Introduction
On a Linux operating system several services can run at the same time, especially on a more complex web server installation. These services communicate over different TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) ports on the network interface. A listening port is a network port on which an application or process listens and which acts as a communication endpoint.
Checking ports is an important task from several points of view. On the one hand, for the sake of security, we must monitor the open ports and the communication on them. Most of this can be checked by reviewing the log files generated by the various services, but we can also look at the ports directly to see whether communication is taking place on them and whether that traffic is normal operation or someone is currently attacking our server. On the other hand, we can reduce the chance of errors caused by two similar services trying to use the same port; in that case one of the services must be reconfigured so that it no longer uses the same port. Furthermore, with security in mind, we can also look for free, unique ports for specific services as a preventive measure, so that they do not use their default (and therefore well-known) ports, which reduces the number of attack attempts.
Whatever the reason for checking ports, this guide reviews some commands and methods that can be used to do it effectively.
Overview of Ports
First, let's take a look at the numbering of the ports to better understand their structure.
Port numbers and ranges
A port number is an integer in the range 0 to 65535, and this range is divided into three main parts:
- 0-1023: Well-known ports, assigned to specific services and controlled by the system. We therefore cannot use our own custom ports in this range. More on these below.
- 1024-49151: Registered ports. Ports in this range are not assigned or controlled, but they can be registered to avoid duplication. You can use your own custom ports in this range, but always make sure that no service is already running on the port you choose.
- 49152-65535: Dynamic ports. Ports in this range are not assigned, controlled, or registered; they are used as temporary or private ports and are also known as private or non-reserved ports. Clients pick their temporary port numbers from this range, though not all systems allow this. We can also choose a port number from here, but again make sure that nothing is already using it.
Well-known ports and services
Here are some common services from the lower (0-1023) port range and their default port numbers (non-exhaustive):
- 20/21 (TCP): FTP
- 22 (TCP): SSH
- 23 (TCP): telnet
- 25 (TCP/UDP): SMTP
- 53 (TCP/UDP): DNS
- 67/68 (UDP): DHCP
- 69 (UDP): TFTP
- 80 (TCP): HTTP
- 110 (TCP): POP3
- 123 (UDP): NTP
- 137/138/139 (TCP/UDP): NetBIOS
- 143 (TCP): IMAP (without SSL/TLS or STARTTLS)
- 161/162 (TCP/UDP): SNMP
- 179 (TCP): BGP
- 389 (TCP/UDP): LDAP
- 443 (TCP): HTTPS
- 465 (TCP/UDP): SMTP (TLS)
- 587 (TCP/UDP): SMTP (TLS)
- 636 (TCP/UDP): LDAPS
- 989/990 (TCP): FTPS
- 993 (TCP): IMAPS (IMAP using SSL/TLS)
The full list can be viewed in the /etc/services file:
cat /etc/services
The file lists the services that, if installed, listen for incoming packets on the specified port number.
Commands for checking ports
There are several commands for checking network ports, and they fall into two kinds of use: checking from inside the server and checking from outside. In this section we will look at some examples of both.
I will run the following examples on a Debian 10 (Buster) Perfect Server 1.0 installation, that is, on its version 1.1, since there are already enough services on this server to demonstrate checking and examining ports.
Commands for checking ports internally
The commands for checking from within are run on the server itself and are used to check the services and ports running on that server, i.e. its "own" ports.
Let's see the commands that can be used for this purpose!
netstat
The netstat command displays network connections and interface statistics. Root privileges are required to use it fully. To install it on Debian/Ubuntu systems, run the following command:
sudo apt-get install net-tools
List of listening ports
To list the listening ports, run the following command:
sudo netstat -tunlp
Where the switches mean the following:
- -t: Show TCP ports
- -u: Show UDP ports
- -n: Show numeric IP addresses instead of resolving them to hostnames
- -l: List only the "listening" ports, i.e. those on which some service (daemon) is waiting for connections
- -p: Also display the process ID and name of the listening process
And the output is:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      708/postgrey --pidf
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      21188/amavisd-new (
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      20373/master
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      21188/amavisd-new (
tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      20373/master
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      20373/master
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      500/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22616/dovecot
[...]
Meaning of the columns of the resulting output:
- Proto: The protocol used (tcp, udp, udpl or raw). "tcp6" means the entry belongs to an IPv6 address.
- Recv-Q: A non-zero value here means that data is still in the TCP/IP receive buffer and has not yet been copied to the application's buffer.
- Send-Q: The same from the sending side: data has been placed in the TCP/IP send buffer but not yet sent, or sent but not yet acknowledged. A high value here may be caused by network congestion, server load and the like.
- Local Address: The IP address and port number of the local endpoint of the connection. Without the -n switch the command resolves the IP address and shows the hostname instead, which for the local endpoint is "localhost".
- Foreign Address: The IP address and port number of the remote endpoint. Without the -n switch the command resolves the remote machine's address and shows the hostname it obtains via DNS instead. "0.0.0.0:*" in the current example means that the system accepts connections from any IP address and any (remote) port.
- State: The connection state. "LISTEN" means the system is waiting for incoming new connections on the given port; these entries appear because we ran the command with the -l (or -a) switch.
- PID/Program name: The process ID (PID) and name of the process that owns the socket, shown because of the -p switch. Displaying this requires root privileges, especially for processes not owned by the user running netstat.
With this command we can display the ports on which our server is waiting for incoming connections. Here we can see, for example, the IMAPS (IMAP over SSL) service of the Dovecot mail server on ports 993 and 995 and its traditional (not SSL/TLS encrypted) version on ports 110 and 143, the MySQL server on port 3306, the Apache2 web server on ports 80 (HTTP), 8080 (ISPConfig access) and 443 (HTTPS), and quite a few other services, all waiting for connections from remote clients.
List of ports in active use
But what if we want to see which services something is currently connected to? The following command serves that purpose:
sudo netstat -tunp
We simply left out the -l switch. The output is:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:143           127.0.0.1:50548         TIME_WAIT   -
tcp        0      0 192.168.1.130:22        192.168.1.100:41616     ESTABLISHED 9269/sshd: linuxpor
tcp        0      0 127.0.0.1:50548         127.0.0.1:143           TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62302       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62543       TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62390       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62544       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62542       TIME_WAIT   -
tcp6       0      0 192.168.1.130:443       192.168.1.3:62389       TIME_WAIT   -
tcp6       0      0 192.168.1.130:8080      192.168.1.3:62589       ESTABLISHED 27044/apache2
Here we can see an SSH connection on port 22 through the sshd service, which in this example is my own terminal session to this server, and that something is also connected to the Apache server. That is because I opened this server's various web interfaces in a browser, so these web applications connect to several ports of the server (143, 8080) through the browser. The second run of the command differs from the first only in that I refreshed these web pages right before running it, to increase the number of Apache connections for the sake of the example. For instance, when the Drupal 9 CMS installed on the server is refreshed in the browser, the number of apache2 entries in the command's output increases.
In this example the State column shows three new status values, which mean the following:
- TIME_WAIT: The socket waits for a while after the connection has been closed, so that packets still travelling on the network can be dealt with.
- FIN_WAIT2: The connection is closed on our side, but we are still waiting for the remote machine to close it; in practice it is waiting for one more acknowledgement.
- ESTABLISHED: The connection is established and active data traffic is taking place on it.
Of course there are more states than these; the manual page of the netstat command has information about them.
List the ports assigned to all services
And if we want to display the listening (LISTEN) ports and the already connected (ESTABLISHED/TIME_WAIT, etc.) ports at the same time, we use the short -a or the long --all switch:
sudo netstat -tunpa
sudo netstat -tunp --all
Search and check for free ports
If we want to search for a free port, we can do so with the following command:
sudo netstat -tunpa | grep <port number>
If it produces output, some service is already using the port; if it produces no output, the port can be used.
For example, we first look at port 443 (HTTPS) and then at a custom port of our choice, such as 57345:
sudo netstat -tunpa | grep 443
sudo netstat -tunpa | grep 57345
Of course, the first command showed the browser connected via HTTPS to the open website, while the second gave no output, so the second port number can be used freely.
With the help of the netstat command, we can easily display the waiting ports and services that have already been connected, as well as search for unused ports by filtering the results. Of course, several connections are possible on one port.
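As an added example (not code from the original article), the following shell functions turn the netstat -tunlp output shown above into a normalised, sorted list of listeners and compare it with a baseline saved earlier, so that a listener that appeared since the last check stands out. The sample lines, the "python3" listener and the baseline path are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: turn the
# `sudo netstat -tunlp` output into a normalised, sorted list of listeners
# and compare it with a baseline saved earlier, so that a listener that
# appeared since the last check stands out. Sample lines and the baseline
# path below are constructed for this example.
# Live usage (the path is an assumption, choose your own):
#   sudo netstat -tunlp | listener_set > /var/lib/portcheck/baseline   # once
#   sudo netstat -tunlp | listener_set | new_listeners /var/lib/portcheck/baseline

# Constructed baseline: the server as it looked when it was set up.
BASELINE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      580/sshd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      500/memcached
tcp6       0      0 :::22                   :::*                    LISTEN      580/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           563/ntpd'

# Constructed "today" output: memcached is gone and a script that nobody
# registered has opened port 9999.
CURRENT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      580/sshd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      22616/dovecot
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      2101/python3
tcp6       0      0 :::22                   :::*                    LISTEN      580/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           563/ntpd'

# Normalise netstat -tunlp output (stdin) to one "proto port program" line per
# listener, sorted and de-duplicated, so the IPv4 and IPv6 sockets of one
# service collapse into a single entry. Header lines are skipped because
# their first field is not a protocol name.
listener_set() {
  awk '
    $1 == "tcp" || $1 == "tcp6" || $1 == "udp" || $1 == "udp6" {
      proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
      n = split($4, a, ":"); port = a[n]      # text after the last ":" is the port
      prog = "?"                              # netstat prints "-" when it lacks permission
      if (match($0, /[0-9]+\/.*$/)) {         # PID/Program name is the only field with "/"
        prog = substr($0, RSTART, RLENGTH)
        sub(/^[0-9]+\//, "", prog)            # drop the PID, keep the program name
      }
      print proto, port, prog
    }' | LC_ALL=C sort -u
}

# Print the listeners present on stdin but absent from the baseline file $1.
# Returns 1 when something new is listening, 0 when the set matches.
new_listeners() {
  new=$(LC_ALL=C comm -13 "$1" -)
  [ -z "$new" ] && return 0
  printf '%s\n' "$new"
  return 1
}

# Demonstration on the constructed data: save the baseline, then compare.
baseline_file=$(mktemp)
printf '%s\n' "$BASELINE" | listener_set > "$baseline_file"
printf '%s\n' "$CURRENT" | listener_set | new_listeners "$baseline_file" \
  || echo "unexpected listener(s) above: identify the process before trusting it"
rm -f "$baseline_file"
```

A cron job running the second live command and mailing its output is enough to notice a listener that was not there yesterday.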
ss
The ss (socket statistics) command is also referred to as the new netstat. Although it lacks some netstat functionality, it shows more TCP state information and is slightly faster. The command options are mostly the same, so switching from netstat to ss is not difficult. Root privileges are required to use the command fully. To install it on Debian/Ubuntu systems, run the following command:
sudo apt-get install iproute2
List of listening ports
To list the listening ports, run the following command:
sudo ss -tunlp
The switches here are the same as for netstat:
- -t: Display only TCP ports (filters out the other protocols)
- -u: Display only UDP ports (filters out the other protocols)
- -n: Show numeric IP addresses instead of resolving them to hostnames
- -l: List only the "listening" ports, i.e. those on which some service (daemon) is waiting for connections
- -p: Also display the process ID and name of the listening process
The output is:
Netid State  Recv-Q Send-Q Local Address:Port                       Peer Address:Port
udp   UNCONN 0      0      192.168.1.130:53                         0.0.0.0:*     users:(("named",pid=23040,fd=520),("named",pid=23040,fd=519),("named",pid=23040,fd=518))
udp   UNCONN 0      0      127.0.0.1:53                             0.0.0.0:*     users:(("named",pid=23040,fd=517),("named",pid=23040,fd=516),("named",pid=23040,fd=515))
udp   UNCONN 0      0      192.168.1.130:123                        0.0.0.0:*     users:(("ntpd",pid=563,fd=19))
udp   UNCONN 0      0      127.0.0.1:123                            0.0.0.0:*     users:(("ntpd",pid=563,fd=18))
udp   UNCONN 0      0      0.0.0.0:123                              0.0.0.0:*     users:(("ntpd",pid=563,fd=17))
udp   UNCONN 0      0      [::]:53                                  [::]:*        users:(("named",pid=23040,fd=514),("named",pid=23040,fd=513),("named",pid=23040,fd=512))
udp   UNCONN 0      0      [fe80::a00:27ff:fe4e:950c]%enp0s3:123    [::]:*        users:(("ntpd",pid=563,fd=24))
udp   UNCONN 0      0      [::1]:123                                [::]:*        users:(("ntpd",pid=563,fd=20))
udp   UNCONN 0      0      [::]:123                                 [::]:*        users:(("ntpd",pid=563,fd=16))
tcp   LISTEN 0      128    0.0.0.0:993                              0.0.0.0:*     users:(("dovecot",pid=22616,fd=42))
tcp   LISTEN 0      100    0.0.0.0:995                              0.0.0.0:*     users:(("dovecot",pid=22616,fd=23))
tcp   LISTEN 0      128    127.0.0.1:10023                          0.0.0.0:*     users:(("postgrey --pidf",pid=708,fd=5))
tcp   LISTEN 0      128    127.0.0.1:10024                          0.0.0.0:*     users:(("/usr/sbin/amavi",pid=22228,fd=6),("/usr/sbin/amavi",pid=22223,fd=6),("/usr/sbin/amavi",pid=21188,fd=6))
tcp   LISTEN 0      100    127.0.0.1:10025                          0.0.0.0:*     users:(("master",pid=20373,fd=124))
tcp   LISTEN 0      128    127.0.0.1:10026                          0.0.0.0:*     users:(("/usr/sbin/amavi",pid=22228,fd=8),("/usr/sbin/amavi",pid=22223,fd=8),("/usr/sbin/amavi",pid=21188,fd=8))
tcp   LISTEN 0      100    127.0.0.1:10027                          0.0.0.0:*     users:(("master",pid=20373,fd=127))
tcp   LISTEN 0      100    0.0.0.0:587                              0.0.0.0:*     users:(("master",pid=20373,fd=18))
tcp   LISTEN 0      128    127.0.0.1:11211                          0.0.0.0:*     users:(("memcached",pid=500,fd=26))
tcp   LISTEN 0      100    0.0.0.0:110                              0.0.0.0:*     users:(("dovecot",pid=22616,fd=21))
tcp   LISTEN 0      128    0.0.0.0:143                              0.0.0.0:*     users:(("dovecot",pid=22616,fd=40))
tcp   LISTEN 0      100    0.0.0.0:465                              0.0.0.0:*     users:(("master",pid=20373,fd=22))
tcp   LISTEN 0      10     192.168.1.130:53                         0.0.0.0:*     users:(("named",pid=23040,fd=23))
tcp   LISTEN 0      10     127.0.0.1:53                             0.0.0.0:*     users:(("named",pid=23040,fd=22))
tcp   LISTEN 0      9      0.0.0.0:21                               0.0.0.0:*     users:(("pure-ftpd-mysql",pid=23009,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22                               0.0.0.0:*     users:(("sshd",pid=580,fd=3))
tcp   LISTEN 0      128    127.0.0.1:953                            0.0.0.0:*     users:(("named",pid=23040,fd=24))
tcp   LISTEN 0      100    0.0.0.0:25                               0.0.0.0:*     users:(("master",pid=20373,fd=13))
tcp   LISTEN 0      128    [::]:993                                 [::]:*        users:(("dovecot",pid=22616,fd=43))
tcp   LISTEN 0      100    [::]:995                                 [::]:*        users:(("dovecot",pid=22616,fd=24))
tcp   LISTEN 0      128    [::1]:10023                              [::]:*        users:(("postgrey --pidf",pid=708,fd=6))
tcp   LISTEN 0      128    [::1]:10024                              [::]:*        users:(("/usr/sbin/amavi",pid=22228,fd=7),("/usr/sbin/amavi",pid=22223,fd=7),("/usr/sbin/amavi",pid=21188,fd=7))
tcp   LISTEN 0      128    [::1]:10026                              [::]:*        users:(("/usr/sbin/amavi",pid=22228,fd=9),("/usr/sbin/amavi",pid=22223,fd=9),("/usr/sbin/amavi",pid=21188,fd=9))
tcp   LISTEN 0      80     *:3306                                   *:*           users:(("mysqld",pid=19462,fd=144))
tcp   LISTEN 0      100    [::]:587                                 [::]:*        users:(("master",pid=20373,fd=19))
tcp   LISTEN 0      100    [::]:110                                 [::]:*        users:(("dovecot",pid=22616,fd=22))
tcp   LISTEN 0      128    [::]:143                                 [::]:*        users:(("dovecot",pid=22616,fd=41))
tcp   LISTEN 0      128    *:8080                                   *:*           users:(("apache2",pid=27780,fd=10),("apache2",pid=27045,fd=10),("apache2",pid=27010,fd=10),("apache2",pid=26893,fd=10),("apache2",pid=26092,fd=10),("apache2",pid=26089,fd=10),("apache2",pid=26088,fd=10),("apache2",pid=26052,fd=10),("apache2",pid=22889,fd=10),("apache2",pid=5822,fd=10),("apache2",pid=4003,fd=10),("apache2",pid=1722,fd=10))
tcp   LISTEN 0      128    *:80                                     *:*           users:(("apache2",pid=27780,fd=4),("apache2",pid=27045,fd=4),("apache2",pid=27010,fd=4),("apache2",pid=26893,fd=4),("apache2",pid=26092,fd=4),("apache2",pid=26089,fd=4),("apache2",pid=26088,fd=4),("apache2",pid=26052,fd=4),("apache2",pid=22889,fd=4),("apache2",pid=5822,fd=4),("apache2",pid=4003,fd=4),("apache2",pid=1722,fd=4))
tcp   LISTEN 0      128    *:8081                                   *:*           users:(("apache2",pid=27780,fd=8),("apache2",pid=27045,fd=8),("apache2",pid=27010,fd=8),("apache2",pid=26893,fd=8),("apache2",pid=26092,fd=8),("apache2",pid=26089,fd=8),("apache2",pid=26088,fd=8),("apache2",pid=26052,fd=8),("apache2",pid=22889,fd=8),("apache2",pid=5822,fd=8),("apache2",pid=4003,fd=8),("apache2",pid=1722,fd=8))
tcp   LISTEN 0      100    [::]:465                                 [::]:*        users:(("master",pid=20373,fd=23))
tcp   LISTEN 0      10     [::]:53                                  [::]:*        users:(("named",pid=23040,fd=21))
tcp   LISTEN 0      9      [::]:21                                  [::]:*        users:(("pure-ftpd-mysql",pid=23009,fd=5))
tcp   LISTEN 0      128    *:4949                                   *:*           users:(("munin-node",pid=663,fd=5))
tcp   LISTEN 0      128    [::]:22                                  [::]:*        users:(("sshd",pid=580,fd=4))
tcp   LISTEN 0      128    [::1]:953                                [::]:*        users:(("named",pid=23040,fd=25))
tcp   LISTEN 0      100    [::]:25                                  [::]:*        users:(("master",pid=20373,fd=14))
tcp   LISTEN 0      128    *:443                                    *:*           users:(("apache2",pid=27780,fd=6),("apache2",pid=27045,fd=6),("apache2",pid=27010,fd=6),("apache2",pid=26893,fd=6),("apache2",pid=26092,fd=6),("apache2",pid=26089,fd=6),("apache2",pid=26088,fd=6),("apache2",pid=26052,fd=6),("apache2",pid=22889,fd=6),("apache2",pid=5822,fd=6),("apache2",pid=4003,fd=6),("apache2",pid=1722,fd=6))
In essence the output is almost the same, only here we get more data per line, and the column showing the protocol is called Netid.
If we still want to filter for the "LISTEN" entries only, we can do so with grep:
sudo ss -tunlp | grep LISTEN
List of ports in active use
If we are interested in the currently active connections, we can view this with the following command:
sudo ss -tunp
Netid State Recv-Q Send-Q Local Address:Port            Peer Address:Port
tcp   ESTAB 0      0      192.168.1.130:22              192.168.1.100:35340     users:(("sshd",pid=10410,fd=3),("sshd",pid=10392,fd=3))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56267 users:(("apache2",pid=10427,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56255 users:(("apache2",pid=21615,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56249 users:(("apache2",pid=10425,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56266 users:(("apache2",pid=11511,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56223 users:(("apache2",pid=10424,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56233 users:(("apache2",pid=10426,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56244 users:(("apache2",pid=21613,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:8080   [::ffff:192.168.1.3]:56275 users:(("apache2",pid=11512,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56232 users:(("apache2",pid=10422,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56240 users:(("apache2",pid=21612,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56230 users:(("apache2",pid=21611,fd=22))
tcp   ESTAB 0      0      [::ffff:192.168.1.130]:443    [::ffff:192.168.1.3]:56231 users:(("apache2",pid=21614,fd=22))
The status "ESTAB" (established) indicates that the connection is active.
Here, too, I updated the website running on the server (port 443) and ISPConfig (port 8080) several times so that more data could be seen.
List the ports assigned to all services
And if we want to display the listening (LISTEN) ports and the already connected (ESTAB, etc.) ports at the same time, we can again use the short -a or the long --all switch:
sudo ss -tunpa
sudo ss -tunp --all
Search and check for free ports
If we want to search for a free port, we can filter by port number in the same way as with netstat:
sudo ss -tunpa | grep <port number>
If it produces output, the port is busy; if it produces no output, the port can be used freely.
Here too, we first look at port 443 (HTTPS) and then at a freely chosen custom port, for example 57345:
sudo ss -tunpa | grep 443
sudo ss -tunpa | grep 57345
Here as well, connections using the HTTPS protocol appeared for the first command, while the second command gave no output, so the second port number can be used freely.
The parameters and switches of the ss command, and the way it works, are very similar to netstat, so with it too we can easily check the state of our network ports.
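The listening-port output above and the grep-based free-port check both lend themselves to a small amount of scripting. As an added example (not code from the original article), the shell functions below read ss -tunlp output and, first, mark which listening services are bound to all interfaces and thus reachable from other hosts rather than to loopback only; second, check a single port with the match anchored on the Local Address:Port column, since a plain grep 443 also matches lines containing 8443 or a PID that happens to contain 443. The sample lines are constructed from the kind of entries shown above.

```shell
#!/bin/sh
# Added example, not code from the original article: two helpers that read
# `sudo ss -tunlp` output on stdin.
#   exposed_listeners  - one line per listening socket, marking whether its
#                        bind address is reachable from other hosts
#                        ("EXPOSED") or from this machine only ("local")
#   port_in_use PORT   - anchored check of the Local Address:Port column, so
#                        that 443 no longer also matches 8443 or a PID/fd
#                        number that happens to contain 443
# Live usage:  sudo ss -tunlp | exposed_listeners
#              sudo ss -tunlp | port_in_use 57345 && echo busy || echo free

# Constructed sample of ss -tunlp output (a subset of what the article shows).
SS_SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=563,fd=17))
tcp LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=500,fd=26))
tcp LISTEN 0 80 *:3306 *:* users:(("mysqld",pid=19462,fd=144))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=580,fd=3))
tcp LISTEN 0 128 [::1]:10023 [::]:* users:(("postgrey --pidf",pid=708,fd=6))
tcp LISTEN 0 128 *:8443 *:* users:(("apache2",pid=1722,fd=6))'

exposed_listeners() {
  awk '
    $1 == "Netid" { next }                      # skip the header line
    {
      n = split($5, a, ":"); port = a[n]        # text after the last ":" is the port
      addr = substr($5, 1, length($5) - length(port) - 1)
      # 127.x.x.x and [::1] are reachable only from the machine itself;
      # 0.0.0.0, [::], * and any interface address are reachable remotely.
      scope = (addr ~ /^(127\.|\[::1\]$)/) ? "local" : "EXPOSED"
      proc = "-"
      if (match($0, /users:\(\("[^"]*"/))      # first process name in users:(...)
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      printf "%s %s %s %s\n", $1, port, proc, scope
    }'
}

port_in_use() {
  # Match ":PORT" only at the end of the Local Address:Port column.
  awk -v port="$1" '$1 != "Netid" && $5 ~ (":" port "$") { found = 1 }
                    END { exit !found }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SS_SAMPLE" | exposed_listeners
printf '%s\n' "$SS_SAMPLE" | port_in_use 443 && echo "443: busy" || echo "443: free"
```

Every line marked EXPOSED is a service that a firewall rule or a loopback bind address should be protecting if it is not meant to be public.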
lsof
The lsof command is a powerful command-line utility that provides information about the files opened by the various processes. Since everything in Linux is a file, including the endpoints (sockets) of network communication, by examining open files we can also obtain information about the state of the ports behind those endpoints.
List of listening ports
To list the listening ports, run the following lsof command:
sudo lsof -nPi | grep -E "COMMAND|LISTEN|UDP|TCP"
Where the switches and filter words mean the following:
- -n: Use IP addresses instead of hostnames.
- -P: Display port numbers instead of port names.
- -i: This switch has several functions, mostly filtering. With nothing after it, it selects only IPv4 and IPv6 files, i.e. network connections.
- grep: Filters the output down to the lines we are interested in, with these parameters:
  - -E: extended regexp, i.e. use extended regular expressions. With it, special characters do not need to be escaped with "\". The egrep command can be used as a synonym for this switch.
  - Filter words: we keep the rows containing any of the following words (logical OR):
    - COMMAND: Included only so that the header row is also shown, which makes the output easier to read.
    - LISTEN: Files belonging to listening ports.
    - UDP: For files connected to UDP sockets this appears in place of the file's node ID (the NODE column), so we can easily filter on it.
    - TCP: The same for files connected to TCP sockets.
And the output is:
COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
memcached   500    memcache  26u   IPv4   17426      0t0  TCP 127.0.0.1:11211 (LISTEN)
sshd        580        root   3u   IPv4   17445      0t0  TCP *:22 (LISTEN)
sshd        580        root   4u   IPv6   17447      0t0  TCP *:22 (LISTEN)
munin-nod   663        root   5u   IPv6   17717      0t0  TCP *:4949 (LISTEN)
postgrey    708    postgrey   5u   IPv4   20176      0t0  TCP 127.0.0.1:10023 (LISTEN)
postgrey    708    postgrey   6u   IPv6   20177      0t0  TCP [::1]:10023 (LISTEN)
sshd      10392        root   3u   IPv4 3636818      0t0  TCP 192.168.1.130:22->192.168.1.100:35340 (ESTABLISHED)
sshd      10410 linuxportal   3u   IPv4 3636818      0t0  TCP 192.168.1.130:22->192.168.1.100:35340 (ESTABLISHED)
apache2   10422    www-data   4u   IPv6  146489      0t0  TCP *:80 (LISTEN)
apache2   10422    www-data   6u   IPv6  146493      0t0  TCP *:443 (LISTEN)
apache2   10422    www-data   8u   IPv6  146497      0t0  TCP *:8081 (LISTEN)
apache2   10422    www-data  10u   IPv6  146505      0t0  TCP *:8080 (LISTEN)
apache2   10426    www-data   4u   IPv6  146489      0t0  TCP *:80 (LISTEN)
apache2   10426    www-data   6u   IPv6  146493      0t0  TCP *:443 (LISTEN)
apache2   10426    www-data   8u   IPv6  146497      0t0  TCP *:8081 (LISTEN)
[...]
On this server this produces a longer list, so only the beginning is shown.
Meaning of the columns of the resulting output:
- COMMAND: The process or service that holds the open file.
- PID: The ID of the process.
- USER: Owner of the file.
- FD: The file descriptor of the file. For normal files this is a positive integer (followed by the access mode), while other resource files show an abbreviation; see the command's manual page for details.
- TYPE: The type of node associated with the file. This can be many things, for example a regular file, a directory, a block device, or the endpoint (socket) of a network connection, in which case IPv4 or IPv6 is shown, depending on which protocol version the connection uses.
- DEVICE: Device identifiers. Multiple values are separated by commas.
- SIZE/OFF: File size in bytes. For special resource files "0t0" is displayed.
- NODE: The node identifier of the file. For normal files this is a positive integer; for special resource files it is the protocol type, such as TCP.
- NAME: For normal files the path of the file; for special resource files the data specific to that resource. For socket files this is network data such as the hostname or IP address, the port number and the connection state (e.g. LISTEN, ESTABLISHED, etc.).
This list shows a lot of things, including a couple of lines marked ESTABLISHED, which we can filter out of the output with grep's -v switch if we do not want to see them:
sudo lsof -nPi | grep -E "COMMAND|LISTEN|UDP|TCP" | grep -v "ESTABLISHED"
As you can see at the beginning of the list, there are files belonging to ports 22, 80, 443, 8080, etc. Of course there are other services further down; here "apache2" fills the visible lines. The many apache2 lines are due to PHP-FPM's process management: Apache waits for incoming requests on this many threads, so new web connections are established faster and the requested pages load sooner in the clients' browsers.
List of ports in active use
The currently active port connections can be viewed with the following command:
sudo lsof -nPi | grep -E "COMMAND|ESTABLISHED"
Here we filter for the word "ESTABLISHED", and to keep the header row we also include the word "COMMAND". The output is:
COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
apache2    1837    www-data  22u   IPv6 5607954      0t0  TCP 192.168.1.130:8080->192.168.1.3:55034 (ESTABLISHED)
apache2    7741    www-data  22u   IPv6 5609490      0t0  TCP 192.168.1.130:443->192.168.1.3:54994 (ESTABLISHED)
sshd      23504        root   3u   IPv4 5600073      0t0  TCP 192.168.1.130:22->192.168.1.100:43354 (ESTABLISHED)
sshd      23510 linuxportal   3u   IPv4 5600073      0t0  TCP 192.168.1.130:22->192.168.1.100:43354 (ESTABLISHED)
apache2   24380    www-data  22u   IPv6 5609486      0t0  TCP 192.168.1.130:443->192.168.1.3:54990 (ESTABLISHED)
apache2   24387    www-data  22u   IPv6 5607306      0t0  TCP 192.168.1.130:443->192.168.1.3:55011 (ESTABLISHED)
sshd      27429        root   3u   IPv4 5333070      0t0  TCP 192.168.1.130:22->192.168.1.100:38116 (ESTABLISHED)
sshd      27447 linuxportal   3u   IPv4 5333070      0t0  TCP 192.168.1.130:22->192.168.1.100:38116 (ESTABLISHED)
Here you can also see the active connections of the sshd and web server ports.
List the ports assigned to all services
If we want to list all the listening (LISTEN) ports and the active ports at the same time, we either leave out the filter from the previous command or extend it so that all states are included:
sudo lsof -nPi
sudo lsof -nPi | grep -E "COMMAND|LISTEN|ESTABLISHED|UDP|TCP"
Search and check for free ports
If we want to search for a free port, we can do so with the -i parameter of the lsof command:
sudo lsof -nPi:<port number>
Here the letter "i" is immediately followed by a colon and then by the port number, so there must be no spaces between them!
If it produces output, the port is busy; if it produces no output, the port can be used freely.
Here too, sticking to the previous example, we look at the same two ports, 443 and 57345:
sudo lsof -nPi:443
sudo lsof -nPi:57345
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2    1795 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2    1837 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2    1865 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2    7648 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2    7746 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   22889     root   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24380 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24384 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24386 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24387 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24388 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
apache2   24390 www-data   6u   IPv6 146493      0t0  TCP *:443 (LISTEN)
Port scan commands for checking ports from the outside
When checking ports from the outside, we run a port scan against the computer to be checked to find out which ports are open, which services listen on them, and so on. Port scanning is usually performed by system administrators to check the security of their servers, but unfortunately it is also often used by malicious attackers to map the weak points of a chosen target.
Nmap
The Nmap (Network Mapper) command is a tool for efficient network discovery and security auditing. It can also be run as a normal user, but many of its functions require root privileges, so I will run the following examples with root privileges.
To install it on Debian/Ubuntu systems, run the following command:
sudo apt-get install nmap
With the command, we can easily scan the better-known TCP and UDP ports on our own or remote computers:
nmap <hostname or IP address>
nmap -sT <hostname or IP address>
nmap -sU <hostname or IP address>
nmap -sTU <hostname or IP address>
The first and second commands scan TCP ports (the first scans TCP ports by default even without a switch), while the third scans UDP ports, which takes much longer because of how the UDP protocol works. The fourth command scans ports of both protocols. With nmap, then, we can check our ports "from the outside".
nc/ncat
nc/ncat (Netcat) is a command-line utility that reads and writes data over network connections using the TCP or UDP protocol. It is one of the most effective tools in the system administrator's arsenal, which is why it is often called the Swiss Army knife of network tools. Netcat is cross-platform, so it is available on several operating systems such as Linux, macOS, Windows and BSD. It can be used to debug and monitor network connections, look for open ports, transfer data, and so on.
The program is already pre-installed in most distributions, but if by chance it is not on your computer, install it with the following command:
sudo apt-get install ncat
The basic syntax of the netcat utility is as follows:
nc [options] host port
The command can be used to query ports on remote computers to determine whether they are open or not, using the following syntax:
nc -vz <hostname or IP address> <TCP port number>
nc -vzu <hostname or IP address> <UDP port number>
Examples:
nc -vz debian10.linuxportal.vm 80
nc -vzu debian10.linuxportal.vm 53
The first command checks a TCP port, while the second checks a UDP port.
Conclusion
As you can see, there are several options for checking the network ports of our computer or server. We can check ports "in-house" with various commands, but we can also perform port scanning externally to make sure our system is secure.