How can we check the used and free TCP/UDP ports of our Debian or Ubuntu Linux operating system?

Published by botond, 2022/10/23 (Sun), 08:20


Introduction

Several services can run on a Linux operating system, especially on a more complex web server installation. These services communicate through different TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) ports on the network interface. A listening port is a network port on which an application or process listens and acts as a communication endpoint.

Checking ports is an important task from several points of view. On the one hand, for the sake of security, we must monitor the open ports and the communication on them. Most of this can be done by reviewing the log files generated by the various services, but we can also check the ports directly to see whether communication is taking place on them, and whether it is part of normal operation or someone is currently attacking our server. On the other hand, we can reduce the number of possible errors that result from several similar services using the same port. In this case, one of the services must be individually reconfigured so that it does not use the same port. Furthermore, with security in mind, we can also search for free custom ports for specific services as a preventive measure, so that they do not use the default (and therefore widely known) ports, thereby reducing the number of attack attempts.

Whatever the reason for checking the ports, in this description we will review some commands and methods that can be used to check them effectively.


Overview of Ports

First, let's take a look at the numbering of the ports to better understand their structure.

Port numbers and ranges

A port number can be an integer in the range 0 to 65535, and this range is divided into three main parts:

  • 0-1023: Well-known ports. These are assigned to specific services and are controlled by the system.
    Therefore, we cannot use our own custom ports in this range. More on these below.
  • 1024-49151: Registered ports. Ports in this range are not assigned or controlled, but can be registered to avoid duplication.
    You can use your own custom ports in this range, but always make sure that no service is running on that port.
  • 49152-65535: Dynamic ports. Ports in this range are not assigned, controlled, or registered. They are used for temporary or private ports and are also known as private or non-reserved ports. Clients choose temporary port numbers from this range, but not all systems allow this.
    We can also choose a port number from this range, but here too we must make sure that nothing is running on it.

Well-known ports and services

Here are some common services from the lower (0-1023) address range and their default port numbers (non-exhaustive):

  • 20/21 (TCP): FTP
  • 22 (TCP): SSH
  • 23 (TCP): telnet
  • 25 (TCP/UDP): SMTP
  • 53 (TCP/UDP): DNS
  • 67/68 (UDP): DHCP
  • 69 (UDP): TFTP
  • 80 (TCP): HTTP
  • 110 (TCP): POP3
  • 123 (UDP): NTP
  • 137/138/139 (TCP/UDP): NetBIOS
  • 143 (TCP): IMAP (without SSL/TLS or STARTTLS)
  • 161/162 (TCP/UDP): SNMP
  • 179 (TCP): BGP
  • 389 (TCP/UDP): LDAP
  • 443 (TCP): HTTPS
  • 465 (TCP/UDP): SMTP (TLS)
  • 587 (TCP/UDP): SMTP (TLS)
  • 636 (TCP/UDP): LDAPS
  • 989/990 (TCP): FTPS
  • 993 (TCP): IMAPS (IMAP using SSL/TLS)

The full list can be viewed in the /etc/services file:

cat /etc/services

The file contains the services that, if installed, will listen to incoming data packets on the specified port number.

 

Commands for checking ports

There are several commands for checking network ports, and these commands can also be classified into two types of use (internal or external use). In this section, we will look at some examples of these.

I will run the following examples on a Debian 10 (Buster) Perfect Server after the 1.0 installation, that is, on version 1.1, since there are already enough services on this server to demonstrate the checking and examination of ports.

Commands for checking ports internally

The commands for checking from within are run on the server itself and are used to check the services and ports running on that server, i.e. its "own" ones.

Let's see the commands that can be used for this purpose!

netstat

The netstat command displays network connections and interface statistics. Root privileges are required for full use. To install it on Debian/Ubuntu systems, run the following command:

sudo apt-get install net-tools

List of listen ports

To list the listening ports, run the following command:

sudo netstat -tunlp

Where the meanings of the switches are as follows:

  • -t: Show TCP ports.
  • -u: Show UDP ports.
  • -n: Show IP addresses instead of hostnames.
  • -l: List only the listening ports, i.e. those on which some service (daemon) is listening.
  • -p: Also display the process ID and name of the listening process.

And the output is:

Using the netstat command

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      708/postgrey --pidf
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      21188/amavisd-new (
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      20373/master
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      21188/amavisd-new (
tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      20373/master
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      20373/master
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      500/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22616/dovecot
[...]

Meaning of the columns of the resulting output:

  • Proto: The type of protocol used (tcp, udp, udpl or raw). "tcp6" indicates data for IPv6 addresses.
  • Recv-Q: A non-zero value here means that data is still in the TCP/IP receive buffer and has not yet been written to the application buffer.
  • Send-Q: Same as above, only from the sending side: data has been placed in the TCP/IP send buffer but not yet sent, or sent but not yet acknowledged. A high value here may be caused by, for example, network congestion or server performance.
  • Local Address: The IP address and port number of the local endpoint of the data transfer. If the -n switch is not specified, the command resolves the IP address and displays the hostname instead, which is "localhost" on the local endpoint.
  • Foreign Address: The IP address and port number of the remote endpoint of the data transfer. If the -n switch is not specified, the command resolves the IP address of the remote machine sending or receiving data and displays the hostname obtained through the DNS service instead.
    "0.0.0.0:*" in the current example means that the system is waiting for connections from any IP address and (remote) port.
  • State: The state of the socket. "LISTEN" means that the system is waiting for new incoming connections on the specified ports; these rows appear because we ran the command with the -l or the -a switch.
  • PID/Program name: The process ID (PID) and name of the process that owns the connection, which is printed as a result of the -p switch. Displaying this information requires root privileges, especially if there are processes running that are not owned by the user running the netstat command.

With this example, we can display the ports on which our server is waiting for incoming connections. We can see here, for example, the IMAPS (IMAP over SSL) service of the Dovecot mail server on ports 993 and 995, and the traditional (not SSL/TLS encrypted) version on ports 110 and 143, the MySQL server on port 3306, the Apache2 web server on ports 80 (HTTP), 8080 (ISPConfig access) and 443 (HTTPS), and quite a few other services, all of which are waiting for connections from remote clients.


List of ports in active use

But what if we want to see which services something is currently connected to? The following example serves for this:

sudo netstat -tunp

We simply took out the -l switch. And the output is:

Using the netstat command - Current connections

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:143           127.0.0.1:50548         TIME_WAIT   -
tcp        0      0 192.168.1.130:22        192.168.1.100:41616     ESTABLISHED 9269/sshd: linuxpor
tcp        0      0 127.0.0.1:50548         127.0.0.1:143           TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62302       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62543       TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62390       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62544       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62542       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62389       TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62589       ESTABLISHED 27044/apache2

Here, however, we can see that there is an SSH connection on port 22 through the sshd service, which in this example is my own terminal that I use to connect to this server, and something is also connected to the Apache server. This is because I opened the various web pages of this server in a browser, so, for example, these web applications connect to several ports (143, 8080) of the server through the browser. The output of the command run the second time differs from the first only in that I refreshed these web pages directly before running the command, to increase the number of Apache connections for the sake of the example. So, for example, when I refreshed the Drupal 9 CMS installed on the server in the browser, the number of apache2 entries in the output of the command increased.

In this example, the State column displays three new status values, the meanings of which are as follows:

  • TIME_WAIT: The connection endpoint (socket) is waiting after close to handle packets still in the network.
  • FIN_WAIT2: The connection is closed, but it is still waiting for the remote machine to close it. It is actually waiting for another acknowledgment signal.
  • ESTABLISHED: The connection is established, and active data traffic is taking place on it.

Of course, there are more status values than these; information about them can be found on the manual page of the netstat command.

List the ports assigned to all services

If we want to display the listening (LISTEN) ports and the already connected (ESTABLISHED/TIME_WAIT, etc.) ports at the same time, we use the short -a or the longer --all switch:

sudo netstat -tunpa
sudo netstat -tunp --all

Search and check for free ports

If we want to search for a free port, we can do so using the following command:

sudo netstat -tunpa | grep <port number>

If it gives some output, then some service is using the port; if it gives no output, then the port can be used.

For example, we first look at port 443 (HTTPS) and then a custom port of your choice, such as 57345:

sudo netstat -tunpa | grep 443
sudo netstat -tunpa | grep 57345

Using the netstat command - Search for a free port

Of course, the first command printed the connections of the browser that has the website open via HTTPS, while the second command gave no output. Therefore, the second queried port number can be used freely.

With the help of the netstat command, we can easily display the listening ports and the services that already have connections, as well as search for unused ports by filtering the results. Of course, several connections are possible on one port.

 

 

ss

The ss (socket statistics) command is also referred to as the new netstat. Although it lacks some netstat functionality, it exposes more TCP state information and is slightly faster. The command options are mostly the same, so switching from netstat to ss is not difficult. Root privileges are required to use the command fully. To install it on Debian/Ubuntu systems, run the following command:

sudo apt-get install iproute2

List of listen ports

To list the listening ports, run the following command:

sudo ss -tunlp

The switches here are the same as in the case of netstat:

  • -t: Display only TCP ports (this filters out other protocols that should not be displayed).
  • -u: Display only UDP ports (this filters out other protocols that should not be displayed).
  • -n: Show IP addresses instead of hostnames.
  • -l: List only the listening ports, i.e. those on which some service (daemon) is listening.
  • -p: Also display the process ID and name of the listening process.

The output is:

Using the ss command - List the listen ports

It might be clearer like this:

Netid                    State                     Recv-Q                    Send-Q                                                           Local Address:Port                                        Peer Address:Port                   
udp                      UNCONN                    0                         0                                                                192.168.1.130:53                                               0.0.0.0:*                       users:(("named",pid=23040,fd=520),("named",pid=23040,fd=519),("named",pid=23040,fd=518))
udp                      UNCONN                    0                         0                                                                    127.0.0.1:53                                               0.0.0.0:*                       users:(("named",pid=23040,fd=517),("named",pid=23040,fd=516),("named",pid=23040,fd=515))
udp                      UNCONN                    0                         0                                                                192.168.1.130:123                                              0.0.0.0:*                       users:(("ntpd",pid=563,fd=19))
udp                      UNCONN                    0                         0                                                                    127.0.0.1:123                                              0.0.0.0:*                       users:(("ntpd",pid=563,fd=18))
udp                      UNCONN                    0                         0                                                                      0.0.0.0:123                                              0.0.0.0:*                       users:(("ntpd",pid=563,fd=17))
udp                      UNCONN                    0                         0                                                                         [::]:53                                                  [::]:*                       users:(("named",pid=23040,fd=514),("named",pid=23040,fd=513),("named",pid=23040,fd=512))
udp                      UNCONN                    0                         0                                            [fe80::a00:27ff:fe4e:950c]%enp0s3:123                                                 [::]:*                       users:(("ntpd",pid=563,fd=24))
udp                      UNCONN                    0                         0                                                                        [::1]:123                                                 [::]:*                       users:(("ntpd",pid=563,fd=20))
udp                      UNCONN                    0                         0                                                                         [::]:123                                                 [::]:*                       users:(("ntpd",pid=563,fd=16))
tcp                      LISTEN                    0                         128                                                                    0.0.0.0:993                                              0.0.0.0:*                       users:(("dovecot",pid=22616,fd=42))
tcp                      LISTEN                    0                         100                                                                    0.0.0.0:995                                              0.0.0.0:*                       users:(("dovecot",pid=22616,fd=23))
tcp                      LISTEN                    0                         128                                                                  127.0.0.1:10023                                            0.0.0.0:*                       users:(("postgrey --pidf",pid=708,fd=5))
tcp                      LISTEN                    0                         128                                                                  127.0.0.1:10024                                            0.0.0.0:*                       users:(("/usr/sbin/amavi",pid=22228,fd=6),("/usr/sbin/amavi",pid=22223,fd=6),("/usr/sbin/amavi",pid=21188,fd=6))
tcp                      LISTEN                    0                         100                                                                  127.0.0.1:10025                                            0.0.0.0:*                       users:(("master",pid=20373,fd=124))
tcp                      LISTEN                    0                         128                                                                  127.0.0.1:10026                                            0.0.0.0:*                       users:(("/usr/sbin/amavi",pid=22228,fd=8),("/usr/sbin/amavi",pid=22223,fd=8),("/usr/sbin/amavi",pid=21188,fd=8))
tcp                      LISTEN                    0                         100                                                                  127.0.0.1:10027                                            0.0.0.0:*                       users:(("master",pid=20373,fd=127))
tcp                      LISTEN                    0                         100                                                                    0.0.0.0:587                                              0.0.0.0:*                       users:(("master",pid=20373,fd=18))
tcp                      LISTEN                    0                         128                                                                  127.0.0.1:11211                                            0.0.0.0:*                       users:(("memcached",pid=500,fd=26))
tcp                      LISTEN                    0                         100                                                                    0.0.0.0:110                                              0.0.0.0:*                       users:(("dovecot",pid=22616,fd=21))
tcp                      LISTEN                    0                         128                                                                    0.0.0.0:143                                              0.0.0.0:*                       users:(("dovecot",pid=22616,fd=40))
tcp                      LISTEN                    0                         100                                                                    0.0.0.0:465                                              0.0.0.0:*                       users:(("master",pid=20373,fd=22))
tcp                      LISTEN                    0                         10                                                               192.168.1.130:53                                               0.0.0.0:*                       users:(("named",pid=23040,fd=23))
tcp                      LISTEN                    0                         10                                                                   127.0.0.1:53                                               0.0.0.0:*                       users:(("named",pid=23040,fd=22))
tcp                      LISTEN                    0                         9                                                                      0.0.0.0:21                                               0.0.0.0:*                       users:(("pure-ftpd-mysql",pid=23009,fd=4))
tcp                      LISTEN                    0                         128                                                                    0.0.0.0:22                                               0.0.0.0:*                       users:(("sshd",pid=580,fd=3))
tcp                      LISTEN                    0                         128                                                                  127.0.0.1:953                                              0.0.0.0:*                       users:(("named",pid=23040,fd=24))
tcp                      LISTEN                    0                         100                                                                    0.0.0.0:25                                               0.0.0.0:*                       users:(("master",pid=20373,fd=13))
tcp                      LISTEN                    0                         128                                                                       [::]:993                                                 [::]:*                       users:(("dovecot",pid=22616,fd=43))
tcp                      LISTEN                    0                         100                                                                       [::]:995                                                 [::]:*                       users:(("dovecot",pid=22616,fd=24))
tcp                      LISTEN                    0                         128                                                                      [::1]:10023                                               [::]:*                       users:(("postgrey --pidf",pid=708,fd=6))
tcp                      LISTEN                    0                         128                                                                      [::1]:10024                                               [::]:*                       users:(("/usr/sbin/amavi",pid=22228,fd=7),("/usr/sbin/amavi",pid=22223,fd=7),("/usr/sbin/amavi",pid=21188,fd=7))
tcp                      LISTEN                    0                         128                                                                      [::1]:10026                                               [::]:*                       users:(("/usr/sbin/amavi",pid=22228,fd=9),("/usr/sbin/amavi",pid=22223,fd=9),("/usr/sbin/amavi",pid=21188,fd=9))
tcp                      LISTEN                    0                         80                                                                           *:3306                                                   *:*                       users:(("mysqld",pid=19462,fd=144))
tcp                      LISTEN                    0                         100                                                                       [::]:587                                                 [::]:*                       users:(("master",pid=20373,fd=19))
tcp                      LISTEN                    0                         100                                                                       [::]:110                                                 [::]:*                       users:(("dovecot",pid=22616,fd=22))
tcp                      LISTEN                    0                         128                                                                       [::]:143                                                 [::]:*                       users:(("dovecot",pid=22616,fd=41))
tcp                      LISTEN                    0                         128                                                                          *:8080                                                   *:*                       users:(("apache2",pid=27780,fd=10),("apache2",pid=27045,fd=10),("apache2",pid=27010,fd=10),("apache2",pid=26893,fd=10),("apache2",pid=26092,fd=10),("apache2",pid=26089,fd=10),("apache2",pid=26088,fd=10),("apache2",pid=26052,fd=10),("apache2",pid=22889,fd=10),("apache2",pid=5822,fd=10),("apache2",pid=4003,fd=10),("apache2",pid=1722,fd=10))
tcp                      LISTEN                    0                         128                                                                          *:80                                                     *:*                       users:(("apache2",pid=27780,fd=4),("apache2",pid=27045,fd=4),("apache2",pid=27010,fd=4),("apache2",pid=26893,fd=4),("apache2",pid=26092,fd=4),("apache2",pid=26089,fd=4),("apache2",pid=26088,fd=4),("apache2",pid=26052,fd=4),("apache2",pid=22889,fd=4),("apache2",pid=5822,fd=4),("apache2",pid=4003,fd=4),("apache2",pid=1722,fd=4))
tcp                      LISTEN                    0                         128                                                                          *:8081                                                   *:*                       users:(("apache2",pid=27780,fd=8),("apache2",pid=27045,fd=8),("apache2",pid=27010,fd=8),("apache2",pid=26893,fd=8),("apache2",pid=26092,fd=8),("apache2",pid=26089,fd=8),("apache2",pid=26088,fd=8),("apache2",pid=26052,fd=8),("apache2",pid=22889,fd=8),("apache2",pid=5822,fd=8),("apache2",pid=4003,fd=8),("apache2",pid=1722,fd=8))
tcp                      LISTEN                    0                         100                                                                       [::]:465                                                 [::]:*                       users:(("master",pid=20373,fd=23))
tcp                      LISTEN                    0                         10                                                                        [::]:53                                                  [::]:*                       users:(("named",pid=23040,fd=21))
tcp                      LISTEN                    0                         9                                                                         [::]:21                                                  [::]:*                       users:(("pure-ftpd-mysql",pid=23009,fd=5))
tcp                      LISTEN                    0                         128                                                                          *:4949                                                   *:*                       users:(("munin-node",pid=663,fd=5))
tcp                      LISTEN                    0                         128                                                                       [::]:22                                                  [::]:*                       users:(("sshd",pid=580,fd=4))
tcp                      LISTEN                    0                         128                                                                      [::1]:953                                                 [::]:*                       users:(("named",pid=23040,fd=25))
tcp                      LISTEN                    0                         100                                                                       [::]:25                                                  [::]:*                       users:(("master",pid=20373,fd=14))
tcp                      LISTEN                    0                         128                                                                          *:443                                                    *:*                       users:(("apache2",pid=27780,fd=6),("apache2",pid=27045,fd=6),("apache2",pid=27010,fd=6),("apache2",pid=26893,fd=6),("apache2",pid=26092,fd=6),("apache2",pid=26089,fd=6),("apache2",pid=26088,fd=6),("apache2",pid=26052,fd=6),("apache2",pid=22889,fd=6),("apache2",pid=5822,fd=6),("apache2",pid=4003,fd=6),("apache2",pid=1722,fd=6))

In essence, the output is almost the same, only here much of the data is printed in long rows, and the column displaying the protocol is called Netid.
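As an added example (not part of the original article), the following shell functions sort listeners like those in the listing above by bind address, separating loopback-only services from those reachable on a network interface. The sample rows are constructed from the listing above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify listening sockets in `ss -tunl` output by exposure.

# Constructed sample in the column layout of `ss -tunl` output (header included).
sample_listeners() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      192.168.1.130:53    0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0      [fe80::a00:27ff:fe4e:950c]%enp0s3:123  [::]:*
tcp   LISTEN 0      128    0.0.0.0:993         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:11211     0.0.0.0:*
tcp   LISTEN 0      128    [::1]:953           [::]:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      80     *:3306              *:*
EOF
}

# classify_listeners: read ss rows on stdin and print
#   "<proto> <port> <scope> <bind address>"
# where scope is one of:
#   loopback        reachable only from the machine itself
#   all-interfaces  bound to the wildcard address (0.0.0.0, [::] or *)
#   specific        bound to one particular non-loopback address
classify_listeners() {
    awk '
    $1 == "Netid" { next }                 # skip the header row
    NF >= 6 {
        la = $5                            # Local Address:Port column
        n = split(la, parts, ":")          # the port follows the last colon
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]")
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "all-interfaces"
        else
            scope = "specific"
        print $1, port, scope, addr
    }'
}

# reachable_listeners: unique "<proto>/<port>" pairs that are bound to
# something other than loopback, i.e. the ones the firewall has to cover.
reachable_listeners() {
    classify_listeners | awk '$3 != "loopback" { print $1 "/" $2 }' | LC_ALL=C sort -u
}

# Demonstration on the constructed sample; on a live system use:
#   sudo ss -tunl | reachable_listeners
sample_listeners | classify_listeners
echo "--- reachable from the network ---"
sample_listeners | reachable_listeners
```

Services that appear in the second list but are only meant to be used locally (a database, for example) are candidates for rebinding to 127.0.0.1 or for a firewall rule.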

And if we want to filter only the "LISTEN" items, we can do this with the grep command:

sudo ss -tunlp | grep LISTEN

List of ports in active use

If we are interested in the currently active connections, we can view this with the following command:

sudo ss -tunp

Using the ss command - List active connections

Netid  State  Recv-Q  Send-Q            Local Address:Port             Peer Address:Port
tcp    ESTAB  0       0                 192.168.1.130:22              192.168.1.100:35340   users:(("sshd",pid=10410,fd=3),("sshd",pid=10392,fd=3))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56267   users:(("apache2",pid=10427,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56255   users:(("apache2",pid=21615,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56249   users:(("apache2",pid=10425,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56266   users:(("apache2",pid=11511,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56223   users:(("apache2",pid=10424,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56233   users:(("apache2",pid=10426,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56244   users:(("apache2",pid=21613,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:8080     [::ffff:192.168.1.3]:56275   users:(("apache2",pid=11512,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56232   users:(("apache2",pid=10422,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56240   users:(("apache2",pid=21612,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56230   users:(("apache2",pid=21611,fd=22))
tcp    ESTAB  0       0        [::ffff:192.168.1.130]:443      [::ffff:192.168.1.3]:56231   users:(("apache2",pid=21614,fd=22))

The status "ESTAB" (established) indicates that the connection is active.

Here, too, I refreshed the website running on the server (port 443) and ISPConfig (port 8080) several times so that more data could be seen.

List the ports assigned to all services

If we want to display the listening (LISTEN) ports and the already connected (ESTAB, etc.) ports at the same time, we can also use the short -a or the longer --all switch:

sudo ss -tunpa
sudo ss -tunp --all

Search and check for free ports

If we want to search for a free port, we can filter by port number in the same way as with the netstat command, using the pattern below.

sudo ss -tunpa | grep <port number>

If it gives some output, then the port is busy; if it gives no output, then it can be used freely.

Here too, for example, we first look at port 443 (HTTPS), and then a freely chosen individual port, for example the number 57345:

sudo ss -tunpa | grep 443
sudo ss -tunpa | grep 57345

Using the ss command - Search for a free port

Connections using the HTTPS protocol appeared here as well for the first command, and then the second command gave no output. Therefore, the second queried port number can be used freely.

The parameters and switches of the ss command, as well as its operation, are very similar to those of the netstat command, so with it we can also easily check the status of our network ports.
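The grep filter used in the netstat and ss free-port checks above matches the digits anywhere in a line, so "443" also hits port 4430, a peer port such as 44312, or a PID such as 14433. As an added example (not from the original article), the functions below compare only the port of the Local Address column; the sample rows are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exact local-port check on `ss -tunpa` style output.

# Constructed sample in the column layout of `ss -tunpa` (header omitted).
sample_sockets() {
cat <<'EOF'
tcp   LISTEN 0 128  *:443                       *:*
tcp   ESTAB  0 0    [::ffff:192.168.1.130]:443  [::ffff:192.168.1.3]:56267
tcp   LISTEN 0 128  127.0.0.1:4430              0.0.0.0:*   users:(("demo",pid=14433,fd=5))
tcp   ESTAB  0 0    192.168.1.130:22            192.168.1.100:44312
udp   UNCONN 0 0    0.0.0.0:123                 0.0.0.0:*
EOF
}

# local_port_users PORT
# Read ss rows on stdin and print only those whose *local* port is exactly
# PORT. The port is whatever follows the last colon of the fifth column,
# which also works for bracketed IPv6 addresses.
local_port_users() {
    awk -v want="$1" '
    NF >= 6 {
        n = split($5, p, ":")
        if (p[n] == want) print
    }'
}

# port_is_free PORT
# Exit status 0 if no row on stdin uses PORT locally, 1 if it is in use,
# 2 if PORT is not a number between 1 and 65535.
port_is_free() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        return 2
    fi
    [ -z "$(local_port_users "$1")" ]
}

# Demonstration on the constructed sample; on a live system use:
#   sudo ss -tunpa | port_is_free 57345 && echo free
for port in 443 4430 44312 57345; do
    if sample_sockets | port_is_free "$port"; then
        echo "$port: free"
    else
        echo "$port: in use"
    fi
done
echo "rows matched by plain grep 443: $(sample_sockets | grep -c 443)"
echo "rows really using local port 443: $(sample_sockets | local_port_users 443 | wc -l | tr -d ' ')"
```

The ss command can also do this filtering itself, for example `ss -tuna 'sport = :443'`.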

 

 

lsof

lsof is a powerful command-line utility that provides information about files opened by various processes. Since everything in Linux is a file, including sockets and the endpoints of network communication, by examining the open files we can also obtain information about the status of the ports on these endpoints.

Usually a large number of files are open in the system at the same time, used by some device or service, so the list does not contain only the files belonging to the ports we want to monitor. The output of the lsof command therefore usually needs to be filtered to narrow it down to the desired target group.

List of listen ports

To list the listening ports, run the following lsof command:

sudo lsof -nPi | grep -E "COMMAND|LISTEN|UDP|TCP"

Where the meanings of switches and filter words are as follows:

  • -n: Use IP addresses instead of hostnames.
  • -P: Displays port numbers instead of port names.
  • -i: This switch has several functions and is mostly used for filtering. Here, with nothing after it, it displays only IPv4 and IPv6 files, i.e. network connections.
  • grep: Filters the output to the desired target group. Its parameters are:
    • -E: extended regexp, i.e. use of extended regular expressions. With it, special characters do not need to be escaped (\). Instead of this switch, the egrep command can also be used as a synonym.
    • Filter words: We filter for rows containing any of the following words (logical OR relationship):
      • COMMAND: We include this only so that the header row is also displayed, which makes the resulting output easier to read.
      • LISTEN: Matches the files belonging to listening ports.
      • UDP: For files connected to UDP sockets, this is displayed in place of the file's node ID, so we can easily filter for it.
      • TCP: For files connected to TCP sockets, this is displayed in place of the file's node ID, so we can easily filter for it.

And the output is:

Using the lsof command - Listing listen ports

COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
memcached   500    memcache   26u  IPv4   17426      0t0  TCP 127.0.0.1:11211 (LISTEN)
sshd        580        root    3u  IPv4   17445      0t0  TCP *:22 (LISTEN)
sshd        580        root    4u  IPv6   17447      0t0  TCP *:22 (LISTEN)
munin-nod   663        root    5u  IPv6   17717      0t0  TCP *:4949 (LISTEN)
postgrey    708    postgrey    5u  IPv4   20176      0t0  TCP 127.0.0.1:10023 (LISTEN)
postgrey    708    postgrey    6u  IPv6   20177      0t0  TCP [::1]:10023 (LISTEN)
sshd      10392        root    3u  IPv4 3636818      0t0  TCP 192.168.1.130:22->192.168.1.100:35340 (ESTABLISHED)
sshd      10410 linuxportal    3u  IPv4 3636818      0t0  TCP 192.168.1.130:22->192.168.1.100:35340 (ESTABLISHED)
apache2   10422    www-data    4u  IPv6  146489      0t0  TCP *:80 (LISTEN)
apache2   10422    www-data    6u  IPv6  146493      0t0  TCP *:443 (LISTEN)
apache2   10422    www-data    8u  IPv6  146497      0t0  TCP *:8081 (LISTEN)
apache2   10422    www-data   10u  IPv6  146505      0t0  TCP *:8080 (LISTEN)
apache2   10426    www-data    4u  IPv6  146489      0t0  TCP *:80 (LISTEN)
apache2   10426    www-data    6u  IPv6  146493      0t0  TCP *:443 (LISTEN)
apache2   10426    www-data    8u  IPv6  146497      0t0  TCP *:8081 (LISTEN)
[...]

On this server this produces a longer list, so only the beginning is shown.

Meaning of the columns of the resulting output:

  • COMMAND: The process or service handling the open file.
  • PID: The ID of the process.
  • USER: Owner of the file.
  • FD: Unique identifier of the file (File Descriptor). For normal files this is a positive integer; for other resource files it is an abbreviation. See the command's manual page for details.
  • TYPE: The type of node associated with the file. This can be a variety of things, for example a normal file, a directory, a block device, or the endpoint (socket) of a network connection, in which case IPv4 or IPv6 is displayed, depending on what network the computer is connected to.
  • DEVICE: Device identifiers. Multiple values are separated by commas.
  • SIZE/OFF: File size in bytes. For special resource files, "0t0" is displayed.
  • NODE: The node identifiers of the files. For normal files, this is a positive integer, and for special resource files, it is the type of protocol, such as TCP.
  • NAME: For normal files, the path of the file is displayed, and for special resource files, the data specific to the given resource is displayed. For socket files, this is network data such as the host name or IP address, the network port number and the connection status (e.g. LISTEN, ESTABLISHED, etc.).

This list contains many things, including a couple of lines marked ESTABLISHED. If we do not want to see them, we can filter them out of the output with grep's -v switch:

sudo lsof -nPi | grep -E "COMMAND|LISTEN|UDP|TCP" | grep -v "ESTABLISHED"

As you can see at the beginning of the list, there are also files related to ports 22, 80, 443, 8080, etc. Of course, there are other services further down; here it is just that "apache2" fills the lines of the list. The large number of apache2 lines is due to PHP-FPM's process management: Apache waits for incoming requests on this many threads, so new web connections are established faster and the requested web pages load sooner in the clients' browsers.
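The listing above mixes services bound to loopback only (memcached on 127.0.0.1) with services listening on every interface (*:22, *:443), and that distinction is what matters when reviewing exposure. The following added example (not from the original article; the function names are illustrative) classifies the TCP listeners in lsof -nPi output, using a subset of the rows from the listing above as offline input.

```shell
#!/bin/sh
# Added example: summarise which TCP listeners in `lsof -nPi` output are
# reachable on all interfaces and which are bound to loopback only.

# Rows copied from the article's listing (a subset), used as offline input.
sample_lsof_output() {
cat <<'EOF'
COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
memcached   500    memcache   26u  IPv4   17426      0t0  TCP 127.0.0.1:11211 (LISTEN)
sshd        580        root    3u  IPv4   17445      0t0  TCP *:22 (LISTEN)
sshd        580        root    4u  IPv6   17447      0t0  TCP *:22 (LISTEN)
postgrey    708    postgrey    6u  IPv6   20177      0t0  TCP [::1]:10023 (LISTEN)
sshd      10392        root    3u  IPv4 3636818      0t0  TCP 192.168.1.130:22->192.168.1.100:35340 (ESTABLISHED)
apache2   10422    www-data    6u  IPv6  146493      0t0  TCP *:443 (LISTEN)
apache2   10426    www-data    6u  IPv6  146493      0t0  TCP *:443 (LISTEN)
EOF
}

# listener_scope: read lsof output on stdin, print "<scope> <port> <command>"
# once per unique listener. Scope is all-interfaces (*), loopback
# (127.x.x.x or [::1]) or specific (any other bound address).
listener_scope() {
    awk '
        $NF != "(LISTEN)" { next }               # listening TCP sockets only
        {
            name = $(NF - 1)                     # NAME column: address:port
            port = name; sub(/^.*:/, "", port)   # text after the last colon
            addr = name; sub(/:[^:]*$/, "", addr)
            scope = "specific"
            if (addr == "*") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
            key = scope " " port " " $1
            if (!(key in seen)) { seen[key] = 1; print key }  # drop worker duplicates
        }'
}

# exposed_listeners: only the listeners bound to every interface.
exposed_listeners() {
    listener_scope | grep '^all-interfaces ' || true
}

sample_lsof_output | listener_scope
```

On a live system the same functions read real output: sudo lsof -nPi | exposed_listeners. UDP sockets have no LISTEN state in lsof output, so they are not covered by this summary.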

List of ports in active use

The currently active port connections can be viewed with the following command:

sudo lsof -nPi | grep -E "COMMAND|ESTABLISHED"

Here we have to filter for the word "ESTABLISHED", and of course to keep the header row we can also enter the word "COMMAND". And the output is:

Using the lsof command - List active ports

COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
apache2    1837    www-data   22u  IPv6 5607954      0t0  TCP 192.168.1.130:8080->192.168.1.3:55034 (ESTABLISHED)
apache2    7741    www-data   22u  IPv6 5609490      0t0  TCP 192.168.1.130:443->192.168.1.3:54994 (ESTABLISHED)
sshd      23504        root    3u  IPv4 5600073      0t0  TCP 192.168.1.130:22->192.168.1.100:43354 (ESTABLISHED)
sshd      23510 linuxportal    3u  IPv4 5600073      0t0  TCP 192.168.1.130:22->192.168.1.100:43354 (ESTABLISHED)
apache2   24380    www-data   22u  IPv6 5609486      0t0  TCP 192.168.1.130:443->192.168.1.3:54990 (ESTABLISHED)
apache2   24387    www-data   22u  IPv6 5607306      0t0  TCP 192.168.1.130:443->192.168.1.3:55011 (ESTABLISHED)
sshd      27429        root    3u  IPv4 5333070      0t0  TCP 192.168.1.130:22->192.168.1.100:38116 (ESTABLISHED)
sshd      27447 linuxportal    3u  IPv4 5333070      0t0  TCP 192.168.1.130:22->192.168.1.100:38116 (ESTABLISHED)

Here you can also see the active connections of the sshd and web server ports.

List the ports assigned to all services

If we want to list all the listening (LISTEN) ports and the active ports at the same time, we either omit the filter from the previous command or expand it so that all states are included:

sudo lsof -nPi
sudo lsof -nPi | grep -E "COMMAND|LISTEN|ESTABLISHED|UDP|TCP"

Search and check for free ports

If we want to search for a free port, we can do it with the -i parameter of the lsof command:

sudo lsof -nPi:<port number>

Here, the letter "i" is immediately followed by a colon, followed immediately by the port number, so there can be no spaces between them!

If the command produces output, the port is in use; if it produces no output, the port can be used freely.

Here too, sticking to the previous example, we look at the two ports, numbers 443 and 57345:

sudo lsof -nPi:443
sudo lsof -nPi:57345

Using the lsof command - Search and check for free ports

COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2  1795 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2  1837 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2  1865 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2  7648 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2  7746 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 22889     root    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24380 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24384 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24386 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24387 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24388 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2 24390 www-data    6u  IPv6 146493      0t0  TCP *:443 (LISTEN)

 

 

Port scan commands for checking ports from the outside

When checking ports from the outside, we perform a port scan on the computer to be checked to find out which ports are open, which services monitor these ports, etc. Port scanning is usually performed by system administrators to check the security of their servers, but unfortunately, it is also often used by malicious attackers to map the weak points of a selected target computer.

Since this topic, due to its complexity, goes beyond the scope of this description, it is discussed in more detail in another description. Here we only briefly mention some useful commands with which we can check our network ports.

Nmap

The Nmap (Network Mapper) command is a tool for efficient network discovery and security monitoring. It can also be run as a normal user, but many of its functions can only be used with root privileges, so we run the following parts with root privileges.

To install it on Debian/Ubuntu systems, run the following command:

sudo apt-get install nmap

With the command, we can easily scan the better-known TCP and UDP ports on our own or remote computers:

nmap <hostname or IP address>
nmap -sT <hostname or IP address>
nmap -sU <hostname or IP address>
nmap -sTU <hostname or IP address>

The first and second commands scan TCP ports (the first one scans TCP ports by default even without a switch), while the third one scans UDP ports. This takes much longer due to the way the UDP protocol works. The fourth command scans ports using both protocols. With the help of nmap, we can check our ports "from the outside".

nc/ncat

nc/ncat (Netcat) is a command-line utility that writes and reads data over network connections using the TCP or UDP protocol. It is one of the most effective tools in the system administrator's arsenal, which is why it is often referred to as the Swiss Army Knife of network tools. Netcat is cross-platform, so it is available on several operating systems such as Linux, macOS, Windows, and BSD. Netcat can be used to debug and monitor network connections, search for open ports, transfer data, etc.

The program is already pre-installed in most distributions, but if by chance it is not on your computer, install it with the following command:

sudo apt-get install ncat

The basic syntax of the netcat utility is as follows:

nc [options] host port

The command can be used to query ports on remote computers to determine whether they are open or not, using the following syntax:

nc -vz <hostname or IP address> <TCP port number>
nc -vzu <hostname or IP address> <UDP port number>

Examples:

nc -vz debian10.linuxportal.vm 80
nc -vzu debian10.linuxportal.vm 53

Checking network ports with the netcat program

The first command can be used to check a TCP port, while the second one can check a UDP port.

There are several implementations of Netcat that work differently. More information about this can be found on the second page of the Basic port scanning description.

 

A more detailed description prepared on the topic of port scanning - closely related to this - can be found here:

 

 

Conclusion

As you can see, there are several options for checking the network ports of our computer or server. We can check ports "in-house" with various commands, but we can also perform port scanning externally to make sure our system is secure.