List All Open Ports on Linux

Tags: ports, networking, ss, netstat, security, audit, lsof
4 min read

Quick Answer

Run sudo ss -tlnp to list every TCP port the host is listening on, the process attached to it, and whether it is bound to all interfaces (0.0.0.0 or the IPv6 wildcard: reachable from the network unless a firewall rule blocks it) or to loopback only (127.0.0.1 or ::1: reachable only by processes on the same machine, which still includes any compromised local account or a service that can be coaxed into making local requests). ss is the iproute2 replacement for netstat and is the default tool on current distributions; it queries the kernel socket tables through netlink instead of parsing /proc/net, so it is faster on busy hosts. The output columns are State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port and Process. Local Address:Port is the one that matters: 0.0.0.0:PORT, [::]:PORT, *:PORT or (older ss and netstat) :::PORT means the service accepts connections on every interface; 127.0.0.1:PORT or [::1]:PORT means local only; a single address such as 10.0.0.5:PORT means one interface. Run it with sudo: an unprivileged user still sees every listening port, but the Process column is filled in only for that user's own processes.

You don't know what your server is listening on until something that shouldn't be externally reachable is. A misconfigured service, a forgotten debug port, a package that auto-started on install — any of them can be sitting on an open port right now. This script maps all of them in one run.

What Does the Open Port Audit Script Look Like?

bash
#!/bin/bash
# Script: list-open-ports.sh
# Purpose: Audit every port your server listens on: find forgotten services before attackers do
# Usage: sudo ./list-open-ports.sh
# Note: only the current network namespace is shown. Containers, and ports exposed by
# iptables/nftables DNAT rules (e.g. Docker published ports without the userland proxy),
# need a separate check.
set -euo pipefail

CHECK="✓"
CROSS="✗"

if [[ $EUID -ne 0 ]]; then
  echo "(not root: process names are shown only for your own sockets; run with sudo for full detail)"
fi

# Pick the socket lister once: ss (iproute2) on modern systems, netstat (net-tools) as fallback.
if command -v ss &>/dev/null; then
  LIST_TCP=(ss -tlnp)
  LIST_UDP=(ss -ulnp)
elif command -v netstat &>/dev/null; then
  echo "(ss not found, using netstat)"
  LIST_TCP=(netstat -tlnp)
  LIST_UDP=(netstat -ulnp)
else
  echo "$CROSS Neither ss nor netstat found. Install iproute2 or net-tools."
  exit 1
fi

echo "=== Listening TCP Ports ==="
echo ""
"${LIST_TCP[@]}"
echo ""

echo "=== Bound UDP Sockets ==="
echo ""
"${LIST_UDP[@]}"
echo ""

echo "=== Port-to-Process Map (lsof) ==="
echo ""
if command -v lsof &>/dev/null; then
  # grep exits 1 when nothing matches; with pipefail that triggers the fallback message
  lsof -i -P -n | grep LISTEN || echo "No LISTEN sockets found by lsof"
else
  echo "(lsof not installed, skipping)"
fi
echo ""

echo "$CHECK Audit complete. Investigate any port you cannot explain."

What each flag does

  • command -v ss: checks whether ss is available before calling it, and falls back to netstat. Hard-failing on a missing tool would make the script useless on older systems.
  • ss -tlnp: -t TCP, -l listening sockets only, -n numeric output (no reverse DNS and no /etc/services names, so it is faster and the output is stable), -p show the owning process. Process details for sockets owned by other users require root.
  • ss -ulnp: same flags with -u for UDP. UDP has no LISTEN state, so bound sockets are reported as UNCONN. DNS (53), NTP (123) and the DHCP client (68) are expected; anything else warrants a second look.
  • lsof -i -P -n | grep LISTEN: -i network files, -P numeric ports, -n no hostname resolution. lsof's own filter, -sTCP:LISTEN, selects the same sockets without the grep. The process-name-first layout makes services easier to identify at a glance.
  • $EUID -ne 0: warns without failing when run unprivileged. The port list is still complete; only the process column is incomplete.

How Do I Read the ss Output?

The column that determines your exposure is Local Address:Port:

  Address prefix            Meaning
  0.0.0.0:PORT              All IPv4 interfaces: reachable from the network
  [::]:PORT                 IPv6 wildcard, IPv6 only (current ss; older ss and netstat print :::PORT)
  *:PORT                    Current ss: IPv6 wildcard with dual-stack enabled, accepts IPv4 too. Older ss: IPv4 wildcard. Either way, all interfaces
  :::PORT                   All IPv6 interfaces (older ss, netstat); may accept IPv4 too
  127.0.0.1:PORT            IPv4 loopback: not reachable from outside the host
  [::1]:PORT or ::1:PORT    IPv6 loopback: local only
  10.0.0.5:PORT (any single address)   Bound to one interface: reachable from that network only

Whether an IPv6 wildcard socket also accepts IPv4 connections depends on the socket's IPV6_V6ONLY option; the system default is sysctl net.ipv6.bindv6only (0 means dual-stack).

Any wildcard or single-interface port you cannot name and justify should be disabled, rebound to 127.0.0.1, or firewalled before the machine is internet-facing. Listening is not the same as reachable: an existing nftables/iptables rule may already block a port, and a DNAT rule can expose one that never appears in this list, so review the firewall rules alongside it.

What Are the Common Variations?

Check one specific port:

bash
ss -tlnp 'sport = :8080'
lsof -nP -iTCP:8080 -sTCP:LISTEN

Filtering inside ss (sport is the local port of a listening socket) avoids the false matches a plain grep :8080 gives on ports such as 18080; the lsof form likewise restricts itself to the listening socket rather than every connection touching 8080.

Show only ports bound to all interfaces (externally reachable):

bash
ss -tlnp | awk 'NR == 1 || $4 !~ /^(127\.|\[::1\]|::1:)/'

Filter on the Local Address column ($4) rather than the whole line: the Peer Address column reads 0.0.0.0:* or [::]:* on every row, so a plain grep for 0.0.0.0 or ::: matches everything. This keeps wildcard and single-interface bindings and drops the loopback ones.

Check whether a port is open on a remote host:

bash
nc -zv -w 3 remotehost 443 2>&1

Run this from outside the host: it shows what is actually reachable through firewalls and NAT, which ss on the server itself cannot tell you. An exit status of 0 means the TCP handshake completed; -w 3 stops a filtered port from hanging the check.

How Do I Automate Open Port Monitoring?

Run weekly from root's crontab and diff each snapshot against the previous one. Three details matter: crontab cannot continue an entry across lines with a backslash, so the whole pipeline goes on one line; keep the snapshots in a root-owned directory rather than world-writable /tmp, where any local user could plant or alter the baseline; and snapshot without -p, because PIDs change on every service restart and would make every diff noisy. Cron mails any output to MAILTO, so printing only the diff means mail arrives only when the listening set changed:

bash
MAILTO=admin@yourdomain.com
0 6 * * 1 D=/var/lib/port-audit; mkdir -p $D; ss -tln | awk 'NR>1{print $4}' | sort > $D/current.txt; [ -f $D/prev.txt ] && diff $D/prev.txt $D/current.txt; mv $D/current.txt $D/prev.txt

When the diff shows a new address:port, run the full audit script to find the owning process.

New ports appearing between audits

A package update, a misconfigured service, or a developer leaving a debug endpoint running can open a new port without any explicit firewall change; weekly diffing catches this. If you find an unrecognized LISTEN port, identify the owner first (the Process column, or lsof -nP -iTCP:PORT -sTCP:LISTEN), then use the kill process on port script to stop it cleanly: SIGTERM first, SIGKILL only if the process ignores it. Killing is not enough on its own: if a systemd unit or init script started it, disable that as well (systemctl disable --now UNIT), or the port is back after the next reboot. Pair the port audit with the file permissions security audit to cover both network exposure and filesystem exposure in a single review session.
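The scheduled diff above loses the process name and breaks if a PID appears in the snapshot. As an added example that is not part of the original page, here is a baseline-and-diff script that keeps the process name but strips the PID and file descriptor before comparing, stores the baseline in a root-owned directory rather than /tmp, prints only the changes so cron mails only when something changed, and rotates the baseline after each run. The function names (normalize, compare, run_cycle), the STATE_DIR path and the --cron switch are my own choices, and the two SAMPLE_* snapshots are constructed ss -tlnp output, not captures.

```bash
#!/bin/bash
# Added example (not from the original page): baseline/diff audit of the
# listening TCP set, meant to run from cron. STATE_DIR is an assumed path and
# the SAMPLE_* strings are constructed test data.
set -euo pipefail
export LC_ALL=C          # sort and comm must agree on collation

STATE_DIR=${STATE_DIR:-/var/lib/port-audit}

# Between the two snapshots sshd restarted (new PID: not a change), mysqld
# stopped listening, and a Java app bound the dual-stack wildcard on 8080.
SAMPLE_BASELINE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=990,fd=6),("nginx",pid=989,fd=6))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
LISTEN 0      511    10.0.0.5:3306       0.0.0.0:*         users:(("mysqld",pid=1502,fd=21))'

SAMPLE_CURRENT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=4410,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=4410,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=990,fd=6),("nginx",pid=989,fd=6))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
LISTEN 0      4096   *:8080              *:*               users:(("java",pid=2231,fd=45))'

# Reduce `ss -tlnp` text on stdin to sorted, unique "local_address process"
# lines. The process name is the first quoted name in the users:(...) field;
# PIDs and fds are dropped because they change on every restart.
normalize() {
  awk 'NR > 1 && $1 == "LISTEN" {
         p = "-"
         if (match($0, /\(\("[^"]+"/)) p = substr($0, RSTART + 3, RLENGTH - 4)
         print $4, p
       }' | sort -u
}

# Compare two normalized files. Prints "+ addr proc" for new listeners and
# "- addr proc" for vanished ones; returns 1 when anything changed.
compare() {
  local changes
  changes=$(comm -3 "$1" "$2" |
            awk -F'\t' '{ if ($1 == "") print "+", $2; else print "-", $1 }')
  [[ -z $changes ]] && return 0
  printf '%s\n' "$changes"
  return 1
}

# One scheduled cycle on a live host: snapshot, report, rotate the baseline.
# The first run only records the baseline. Under cron, stdout (the change
# list) is mailed to MAILTO; silence means nothing changed.
run_cycle() {
  local base=$STATE_DIR/baseline.txt new=$STATE_DIR/current.txt rc=0
  mkdir -p -m 0700 "$STATE_DIR"
  ss -tlnp | normalize > "$new"
  if [[ -f $base ]]; then
    compare "$base" "$new" || rc=1
  fi
  mv "$new" "$base"
  return $rc
}

if [[ ${1:-} == --cron ]]; then
  run_cycle
else
  # Demo on the constructed snapshots. Crontab entry for real use:
  #   0 6 * * 1 /opt/scripts/port-baseline.sh --cron
  tmp=$(mktemp -d)
  normalize <<<"$SAMPLE_BASELINE" > "$tmp/baseline.txt"
  normalize <<<"$SAMPLE_CURRENT"  > "$tmp/current.txt"
  compare "$tmp/baseline.txt" "$tmp/current.txt" || echo "(listening set changed)"
  rm -rf "$tmp"
fi
```

On the sample data the report is two lines, "+ *:8080 java" and "- 10.0.0.5:3306 mysqld"; the sshd restart produces nothing because the PID is not part of the normalized line. The non-zero return from run_cycle is deliberate: cron and systemd timers record a failed run, which is a second signal if the mail is missed.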

Frequently Asked Questions

What is the difference between ss and netstat?

ss queries the kernel's socket tables through the netlink sock_diag interface, falling back to /proc only if that is unavailable; netstat parses /proc/net/tcp and friends, which gets slow on hosts with many sockets. netstat belongs to net-tools, which most distributions no longer install by default in favour of iproute2, where ss lives. The information is equivalent; only the formatting differs, for example older ss and netstat print the IPv6 wildcard as ::: while current ss prints [::] or *.

Why do some entries show no process name?

The Process column is filled in only for sockets whose owning process ss is allowed to inspect: without root that means your own processes. A port held by a system service or another user shows the address and port with no PID or name. Run with sudo for complete output.

What does 0.0.0.0 vs 127.0.0.1 mean?

0.0.0.0, [::], * or (older tools) ::: means the service accepts connections on every interface, so external traffic can reach it unless a firewall rule blocks it. 127.0.0.1 or ::1 means loopback only: only processes on the same machine can connect, which keeps it off the network but does not protect it from a compromised local account or from an application on that host that can be tricked into making local requests.

How do I check one specific port?

ss -tlnp 'sport = :8080' asks ss itself to filter on the local port, which avoids the false matches a plain grep :8080 gives on ports such as 18080. lsof -nP -iTCP:8080 -sTCP:LISTEN gives the same answer with the process name displayed first.

Should I worry about high-numbered ports?

Only LISTEN state entries matter here. Ephemeral ports (32768–60999) used for outgoing connections won't appear in LISTEN. Any LISTEN port you cannot explain and justify should be disabled or firewalled.


Part of the Linux Security guide



Written by Anguishe

Creator of BashSnippets.xyz

bashsnippets.xyz/about
