Ports are logical endpoints that allow network devices to communicate with each other using protocols such as TCP and UDP. Each port has a number that identifies it and a service that listens on it for incoming connections. For example, port 80 is usually used by web servers to serve web pages, while port 22 is used by SSH servers to allow remote access.
Knowing how to check open [ports](https://www.binaryte.com/blog/essential-ports-numbers-explained) in Linux is essential for network administration and troubleshooting. Open ports show which services are running on a system, which network connections are established, and where potential vulnerabilities exist. However, open ports also pose security risks if they are not properly secured or monitored.
Today, we will learn how to check open ports in Linux using various tools and commands, such as netstat, ss, lsof, nmap, and nc. You will also learn how to secure ports in Linux using firewalls, port knocking, changing default passwords, and removing unnecessary services.
How to Check Open Ports in Linux
There are many ways to check open ports in Linux, but we will focus on five common tools and commands that can help you scan your system or a remote host for open ports.
netstat
netstat is a command-line tool that displays network connections, routing tables, and interface statistics. It can also show you what ports are listening on your system and what services are using them.
To use netstat to check open ports in Linux, run the following command (sudo is needed so that -p can show processes owned by other users):
sudo netstat -tunlp
The command uses several options:
- -t - shows TCP ports
- -u - shows UDP ports
- -n - shows numerical addresses instead of hostnames
- -l - shows listening ports
- -p - shows process IDs and names
You can see the protocol, local address, foreign address, state, and process name for each port. For example, you can see that port 22 is used by sshd (SSH daemon), while port 80 is used by apache2 (web server).
You can also use netstat with other options or filters to narrow down your results. For example, you can use -a to show all ports (including non-listening ones), -s to show statistics by protocol, or -c to show continuous updates.
ss
ss is another command-line tool that displays socket statistics. It is similar to netstat but faster and more powerful: netstat belongs to the deprecated net-tools package, while ss (from iproute2) is its modern replacement and is installed by default on most current distributions. It can also show you what ports are listening on your system and what services are using them.
To use ss to check open ports in Linux, you can run the following command:
sudo ss -tunlp
The command uses the same options as netstat:
- -t - shows TCP ports
- -u - shows UDP ports
- -n - shows numerical addresses instead of hostnames
- -l - shows listening ports
- -p - shows process IDs and names
You can see the same information as netstat but in a different format. For example, you can see that port 22 is used by sshd (SSH daemon), while port 80 is used by apache2 (web server).
You can also use ss with other options or filters to narrow down your results. For example, you can use -a to show all ports (including non-listening ones), -s to show summary statistics, or -4 or -6 to show only IPv4 or IPv6 ports.
lsof
lsof is a command-line tool that lists open files on a system. It can also show you what ports are listening on your system and what services are using them.
To use lsof to check open ports in Linux, you can run the following command:
sudo lsof -i -P -n
The command uses several options:
- -i - shows network files
- -P - shows port numbers instead of names
- -n - shows numerical addresses instead of hostnames
You can see the command, PID, user, file descriptor, type, device, size, node, name, and state for each port. For example, you can see that port 22 is used by sshd (SSH daemon), while port 80 is used by apache2 (web server).
You can also use lsof with other options or filters to narrow down your results. For example, you can use -u to show only ports used by a specific user, -p to show only ports used by a specific process, or -iTCP or -iUDP to show only TCP or UDP ports. Because -i alone also lists established connections, combine -iTCP with -sTCP:LISTEN when you only want the TCP sockets that are actually listening.
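Listing sockets is only half of the job; the practical check is whether anything is listening that should not be. The script below is an added example (not from the original article) that parses the output format of ss -tunlp, as shown in the netstat, ss and lsof sections above, and reports listening sockets whose port is not on an expected-ports baseline. The sample ss output, the ALLOWED_PORTS baseline and the CHECK_PORTS switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: parse `ss -tunlp` style output
# and report listening sockets whose port is not on an expected-ports list.

# Constructed sample of `sudo ss -tunlp` output. On a real host replace it with:
#   SS_OUTPUT="$(sudo ss -tunlp)"
SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=815,fd=3))
tcp   LISTEN 0      511    *:80              *:*               users:(("apache2",pid=1021,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1102,fd=21))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=815,fd=4))'

# Ports that are supposed to be open on this host (assumed baseline).
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80}"

# Print "proto port process" for every socket, one line each, header skipped.
# The port is whatever follows the last ':' of the local address, which also
# copes with IPv6 forms such as [::]:22; the process name is the first quoted
# string inside users:(...), or "-" when ss could not see it (not run as root).
listening_ports() {
    printf '%s\n' "$SS_OUTPUT" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        proc = "-"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, port, proc
    }' | sort -u
}

# Print only the sockets whose port is not in ALLOWED_PORTS.
unexpected_ports() {
    listening_ports | while read -r proto port proc; do
        allowed=0
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s %s %s\n' "$proto" "$port" "$proc"
        fi
    done
}

# Report with a non-zero exit status so the script can run from cron or CI.
# Usage: CHECK_PORTS=1 sh ports_check.sh   (sourcing it only defines functions)
if [ "${CHECK_PORTS:-0}" = "1" ]; then
    bad="$(unexpected_ports)"
    if [ -n "$bad" ]; then
        echo "Unexpected listening sockets:"
        printf '%s\n' "$bad"
        exit 1
    fi
    echo "Only expected ports are listening."
fi
```

With the sample data the report flags mysqld on 3306 and dhclient on UDP 68; whether those belong on the baseline is a decision for the host's owner, which is exactly the review the article's tools are meant to prompt. The same parsing works on netstat -tunlp output with the field index adjusted, since netstat prints the local address in column 4.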
nmap
nmap is a powerful network scanning tool that can scan single hosts or large networks. It can also show you what ports are open on a remote system and what services are running on them.
To use nmap to check open ports in Linux, you need to install it first. You can download it from the official nmap website or install it using your package manager.
Once installed, you can run the following command to scan for open ports on a remote system:
sudo nmap -sT -p- <IP address>
The command uses several options:
- -sT - performs a TCP connect scan
- -p- - scans all 65535 ports
- <IP address> - specifies the target IP address
You can see the port number, state, and service name for each open port; the version column appears when version detection is enabled with -sV (or -A). For example, you can see that port 22 is open and running OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0), while port 80 is open and running Apache httpd 2.4.38 ((Debian)).
You can also use nmap with other options or filters to customize your scan. For example, you can use -sU to scan for UDP ports, -O to detect the operating system, or -A to perform an aggressive scan that includes service detection, version detection, OS detection, and traceroute.
nc
nc (or netcat) is a simple command-line tool that can read and write data across network connections using TCP or UDP protocols. It can also be used to check open ports in Linux by sending packets to them and checking the response.
To use nc to check open ports in Linux, you can run the following command:
nc -z -v <IP address> <port range>
The command uses several options:
- -z - scans for listening ports without sending any data
- -v - enables verbose mode
- <IP address> - specifies the target IP address
- <port range> - specifies the range of ports to scan
You can see the connection attempt and the result for each port. With -z, nc only reports whether each connection succeeded; to read what a service sends back, connect to a single port without -z (for example nc -v <IP address> 22). For example, you can see that port 22 is open and responds with SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2, while port 80 is open and responds with HTTP/1.1 400 Bad Request once it receives a line that is not a valid request.
You can also use nc with other options or filters to customize your scan. For example, you can use -u to scan for UDP ports, -w to set a timeout for each connection attempt, or -n to disable DNS resolution.
How to Secure Ports in Linux
Having open ports in Linux is not necessarily a bad thing as long as they are used by legitimate services and applications. However, open ports can also expose your system to potential attacks if they are not properly secured or monitored.
There are several ways to secure ports in Linux, such as using firewalls, port knocking, changing default passwords, and removing unnecessary services. Here are some tips and examples for each method.
Use Firewalls
Firewalls are software or hardware devices that filter incoming and outgoing network traffic based on predefined rules. They can help you block unwanted connections and allow only authorized ones.
There are different types of firewalls available for Linux, such as iptables, ufw, firewalld, and nftables. Each firewall has its own syntax and features, but they all share the same basic concept of creating rules based on criteria such as source and destination addresses, protocols, ports, and actions.
For example, if you want to use iptables to allow only SSH connections from a specific IP address (say 192.168.1.100) to your system on port 22, you can run the following commands:
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
The first command appends (-A) a rule to the INPUT chain that accepts (-j ACCEPT) TCP packets (-p tcp) with destination port 22 (--dport 22) from source address 192.168.1.100 (-s 192.168.1.100).
The second command appends (-A) a rule to the INPUT chain that drops (-j DROP) TCP packets (-p tcp) with destination port 22 (--dport 22) from any other source address.
You can also use other firewalls with similar syntax and features, but they all share the same basic concept of creating rules based on criteria such as source and destination addresses, protocols, ports, and actions.
Using firewalls can help you secure your ports by allowing only the connections that you need and blocking the ones that you don't. However, you should also be careful not to create rules that are too restrictive or too permissive, as they can affect your system's functionality or security. Two details matter in practice: iptables evaluates a chain in order and -A appends at its end, so if an earlier rule already accepts all TCP traffic the two rules above are never reached (check with sudo iptables -L INPUT -n --line-numbers), and rules added this way are lost on reboot unless you save them with iptables-save or your distribution's persistence package.
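The two iptables commands above do their job, but typed again they add a second copy of each rule, and their effect depends on where they land in the chain. The script below is an added example (not from the original article) that applies the same SSH allowlist idempotently by checking with iptables -C before appending, and keeps the ACCEPT ahead of the DROP. TRUSTED_SRC, SSH_PORT, the IPTABLES override, the APPLY_RULES switch and the extra conntrack rule are assumptions made for this example, not part of the article.

```shell
#!/bin/sh
# Added example, not from the original article: apply the SSH allowlist from
# the text idempotently. Re-running plain `iptables -A` lines duplicates rules;
# checking with `iptables -C` first avoids that.

TRUSTED_SRC="${TRUSTED_SRC:-192.168.1.100}"   # admin host allowed to reach SSH
SSH_PORT="${SSH_PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"              # override to dry-run without root

# Append a rule only when an identical rule is not already in the chain.
# Arguments are the chain followed by the rule spec, for example:
#   add_rule_once INPUT -p tcp --dport 22 -j DROP
add_rule_once() {
    if "$IPTABLES" -C "$@" 2>/dev/null; then
        return 0                      # already present, keep the chain clean
    fi
    "$IPTABLES" -A "$@"
}

# Order matters: iptables stops at the first matching rule, so the ACCEPT for
# the trusted host has to come before the DROP. Accepting ESTABLISHED,RELATED
# first is standard practice so that sessions already open keep working
# whatever rules follow.
ssh_allowlist() {
    add_rule_once INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule_once INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED_SRC" -j ACCEPT
    add_rule_once INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Apply only when asked to; sourcing the file just defines the functions.
# Usage: sudo APPLY_RULES=1 sh ssh_allowlist.sh
if [ "${APPLY_RULES:-0}" = "1" ]; then
    ssh_allowlist
    "$IPTABLES" -L INPUT -n --line-numbers   # show the resulting chain
fi
```

Running it twice leaves exactly one copy of each rule, and the -L listing at the end makes it obvious if some earlier ACCEPT rule sits above the new ones and makes the DROP unreachable.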
Use Port Knocking
Port knocking is a technique that hides your open ports from unauthorized users by requiring a specific sequence of connection attempts to a set of closed ports before opening the desired port. This way, only the users who know the secret knock can access your open ports.
There are different ways to implement port knocking in Linux, such as using iptables, knockd, or fwknop. Each method has its own advantages and disadvantages, but they all share the same basic concept of creating rules that monitor the connection attempts to the closed ports and trigger the opening or closing of the desired port.
For example, if you want to use knockd to hide your SSH port (22) and require a knock sequence of 1000, 2000, 3000 to open it and 4000, 5000, 6000 to close it, you can install knockd using your package manager and edit its configuration file (/etc/knockd.conf) as follows:
[options]
    UseSyslog

[openSSH]
    sequence    = 1000,2000,3000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 4000,5000,6000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
The configuration file uses several options:
- [options] - sets global options for knockd
- UseSyslog - enables logging to syslog
- [openSSH] - defines a section for opening SSH port
- sequence - specifies the knock sequence for opening SSH port
- seq_timeout - specifies the time limit (in seconds) for completing the knock sequence
- command - specifies the command to execute when the knock sequence is completed
- tcpflags - specifies the TCP flags to match for each packet in the knock sequence
- [closeSSH] - defines a section for closing SSH port
- sequence - specifies the knock sequence for closing SSH port
- seq_timeout - specifies the time limit (in seconds) for completing the knock sequence
- command - specifies the command to execute when the knock sequence is completed
- tcpflags - specifies the TCP flags to match for each packet in the knock sequence
Note that the open command appends its ACCEPT rule with -A, so it only takes effect when port 22 is closed by the INPUT chain's default policy (DROP) rather than by an explicit DROP rule earlier in the chain; if you use an explicit DROP rule, change the command to /sbin/iptables -I INPUT ... so the ACCEPT is inserted ahead of it. After saving the configuration file, you can start knockd using the following command (on systemd-based distributions sudo systemctl start knockd does the same; Debian and Ubuntu also require START_KNOCKD=1 in /etc/default/knockd):
sudo service knockd start
To test your port knocking setup, you can use nc or nmap from another system to scan your SSH port. You should see that it is closed by default (nmap reports a port whose packets are dropped as filtered). Then, you can use knock from another system to send the knock sequence to your system. You should see that your SSH port is open after sending the correct sequence. You can also use knock to send the close sequence to close your SSH port.
Using port knocking can help you secure your ports by hiding them from unauthorized users and making them accessible only to those who know the secret knock. However, you should also be aware of the limitations and risks of port knocking, such as replay attacks, timing attacks, or brute force attacks.
Change Default Passwords
Another way to secure your ports in Linux is to change the default passwords of your services and applications that use them. Default passwords are often weak and easy to guess by attackers who can exploit them to gain access to your system.
For example, if you use SSH to access your system remotely, you should change the default password of your root user or any other user that has SSH access. You can use the passwd command to change your password in Linux. You should also use strong passwords that are long, complex, and unique.
To further enhance your SSH security, you can also disable root login, enable public key authentication, limit user access, and use fail2ban or denyhosts to prevent brute force attacks.
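The settings just listed (no root login, key-based authentication, limited attempts) live in sshd_config, and it is easy to believe they are in place when they are not. The script below is an added example (not from the original article) that audits an sshd_config for those directives the way sshd itself reads it: the first uncommented occurrence wins, and OpenSSH's built-in default applies when a directive is absent. SSHD_CONFIG, the constructed sample config, the check list and the MaxAuthTries threshold are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config for the
# hardening settings the text recommends (no root login, key-only logins,
# few password attempts). Match blocks are not handled; the global value is
# what gets checked.

# Path to audit; when unset, a constructed sample config is used instead.
SSHD_CONFIG="${SSHD_CONFIG:-}"
SAMPLE_CONFIG='# constructed sshd_config for this example (weak on purpose)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6'

config_text() {
    if [ -n "$SSHD_CONFIG" ]; then cat "$SSHD_CONFIG"; else printf '%s\n' "$SAMPLE_CONFIG"; fi
}

# Effective value of a directive. sshd uses the first uncommented occurrence,
# so the first match wins; the caller's default is returned when it is absent.
# Directive names are case-insensitive in sshd, hence tolower on both sides.
# Usage: sshd_value <directive> <default>
sshd_value() {
    v=$(config_text | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }')
    printf '%s\n' "${v:-$2}"
}

# Print one FAIL line per weak setting; silent when everything passes.
# The defaults passed to sshd_value are OpenSSH's own defaults for each directive.
sshd_audit() {
    if [ "$(sshd_value PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FAIL PermitRootLogin should be no"
    fi
    if [ "$(sshd_value PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL PasswordAuthentication should be no (use keys only)"
    fi
    if [ "$(sshd_value PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL PubkeyAuthentication should be yes"
    fi
    n=$(sshd_value MaxAuthTries 6)
    if [ "$n" -gt 3 ]; then
        echo "FAIL MaxAuthTries is $n, should be 3 or lower"
    fi
}

# Usage: sh sshd_audit.sh                               (audits the sample)
#        SSHD_CONFIG=/etc/ssh/sshd_config sh sshd_audit.sh
sshd_audit
```

On the sample config the audit prints three FAIL lines; the commented-out PermitRootLogin line is correctly ignored, which is the mistake people most often make when they "fix" the file by editing the wrong line. After changing the real file, validate it with sshd -t before restarting the service, and keep an existing session open until a fresh login succeeds.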
Changing default passwords can help you secure your ports by preventing unauthorized access to your services and applications that use them. However, you should also remember your passwords and store them securely.
Remove Unnecessary Services
Another way to secure your ports in Linux is to remove unnecessary services and applications that use them. Unnecessary services are those that you don’t need or use on your system. They can consume resources and create security risks if they are not properly configured or updated.
For example, if you don’t need a web server on your system, you can remove apache2 or any other web server that uses port 80. You can use your package manager to remove the packages that you don’t need. You should also check your system for any services that are running in the background and stop or disable them if they are not needed.
Removing unnecessary services can help you secure your ports by reducing the attack surface and freeing up resources on your system. However, you should also be careful not to remove any services that are essential for your system’s functionality or security.
Conclusion
In this article, you learned how to check and secure open ports in Linux using various tools and commands, such as netstat, ss, lsof, nmap, and nc. You also learned how to use firewalls, port knocking, changing default passwords, and removing unnecessary services to enhance your port security. Checking and securing open ports in Linux is an important skill for network administration and security. By following the tips and examples in this article, you can improve your system’s performance and protection.