Why

Ports are how applications, services, and processes communicate - either locally within your server or with other devices on the network. When applications like SSH or Apache run on your server, they listen for requests on specific ports. You want to know exactly which ports are open and what services are using them. Unknown open ports could indicate rogue or potentially dangerous services that need to be investigated.

Goals

  • Identify all non-localhost ports that are open and listening for connections
  • Verify that only expected services are listening on the network

Using ss to List Listening Ports

To see all ports listening for traffic:
sudo ss -lntup
Example output:
Netid  State      Recv-Q Send-Q     Local Address:Port     Peer Address:Port
udp    UNCONN     0      0                      *:68                  *:*        users:(("dhclient",pid=389,fd=6))
tcp    LISTEN     0      128                    *:22                  *:*        users:(("sshd",pid=4390,fd=3))
tcp    LISTEN     0      128                   :::22                 :::*        users:(("sshd",pid=4390,fd=4))

Switch Explanations

Switch   Description
-l       Display listening sockets
-n       Do not try to resolve service names
-t       Display TCP sockets
-u       Display UDP sockets
-p       Show process information

Understanding the Output

Each line in the output shows:
  • Netid - Protocol (tcp/udp)
  • State - Connection state (LISTEN, UNCONN)
  • Local Address:Port - Address and port the service is listening on
    • *:22 - Listening on all IPv4 interfaces on port 22
    • :::22 - Listening on all IPv6 interfaces on port 22
    • 127.0.0.1:25 - Only listening on localhost (loopback)
  • Peer Address - Remote connection details
  • users - Process name and PID using the port
Services listening only on 127.0.0.1 (localhost) are not accessible from the network and are generally less of a security concern.

What to Look For

When reviewing the output:
  1. Identify all listening ports: Make a list of all ports that are listening on network interfaces (not just localhost).
  2. Verify expected services: For each listening port, verify:
    • You know what service is using it
    • You expect that service to be running
    • You need that service to be accessible on the network
  3. Investigate suspicious entries: If you see:
    • Unknown ports
    • Unexpected processes
    • Services you don’t recognize
    • Ports that shouldn’t be open
    Investigate immediately and remediate as necessary.
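The three steps above can be automated against saved `ss -lntup` output: parse each line, skip loopback-only sockets, and compare the remaining network-facing listeners to an allowlist of expected (protocol, port, process) entries. This is an added example, not part of the original page; the sample output is constructed from the page's example plus two made-up lines (a loopback-only mail listener and an unexpected `java` process on 8080), and the EXPECTED allowlist is a hypothetical baseline you would replace with your own.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the page's `sudo ss -lntup` output.
# The last two lines are made-up entries added to exercise the checks.
SAMPLE_SS_OUTPUT = """\
Netid  State      Recv-Q Send-Q     Local Address:Port     Peer Address:Port
udp    UNCONN     0      0                      *:68                  *:*        users:(("dhclient",pid=389,fd=6))
tcp    LISTEN     0      128                    *:22                  *:*        users:(("sshd",pid=4390,fd=3))
tcp    LISTEN     0      128                   :::22                 :::*        users:(("sshd",pid=4390,fd=4))
tcp    LISTEN     0      128            127.0.0.1:25                  *:*        users:(("master",pid=812,fd=13))
tcp    LISTEN     0      128                    *:8080                *:*        users:(("java",pid=9001,fd=3))
"""

# Hypothetical baseline: network-facing (protocol, port) -> expected process name.
EXPECTED = {("tcp", 22): "sshd", ("udp", 68): "dhclient"}

Listener = namedtuple("Listener", "proto addr port proc pid")

# Extracts the first process name and PID from the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Turn raw `ss -lntup` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition splits on the last ':' so IPv6 forms like ':::22' or '[::]:22' work.
        addr, _, port = local.rpartition(":")
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(proto, addr, int(port), proc, pid))
    return listeners


def is_loopback(addr):
    """True for sockets bound only to the loopback interface (not reachable from the network)."""
    return addr in ("::1", "[::1]") or addr.startswith("127.")


def audit(listeners, expected=EXPECTED):
    """Return one finding per network-facing listener that is absent from or mismatches the allowlist."""
    findings = []
    for l in listeners:
        if is_loopback(l.addr):
            continue
        want = expected.get((l.proto, l.port))
        if want is None:
            findings.append(f"unexpected {l.proto}/{l.port} opened by {l.proc} (pid {l.pid})")
        elif want != l.proc:
            findings.append(f"{l.proto}/{l.port} expected {want} but found {l.proc} (pid {l.pid})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On a live system, feed the script the real output (for example `sudo ss -lntup > listeners.txt`) and treat every finding as a candidate for the "Taking Action" steps below.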

Common Ports and Services

Port   Service      Description
22     SSH          Secure Shell remote access
25     SMTP         Mail server
80     HTTP         Web server
443    HTTPS        Secure web server
3306   MySQL        Database server
5432   PostgreSQL   Database server
53     DNS          Domain name service

Additional ss Commands

# Show all established connections
sudo ss -tnp

# Show listening TCP ports only
sudo ss -lntp

# Show listening UDP ports only
sudo ss -lnup

# Show statistics
sudo ss -s

# Filter by specific port
sudo ss -lntp 'sport = :22'

# Show all connections to a specific port
sudo ss -tnp 'sport = :80'

Regular Auditing

Regularly audit your listening ports as part of your security routine. Run this check:
  • After installing new software
  • After system updates
  • As part of periodic security reviews
  • When investigating potential security issues

Taking Action

If you find unexpected services:
  1. Identify the service: Note the process name and PID
  2. Research: Determine what the service does and why it’s running
  3. Stop if unneeded:
    sudo systemctl stop service-name
    sudo systemctl disable service-name
  4. Remove if malicious:
    sudo apt remove package-name
  5. Configure firewall: Ensure your firewall blocks unexpected ports
Be careful when stopping services. Some system services are required for proper operation. Research before disabling.