Some Linux software works by listening for incoming connections. A simple example would be a web server, which handles user requests whenever someone navigates to a website. As a Linux administrator or user, it's important to always know which ports of your system are open to the internet. Otherwise, you could be unaware of outside connections being made to your computer, which consumes bandwidth and resources, along with being a potential security hole.

In this guide, we'll see how to check for open ports on Ubuntu Linux. This can be done with several different command line utilities, which we'll go over in detail. We'll also see how to use Ubuntu's ufw firewall to make sure ports are secure. So, do you know which ports of your system are open? Let's find out.

In this tutorial you will learn:
  • How to check for open ports with ss command
  • How to check for open ports with Nmap utility
  • How to check for and add allowed ports in ufw firewall
Checking for open ports on Ubuntu Linux with the ss command
Checking for open ports on Ubuntu Linux with the ss command
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Ubuntu Linux
Software ss, Nmap, ufw firewall
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

Check for open ports with ss command

The ss command can be used to show which ports are listening for connections. It also shows which networks it's accepting the connections from.

We recommend using the -ltn options with the command to see concise and relevant output. Let's look at an example on our test system.

$ sudo ss -ltn
State      Recv-Q     Send-Q         Local Address:Port            Peer Address:Port     Process     
LISTEN     0          4096           127.0.0.53%lo:53                   0.0.0.0:*                    
LISTEN     0          5                  127.0.0.1:631                  0.0.0.0:*                    
LISTEN     0          70                 127.0.0.1:33060                0.0.0.0:*                    
LISTEN     0          151                127.0.0.1:3306                 0.0.0.0:*                    
LISTEN     0          5                      [::1]:631                     [::]:*                    
LISTEN     0          511                        *:80                         *:* 

We can see that our server is listening for connections on port 80, 3306, and 33060. These are the well known ports associated with HTTP and MySQL.

You'll also see that the ss output shows ports 53 and 631 are in a listening state. These are for DNS and Internet Printing Protocol, respectively. These are enabled by default, so you'll likely see them listening on your own system. The DNS port isn't actually open, but rather it provides name resolution to applications installed on our system.


SUBSCRIBE NEWSLETTER & RSS
Subscribe to RSS and NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


To see which processes these listening ports belong to, include the -p option in your command.

$ sudo ss -ltnp
State    Recv-Q   Send-Q      Local Address:Port        Peer Address:Port   Process                                      
LISTEN   0        4096        127.0.0.53%lo:53               0.0.0.0:*       users:(("systemd-resolve",pid=530,fd=13))   
LISTEN   0        5               127.0.0.1:631              0.0.0.0:*       users:(("cupsd",pid=572,fd=7))              
LISTEN   0        70              127.0.0.1:33060            0.0.0.0:*       users:(("mysqld",pid=2320,fd=32))           
LISTEN   0        151             127.0.0.1:3306             0.0.0.0:*       users:(("mysqld",pid=2320,fd=34))           
LISTEN   0        5                   [::1]:631                 [::]:*       users:(("cupsd",pid=572,fd=6))              
LISTEN   0        511                     *:80                     *:*       users:(("apache2",pid=2728,fd=4),("apache2",pid=2727,fd=4),("apache2",pid=2725,fd=4))

Now we can see that systemd-resolve, cupsd, mysqld, and apache2 are the services that are utilizing the ports to listen for incoming connections.

Check for open ports with nmap

Nmap is a network reconnaissance tool that can be used to check for open ports on remote hosts. However, we can also use it to check our own system to get a quick list of what ports are open.

Normally, we would specify a remote IP address for Nmap to scan. Instead, we can scan our own system by specifying localhost in the command.

$ sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 20:43 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Check what ports are open in ufw firewall

There's a big caveat you should keep in mind. When using the ss or nmap localhost commands on our local system, we're bypassing the firewall. Indeed, these commands show ports that are in a listening state, but that doesn't necessarily mean that the ports are open to the internet, because our firewall may be denying connections.

Check the status of ufw firewall with the following command.

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


From the output, we can see that ufw is denying incoming connections. Since port 80 and 3306 have not been added as exceptions, HTTP and MySQL are not able to receive incoming connections, despite ss and nmap reporting that they are in a listening state.

Let's add exceptions for these ports with the following commands.

$ sudo ufw allow 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 3306/tcp
Rule added
Rule added (v6)

We can check the status of ufw again, to see that the ports are now open.

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere                  
3306/tcp                   ALLOW IN    Anywhere                  
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
3306/tcp (v6)              ALLOW IN    Anywhere (v6)

Now our two ports are open in the firewall and in a listening state. To learn more about ufw firewall, including command examples, check our guide on installing and using ufw firewall on Linux.

Closing Thoughts

In this guide, we saw how to use the ss command, as well as the nmap utility to check for listening ports on Ubuntu Linux. We also learned how to check ufw firewall to see what ports are open, and add exceptions if necessary.

If a port is in a listening state and is allowed through the firewall, it should be open to incoming connections. But this is also dependent on your router or other network devices sitting between your computer and the internet, since they may have their own rules that block incoming connections.

FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT or subscribe to RSS feed.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.