If you wanted to know what you need to do to list all of the open ports in a Linux instance you’ve come to the right place. But, what is a port and why would you want to have a list of all the open ports?
In short, a port is an access point that an operating system makes available so that it can facilitate network traffic with other devices or servers, while also differentiating the traffic in order to understand what service or app the traffic is being sent to.
There are two common protocols when it comes to ports: TCP, or the transmission control protocol; and of course, UDP – the user datagram protocol. Each of these protocols have a range of port numbers which is commonly classified into three groups:
Linux System Ports
Also known as “well-known” ports. These are port numbers from 0 to 1023 which are considered important for typical system use, commonly these ports are considered quite critical for ensuring ongoing communications services.
Linux User Ports
Also know as “registered ports” which range from 1024 to 49151. It is possible to send a request to the Internet Assigned Numbers Authority (IANA) to request retention of one of these ports for your application.
Linux Private Ports
Also known as “dynamic ports” range from 49152 to 65535. These ports are open for whatever use case you deem privately necessary and so are dynamic in nature – they are not fixed to specific applications.
Now, even though many ports have specific uses, it is important to keep an eye on ports which are “open” without the need for that port to be open. This is because ports that are unnecessarily left open can be a security risk – and also a sign that an intrusion is actively occurring.
Understanding which ports are open and “listening” for communications is therefore absolutely crucial to ensuring that you block efforts to break into your systems. Of course, some common ports need to be left open in order to facilitate ordinary internet communications. For example:
- FTP (the file transfer protocol) uses port 20 for data transfers
- Likewise, FTP uses port 21 to issue commands and to control the FTP session
- Port 22 is dedicated to SSH, or secure shell login
- Telnet uses port 23 to facilitate remote logins but this port entails unencrypted messaging which is not secure so it’s not really recommended for use
- E-mail routing via SMTP (the simple mail transfer protocol) is achieved on port 25
- Port 43 is dedicated to the WHOIS system which can check who owns a domain
- The domain name service (DNS) makes use of port 53
- DHCP uses port 67 as the server port, and port 68 as the client port
- HTTP, the hypertext transfer protocol, uses port 80 to deliver web pages
- POP3, the e-mail centric “post office protocol” uses port 110
- Port 119 is used by the news transfer protocol, NNTP
- The network time protocol, NTP, uses port 123
- IMAP, another email protocol, makes use of port 143 to retrieve email messages
- SNP or the simple network management protocol uses port 161
- Port 194 is dedicated to IRC, the internet relay chat app
- Port 443 is dedicated to HTTPS, the secure version of HTTP delivered over TLS/SSL
- SMTP, the simple mail transfer protocol, uses port 587 to submit emails
It is often possible to configure a specific service to use a port which is not the standard port, but this configuration needs to be made on both the sender and recipient side – in other words, on both client and server. Otherwise if only one side uses a non-standard port configuration communication won’t be possible.
How do you get a simple list of common ports that are open? Use this command:
$ cat /etc/services
Alternatively, you can modify the size of the list you get by adding “less” to your command
$ cat /etc/services | less
However, you can use a range of other commands on a Linux machine which will give you all the TCP and the UDP ports which are open and ready to receive communication from other machines. We will cover three in the following section – Isof, netstat and nmap.
The netstat or network statistics command
Most Linux distributions will include netstat by default, in their installations. It’s a really capable tool which can display all the TCP/IDP network connections that are active – both for incoming connections, and outgoing connections. It also displays routing tables plus the number of the network interface alongside comprehensive statistics for network protocols.
So, you can use netstat to troubleshoot and to measure the performance of your network. While basic, it is a useful and essential too for finding faults in network services. It clearly tells you which ports are open, and where a program or service is listening on a specific port. We will now give you some examples on how to make use of netstat.
Retrieving a list of all TCP and UDP ports which are currently listening
It’s simple really, just use the -a flag alongside a pipe that specifies less, this will give you TCP and UDP ports which are currently listening
$ netstat -a | less
To list all the connections that are listening
Make use of the -l flag in the netstat command to get a list of every port connection which is actively listening
$ netstat -l
Display ports that are open, alongside current TCP connections
Here, we combine a couple of flags in order to show a list of ports which are open and the established (TCP) connections.
$ netstat -vatn
A list of open UDP ports
You might only want to see the UDP ports which are open, excluding the open TCP ports. The command you need is this:
$ netstat -vaun
Get a list of your Linux services which are listening on TCP and UDP, a list of the open ports on your machine which are free, alongside the name and the PID of the service or program
This command gives you all the services and apps which listen on either TCP or UDP. It also gives you the open ports on your Linux instance which are free, plus the program name and process ID that is associated with every open socket.
$ netstat -tnlup
So you can see how the different commands you can use with netstat makes it very versatile, allowing you to see what the status quo is on your Linux machine. But what exactly does these individual flags mean? It’s simple really:
- -a will show all sockets that are listening and all non-listening sockets too
- -l only shows ports which are actively listening
- -v means “verbose” and tells netstat to include additional information about any address families that are not currently configured
- -t restricts the listing to TCP connections only
- -u restricts the listing to UDP connections only
- -n tells netstat to display the numerical addresses too
- -p adds the process ID (PID) as well as the name of the program
Keep in mind that the seven flags we’ve shown above are just a couple of the many flags you can specify for netstat. Check out the help file by triggering
$ man netstat
You’ll get a full listing of all the options and features you can make use of with netstat.
nmap – the Network Mapper command
An open source tool, nmap is great for exploring your network, scanning it for security vulnerabilities and to audit your network. That said, new users might find nmap challenging to use because it is so feature-rich: nmap comes with so many options that you might find it difficult to figure out, even if it does mean it is a very robust tool.
It’s worth remembering that nmap will deliver very extensive information about the network that it is scanning. So, do not use nmap on a network unless you have permission to examine it – permission to scan it, basically. You need to have a reason to use nmap, in other words, and the permission of the network owner.
We will now give you a basic overview of nmap including typical usage of the map command. To start off with, here is the instructions you need to install nmap if you have Ubuntu or Debian server:
$ sudo apt-get install nmap
The command is slightly different if you’re using RHEL or CentOS:
$ sudo yum install nmap
There’s a file you can view for a wider picture of ports and services. Use this command:
$ less /usr/share/nmap/nmap-services
It’s an example of exactly how extensive the details are when you use nmap as a tool. If you want to experiment with nmap you could try to check out your own virtual private server, but you could also give nmap a go on the official nmap test server – located at scanme.nmap.org.
In order to try out some basic nmap commands we will make use of sudo privileges to ensure that the queries give complete results – not partial results. Remember, some nmap commands will take a little bit longer to execute.
Throughout these examples we will make use of mywebsite.com as the example domain; replace your actual domain in place of mywebsite.com when you run this command.
Scanning for open ports on a domain
$ sudo nmap -vv mywebsite.com
Here you can see we have used the -vv flag, which has a specific function. When you use -vv it means “verbose”, in other words it will show you extensive output, including the process as nmap scans for open ports. Leave out the -vv flag and you will quickly see the difference.
List of ports that are listening for connections via TCP
$ sudo nmap -sT mywebsite.com
You’ll note the -sT flag, this is usually what you’d specify to scan for TCP connections when a SYN scan cannot be performed.
List of ports that are listening for connections via UDP
$ sudo nmap -sU mywebsite.com
So, -sU is what you use to get a UDP scan. However you can scan for both UDP and TCP connections by using another flag, -sS. You’ll get a list covering both UDP and TCP.
Look at a specific port (instead of all ports)
$ sudo nmap -p port_number mywebsite.com
In this case, -p means that you only look at the port number specified in place of “port_number”.
Scan every open port on both TCP and UDP
$ sudo nmap -n -Pn -sT -sU -p- mywebsite.com
We use two flags here: first -n which specified to nmap that it must not make a reverse domain resolution for an active IP address, where it finds one. -Pn disables pinging, treating all of the hosts as if they are online.
It’s just a few examples but nmap is a really fantastic tool than can help you a lot. Remember, typing $ man nmap will give you a full list of all the tools at your disposal; many of these are very useful for exploring the security of your network and to find potentially vulnerable points.
The lsof (List Open Files) command
It’s easy to remember what lsof means – the list open files command – just take ls as “list” and of as “open files” and you’ll clearly see why lsof means “list open files”.
Listing all active network connections
Use the -i flag with lsof in order to get a full list of every network connection which is both listening and established.
$ sudo lsof -i
Find a process that is using a specified port
As an example, for all processes which are currently operating on port 22, you’ll run this command:
$ sudo lsof -i TCP:22
Get a list of all the UDP and TCP connections
To list every single UDP and TCP connection just use this command:
$ sudo lsof -i tcp; sudo lsof -i udp;
Just like with nmap, you can check the manual for lsof in order to get a full view of all the options you have when you are using lsof.
So, to wrap up, Linux fans must understand at least a little bit about ports – particularly if they plan on managing Linux servers. We’ve given three examples of great tools – nmap, lsof and netstat – which will help you on the way to understanding which ports are open on your machine, and which services are active on your server.
We suggest that you take a look at the man pages for each of these commands so that you can get a better idea of what they do. While these tools are great for checking the exposure on your own network, never abuse any of these tools by scanning networks that do not belong to you.