Check OPEN Ports in Linux [Like a PRO]

In the vast world of Linux, understanding how to monitor and manage network connections is essential for both system administrators and users alike. One of the key aspects of this process is knowing how to check open ports in Linux. By gaining insights into which ports are open or in use, you can effectively ensure the smooth functioning of your system, troubleshoot issues, and enhance overall security. In this article, we will delve into the intricacies of checking available ports in Linux, exploring various commands and tools that can help you identify and manage these critical communication gateways. So, whether you are a seasoned professional or a newcomer to Linux, this comprehensive guide will equip you with the necessary knowledge and skills to efficiently manage your system's ports.

"Open Port" Vs "Listening Port". Are the same?

Do you want to check if a port is open on the destination server or between source and destination server?

OR

Do you want to check if a port is in LISTENING state on the destination server.

Open ports and listening ports are terms used in networking to describe the state of a network port on a computer or device. Though they are often used interchangeably, there is a subtle difference between the two:

1. Open Port: An open port is a network port that is configured to accept incoming connections from external sources. This means that the port is not blocked by a firewall or any other security mechanism, allowing data packets to flow in and out. Open ports are necessary for various services and applications to function correctly, as they provide a means of communication between the application and the external network.
2. Listening Port: A listening port is a specific state of an open port where a service or application is actively waiting (or "listening") for incoming connections from clients. When a client attempts to establish a connection with a server, it sends a request to the listening port. Once the server receives the request, it can accept the connection, and the communication between the client and the server begins.

You have to understand the difference and your requirement.

As it doesn't necessarily mean that if a port is not listening then it is not open. A port will be in LISTEN state only when it is in use by some process or else a port can be open and free but since it is not in USE it will not be listed with netstat, lsof, ss commands etc.

So I hope you are clear with your requirement.

List of methods to check open ports in Linux

1. Telnet: You can use the telnet command to check if a specific port is open on a remote host by attempting to establish a connection. Example: telnet <IP_ADDRESS> <PORT_NUMBER>
2. Nmap: Nmap (Network Mapper) is a powerful and versatile open-source tool for scanning and analyzing networks. You can use Nmap to check if a port is open on a remote host. Example: nmap <IP_ADDRESS> -p <PORT_NUMBER>
3. Netcat (nc): Netcat is another versatile networking tool that can be used to check if a port is open on a remote host by attempting to establish a connection. Example: nc -zv <IP_ADDRESS> <PORT_NUMBER>

1. Using nmap

Nmap (Network Mapper) is a powerful open-source tool widely used for network discovery, security auditing, and port scanning. It can help you identify open ports on a remote host or a range of hosts, providing valuable information about the services running on the target system and its potential vulnerabilities.

First, ensure that Nmap is installed on your Linux system. If it's not installed, you can install it using the package manager for your distribution. For example:

On Debian/Ubuntu-based systems, use the following command:

sudo apt-get install nmap

On Fedora systems, use the following command:

sudo dnf install nmap

On CentOS/RHEL systems, use the following command:

sudo yum install nmap

Currently I have not added any firewall rules on my destination server:

[root@server-2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now let us check open ports between 35520-35522 on this server using some different client machine with nmap:

We have used -PN to perform TCP SYN/ACK check on the provided list of ports but the output claims that all of these ports are closed. But this is not correct as there is no firewall on server-2 and this setup in in my local LAN so no other firewalls in between these servers.

Now here are the list of listening ports on server-2:

So if we try to scan these listening ports using nmap:

All of these ports are marked as OPEN. So unless your ports are in use by some process, they will not be marked as OPEN.

Let's perform some more tests. I will DROP all the incoming requests and only allow certain ports on server-2 using iptables:

[root@server-2 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@server-2 ~]# iptables -P INPUT  DROP
[root@server-2 ~]# iptables -A INPUT -p tcp --dport 35520 -j ACCEPT

List the applied rules

[root@server-2 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:35520
...

So I have explicitly allowed port 35520, now let's perform nmap scan for this port and some others:

Now port 35520 is marked as CLOSED as it is explicitly allowed in iptables but currently is not in use while others are marked as FILTERED as they are blocked in firewall.

Understanding different states in nmap

Though the current version of NMAP is capable of performing many tasks, it initially started out as a port scanner. NMAP has certain ways to detect whether the port on the target system is open or closed. NMAP detects the status of the target port using predefined states as follows:

• Open: The Open state indicates that an application on the target system is actively listening for connections/packets on that port.
• Closed: The Closed state indicates there isn’t any application listening on that port. However, the port state could change to Open in the future.
• Filtered: The Filtered state indicates that either a firewall, a filter, or some kind of network hurdle is blocking the port and hence NMAP isn’t able to determine whether it is open or closed.
• Unfiltered: The Unfiltered state indicates that ports are responding to NMAP probes; however, it isn’t possible to determine whether they are open or closed.
• Open/Filtered: The Open/Filtered state indicates that the port is either filtered or open; however, NMAP isn’t precisely able to determine the state.
• Closed/Filtered: The Closed/Filtered state indicates that the port is either filtered or closed; however, NMAP isn’t precisely able to determine the state.

2. Using hping3 tool

Hping3 is a versatile command-line utility that allows you to perform various network tasks, such as sending custom ICMP/TCP/UDP packets, traceroute, and port scanning. You can use hping3 to check open ports on a remote host by crafting and sending custom TCP packets and analyzing the response.

You may download hping3 using EPEL repo.

We will retain the iptables rule which we applied in the previous example where we had blocked all the ports except 22 and 35520 and perform network scan using hping3:

So based on the above hint, hping3 got a RESET request with ACK on port 35520 which means the port may be in OPEN state while the other ports in the provided range are not responding so they are closed.

If any of the port is in LISTENING state then hping3 will return SYN and ACK flag as shown below:

[root@server-1 ~]# hping3 --scan 22 -S server-2 -V
using eth1, addr: 192.168.0.153, MTU: 1500
Scanning server-2 (192.168.0.114), port 22
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   22 ssh        : .S..A...  64     0 29200    46
All replies received. Done.
Not responding ports:

3. Using nc command

The nc (Netcat) command is a versatile networking tool that can be used for various purposes, such as creating a simple chat server, transferring files, or port scanning. You can use Netcat to check if a specific port is open on a remote host by attempting to establish a connection and observing the result. nc can be used to open any port and mark it as listening and then on the client server you can again use nc to send some dummy data to test firewall rule.

To check open ports, use the following command:

nc -v <IP_ADDRESS> <PORT_NUMBER>

where -v enables verbose mode, providing more detailed output.

Let us retain the above applied iptables rule, so on our server port 35520 is allowed in the firewall. To test this firewall rule, we will enable port 35520 using nc:

[root@server-2 ~]# nc -l 35520 -v
Listening on 0.0.0.0 3552

So our server is now listening on port 35520, now let's try to connect to this port using any other client node:

[root@server-1 ~]# nc server-2 35520 -v
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.0.114:35520.

Similarly let's try to test firewall rule for any other port which is blocked (we have blocked all the ports except 35520 and 22):

[root@server-2 ~]# nc -l 35521 -v
Listening on 0.0.0.0 35521

Since port 35521 port is blocked in the firewall, the same will not be accessible from server-1:

[root@server-1 ~]# nc server-2 35521 -v
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connection timed out.

You can also scan a range of ports using the nc command. To do so, specify the range using a hyphen (-) or separate multiple ports using a comma (,). For example:

nc -v <IP_ADDRESS> 80-100

4. Using telnet command

Telnet is a command-line network protocol that allows you to interact with remote devices or servers over a text-based interface. It was primarily used for remote management of Unix-like systems and network equipment. Although Telnet is considered insecure due to the lack of encryption and has been largely replaced by SSH, it can still be useful as a simple tool to check if a specific port is open on a remote host.

Here's how to use the telnet command to check open ports on a remote host:

telnet <IP_ADDRESS> <PORT_NUMBER>

Replace <IP_ADDRESS> with the IP address or domain name of the target host, and <PORT_NUMBER> with the port number you want to check.

If the port is open, you'll see a response indicating a successful connection, such as:

Trying <IP_ADDRESS>...
Connected to <DOMAIN_NAME>.
Escape character is '^]'.

If you successfully connect to an open port, you'll need to close the connection. To do so, press Ctrl + ] to access the Telnet command prompt, then type quit and press Enter.

If the port is closed or unreachable, you'll see a response indicating a failed connection, such as:

Trying <IP_ADDRESS>...
telnet: Unable to connect to remote host: Connection refused

List of methods to check listening ports in Linux

1. Netstat: The netstat command is a widely used utility to display various network-related information, including listening ports. Example: netstat -tuln (for TCP and UDP ports in numeric format)
2. SS (Socket Statistics): SS is a modern alternative to netstat and can be used to display detailed information about sockets, including listening ports. Example: ss -tuln (for TCP and UDP ports in numeric format)
3. lsof (List Open Files): lsof is a powerful command-line tool that can display information about open files, including listening ports. Example: lsof -i -P -n | grep LISTEN

1. Using netstat command

Netstat is a widely used utility that displays various network-related information, including listening ports. To check listening ports using netstat, run the following command:

netstat -tuln

In this command:

• -t: Show TCP connections.
• -u: Show UDP connections.
• -l: Show only listening sockets.
• -n: Display numerical addresses instead of resolving hostnames.

Sample Output:

# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:18080         0.0.0.0:*               LISTEN     
tcp        0      0 192.100.2.56:18080      0.0.0.0:*               LISTEN     
tcp        0      0 192.100.4.55:49152      0.0.0.0:*               LISTEN     
tcp        0      0 192.100.4.55:49153      0.0.0.0:*               LISTEN     
tcp        0      0 192.100.2.56:9153       0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN     

2. Using ss command

SS is a modern alternative to netstat and can display detailed information about sockets, including listening ports. To check listening ports using ss, run the following command:

ss -tuln

In this command:

• -t: Show TCP connections.
• -u: Show UDP connections.
• -l: Show only listening sockets.
• -n: Display numerical addresses instead of resolving hostnames.

Here is a sample output:

Netid State      Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
udp   UNCONN     0      0           192.100.2.56:53                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*                  
udp   UNCONN     0      0                      *:68                                 *:*

3. Using lsof (List Open Files)

lsof is a powerful command-line tool that can display information about open files, including listening ports. To check for listening ports using lsof, run the following command:

sudo lsof -i -P -n | grep LISTEN

In this command:

• -i: Show Internet network files (TCP and UDP connections).
• -P: Display port numbers instead of names.
• -n: Display numerical addresses instead of resolving hostnames.
• grep LISTEN: Filter the output to show only listening sockets.

Here is a sample output:

~]# lsof -i -P -n | grep LISTEN
kube-sche   695  nobodytwo    7u  IPv6 256609924      0t0  TCP *:10251 (LISTEN)
kube-sche   695  nobodytwo    8u  IPv6 256609930      0t0  TCP *:10259 (LISTEN)
bcmt-cont  3061       root    7u  IPv6    432808      0t0  TCP *:8086 (LISTEN)
agent      4810     nobody    7u  IPv4    447596      0t0  TCP 127.0.0.1:65432 (LISTEN)
cephcsi    5518       root    6u  IPv4 441690382      0t0  TCP 192.100.2.56:9980 (LISTEN)
nginx      6034 cloud-user    7u  IPv4    674602      0t0  TCP 192.100.2.56:18080 (LISTEN)
nginx      6034 cloud-user   11u  IPv4    674728      0t0  TCP *:9090 (LISTEN)
nginx      6034 cloud-user   12u  IPv6    674729      0t0  TCP *:9090 (LISTEN)
nginx      6034 cloud-user   13u  IPv4    674731      0t0  TCP *:8082 (LISTEN)
nginx      6034 cloud-user   14u  IPv6    674732      0t0  TCP *:8082 (LISTEN)
nginx      6034 cloud-user   15u  IPv4    674734      0t0  TCP 127.0.0.1:18080 (LISTEN)

Summary

In Linux, checking available ports is an essential task for managing network connections and ensuring the security of your system. Various tools can be used to check open ports and to check listening ports in Linux, providing valuable information about running services, potential vulnerabilities, and network configurations. Some of the most commonly used tools for this purpose include netstat, ss, lsof, nmap, hping3, nc (Netcat), and telnet. These utilities offer different functionalities and options to monitor, analyze, and manage network connections effectively. Always remember to use these tools responsibly and ethically, as scanning remote hosts without permission may be considered intrusive and potentially illegal.

Further Readings

man page for hping3