# How to Get a List of All Open Ports in Linux


Knowing which ports are open on your Linux system is important for security and networking. Open ports represent services that are listening for connections from other computers. By default, Linux opens certain ports for essential services, but attackers can also use open ports to gain access.

Thankfully, Linux provides simple commands to list all open ports and help you audit your security.

In this beginner's guide, I'll explain what ports are, why they matter, and walk through different commands to list open ports on Linux. I'll try to use simple terms to make networking concepts relatable even if you're new to Linux administration.

## Understanding Ports and Services

First, what exactly is a "port" on Linux?

In networking, a port is a software-defined endpoint used by services to exchange data. For example, you connect to port 80 for unencrypted web traffic because web servers listen for HTTP requests on that port. Ports allow a single server to run multiple services.

Here are a few common ports and their associated services:

- **80** - HTTP (unencrypted web traffic)
- **443** - HTTPS (encrypted web traffic)
- **22** - SSH (secure remote access)
- **25** - SMTP (sending email)

When a port is open on the Linux server, that means a service is listening on the port and ready to respond to requests. Attackers often scan for open ports as part of probing for weaknesses. So you'll want to minimize ports that are unnecessarily open.

Now let's go over commands to list all open ports.

## Using netstat to List Open Ports

The `netstat` the command is the old-school Swiss army knife for network statistics on Linux. It can print quite a few reports, but we'll focus on the basics of listing open ports.

Run this to print both open TCP ports and UDP ports:

```plaintext
$ netstat -nutlp
```

Let's break down what those options mean:

- **n** - Prevents DNS lookup and shows IP addresses directly
- **u** - UDP ports
- **t** - TCP ports
- **l** - Listening ports
- **p** - Process/program name

You'll see output similar to this:

```plaintext
Proto Recv-Q Send-Q  Local Address          Foreign Address        State       PID/Program name
tcp        0      0  0.0.0.0:22             0.0.0.0:*              LISTEN      1234/sshd
tcp6       0      0  :::22                  :::*                   LISTEN      1234/sshd
```

The Local Address column tells you the open ports. 0.0.0.0 means all IPv4 addresses, while :: means all IPv6 addresses.

## Using ss to List Open Ports

The `ss` the command is a newer replacement for `netstat`. It can query socket statistics directly from the Linux kernel.

To print all open ports with `ss`:

```plaintext
$ ss -nutlp
```

It takes the same options as `netstat` above: show TCP/UDP ports, don't do DNS lookup, show only listening ports, and include processes.

The output is very similar to `netstat`. Overall `ss` is considered an improved version since it's faster and uses fewer system resources.

## Using lsof to Print Services Listening

The `lsof` stands for "list open files" - it prints what files and sockets are open by each process.

Run this variant to show only services listening on ports:

```plaintext
$ sudo lsof -i -P -n
```

Breaking down those options:

- **\-i** - Select only internet sockets
- **\-P** - Disable port name lookup
- **\-n** - Disable hostname lookup

This prints output like:

```plaintext
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1234     root    3u  IPv4   9055      0t0  TCP localhost:ssh (LISTEN)
sshd    1234     root    4u  IPv6   9056      0t0  TCP localhost:ssh (LISTEN)
```

The "LISTEN" in the NAME column indicates it's an open port listening for connections.

## List Only Open TCP Ports

Sometimes you want to filter out UDP ports for simpler results.

MySQL and PostgreSQL only use TCP for example, while DNS and DHCP use UDP.

To list just TCP ports open:

```plaintext
$ netstat -ntlp
```

Or with `ss`:

```plaintext
$ ss -ntl
```

This would omit UDP ports and show services listening over TCP only.

## Identifying High Port Numbers

When checking for open ports, pay special attention to any unrecognized high port numbers.

Applications should listen on registered ports below 1024. Hackers however sometimes open high ports above 1024 hoping they avoid attention.

For example, seeing port 12345 open could warrant further investigation:

```plaintext
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp6       0      0  :::44167                :::*                    LISTEN
```

While it could be a misconfigured application, an unknown high port like that may be used by attackers, bitcoin miners, or other suspicious software. So always research unfamiliar ports.

%[https://developnsolve.com/opening-ports-in-a-linux-firewall-for-beginners]

## Summarizing Key Takeaways

Listing open ports with Linux is the first step in controlling exposure and closing security holes. Remember that each open port represents an attack surface for vulnerabilities.

Here are some key takeaways about managing ports:

- **Minimize ports** - If a port isn't necessary for a business service, close it
- **Review often** - Audit ports monthly or after major configuration changes
- **Research unfamiliar ports** - Don't allow applications to listen on high numbered ports without review
- **Layer security** - Combine firewall policies to control port access

Learning tools like `netstat`, `ss`, and `lsof` gives you visibility and control. Listing open ports regularly keeps you informed and catches issues early.

While open ports are necessary for providing services, be thoughtful about managing exposure. Take time to review and secure ports to lock down your Linux environment. Careful port configuration is fundamental to Linux server administration best practices.

