nmap -p 80 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 06:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Be careful when using nmap: if you accidentally start scanning an entire network, you risk having your IP address banned.
Method 2: List listening sockets using lsof
The lsof (list open files) command, as the name suggests, lists all open files on Linux. These files may be network sockets, disk files or devices opened by different processes. Run lsof with the -nP options (-n skips hostname lookups, -P keeps port numbers numeric) and filter the output for LISTEN to show only listening sockets.
$ sudo lsof -nP | grep LISTEN
...snip...
redis-ser 511 513 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 513 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
redis-ser 511 515 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 515 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
redis-ser 511 517 redis-ser redis 6u IPv4 662257788 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 511 517 redis-ser redis 7u IPv6 662257789 0t0 TCP [::1]:6379 (LISTEN)
...snip...
List only the TCP open sockets.
$ sudo lsof -i tcp
...snip...
pure-ftpd 303 root 4u IPv4 662259745 0t0 TCP *:ftp (LISTEN)
pure-ftpd 303 root 5u IPv6 662259746 0t0 TCP *:ftp (LISTEN)
sshd 304 root 3u IPv4 662258731 0t0 TCP *:ssh (LISTEN)
sshd 304 root 4u IPv6 662258733 0t0 TCP *:ssh (LISTEN)
...snip...
For UDP open sockets, use the following command.
$ sudo lsof -i udp
systemd-r 254 systemd-resolve 12u IPv4 662203276 0t0 UDP localhost:domain
Method 3: Monitor network with netstat
The netstat (network statistics) command can be used to monitor and scan networks. Use the -l option to list all listening TCP and UDP ports.
$ sudo netstat -l
...snip...
tcp 0 0 localhost:27017 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
tcp 0 0 localhost:11211 0.0.0.0:* LISTEN
...snip...
List TCP ports only.
$ sudo netstat -lt
...snip...
tcp 0 0 localhost:27017 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
tcp 0 0 localhost:11211 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ftp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
...snip...
For UDP ports only.
$ sudo netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:domain 0.0.0.0:*
Method 4: Detailed socket stats with ss
The ss command lists detailed information about network sockets. It provides more detailed information than the netstat command. The following command lists all listening sockets on a Linux system.
$ sudo ss -l
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
nl UNCONN 0 0 rtnl:systemd/1 *
nl UNCONN 0 0 rtnl:kernel *
nl UNCONN 0 0 rtnl:systemd-resolve/254 *
nl UNCONN 0 0 rtnl:systemd-resolve/254 *
nl UNCONN 0 0 rtnl:systemd/1 *
...snip...
To list only TCP listening ports, use the -lt flag.
$ sudo ss -lt
...snip...
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 511 0.0.0.0:https 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 70 127.0.0.1:mysql 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
...snip...
For UDP listening ports, use the -lu flag.
$ sudo ss -lu
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
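To tie the ss output back to the localhost versus 0.0.0.0 distinction explained earlier, the script below is an added example (not part of the original guide) that sorts each TCP listener by its bind address and prints the ports worth comparing against your firewall rules. It assumes ss is run with -n so ports appear as numbers rather than service names; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `ss -ltn` output by bind address.

# Reads `ss -ltn` lines on stdin; prints "<scope> <address> <port>" per listener.
classify_listeners() {
    awk '
    $1 == "LISTEN" {                       # skips the header and non-LISTEN rows
        ep = $4                            # "Local Address:Port" column
        n = split(ep, parts, ":")
        port = parts[n]                    # text after the last colon
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        sub(/%.*$/, "", addr)              # drop interface suffix (127.0.0.53%lo)
        if (addr ~ /^127\./ || addr == "[::1]")
            scope = "LOOPBACK"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "ALL-INTERFACES"
        else
            scope = "SPECIFIC-ADDRESS"
        print scope, addr, port
    }'
}

# Unique ports bound to anything other than loopback: the list to compare
# against `sudo ufw status`.
exposed_ports() {
    classify_listeners | awk '$1 != "LOOPBACK" { print $3 }' | sort -nu | paste -sd ' ' -
}

# Constructed sample input (not captured from a real server).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       4096    127.0.0.1:27017      0.0.0.0:*
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       9       [::]:21              [::]:*
EOF
}

sample_ss_output | classify_listeners
echo "Ports to check against the firewall: $(sample_ss_output | exposed_ports)"
# On a live server: sudo ss -ltn | classify_listeners
```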
Conclusion
Monitoring open ports is a vital part of server security. In this guide, we explored how to check for open ports on a Webdock server using four standard command-line tools: nmap, lsof, netstat, and ss.
Regardless of which tool you prefer, always ensure that services listening on public interfaces (0.0.0.0) are intended to be public, or secured behind a firewall like UFW.
These commands work seamlessly across all Webdock plans, even our most affordable VPS hosting plan.