How to show/check for open ports on Ubuntu Linux

Checking for open ports on Ubuntu Linux is an essential part of security administration. Some Linux software works by listening for incoming connections. A simple example would be a web server, which handles user requests on HTTP port 80 or HTTPS port 443 whenever someone navigates to a website. As a Linux administrator or user, it’s important to always know which ports of your system are open to the internet. Otherwise, you could be unaware of outside connections being made to your computer, which consumes bandwidth and resources, along with being a potential security vulnerability.

In this tutorial, we’ll see how to check for open ports on Ubuntu Linux. This can be done with several different command line utilities, which we’ll go over in detail. We’ll also see how to use Ubuntu’s ufw firewall to make sure ports are secure. So, do you know which ports of your system are open? Let’s find out.

In this tutorial you will learn:

  • How to check for open ports with ss command
  • How to check for open ports with Nmap utility
  • How to check for and add allowed ports in ufw firewall

Software Requirements and Linux Command Line Conventions

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Ubuntu Linux |
| Software | ss, Nmap, ufw firewall |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command |
| | $ – requires given Linux commands to be executed as a regular non-privileged user |

Check for open ports with ss command




The ss command can be used to show which ports are listening for connections. Its Local Address column also shows which address each socket is bound to, and therefore which networks it’s accepting connections from.

DID YOU KNOW?
The ss command replaced the older netstat command on Linux. You can still install and use the netstat command to check for open ports as well.

We recommend using the -ltn options with the command to see concise and relevant output. Let’s look at an example on our test system.

$ sudo ss -ltn
State      Recv-Q     Send-Q         Local Address:Port            Peer Address:Port     Process     
LISTEN     0          4096           127.0.0.53%lo:53                   0.0.0.0:*                    
LISTEN     0          5                  127.0.0.1:631                  0.0.0.0:*                    
LISTEN     0          70                 127.0.0.1:33060                0.0.0.0:*                    
LISTEN     0          151                127.0.0.1:3306                 0.0.0.0:*                    
LISTEN     0          5                      [::1]:631                     [::]:*                    
LISTEN     0          511                        *:80                         *:* 

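We can see that our server is listening for connections on ports 80, 3306, and 33060. These are the well-known ports associated with HTTP and MySQL. Note the Local Address column: port 80 is bound to * (all interfaces), while both MySQL ports are bound to 127.0.0.1 and accept connections only from the local machine.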

You’ll also see that the ss output shows ports 53 and 631 are in a listening state. These are for DNS and Internet Printing Protocol, respectively. These are enabled by default, so you’ll likely see them listening on your own system. The DNS port isn’t actually open to the network: it is bound to the loopback address 127.0.0.53 and only provides name resolution to applications installed on our system.

To see which processes these listening ports belong to, include the -p option in your command.

$ sudo ss -ltnp
State    Recv-Q   Send-Q      Local Address:Port        Peer Address:Port   Process                                      
LISTEN   0        4096        127.0.0.53%lo:53               0.0.0.0:*       users:(("systemd-resolve",pid=530,fd=13))   
LISTEN   0        5               127.0.0.1:631              0.0.0.0:*       users:(("cupsd",pid=572,fd=7))              
LISTEN   0        70              127.0.0.1:33060            0.0.0.0:*       users:(("mysqld",pid=2320,fd=32))           
LISTEN   0        151             127.0.0.1:3306             0.0.0.0:*       users:(("mysqld",pid=2320,fd=34))           
LISTEN   0        5                   [::1]:631                 [::]:*       users:(("cupsd",pid=572,fd=6))              
LISTEN   0        511                     *:80                     *:*       users:(("apache2",pid=2728,fd=4),("apache2",pid=2727,fd=4),("apache2",pid=2725,fd=4))

Now we can see that systemd-resolve, cupsd, mysqld, and apache2 are the services that are utilizing the ports to listen for incoming connections.

Check for open ports with nmap

Nmap is a network reconnaissance tool that can be used to check for open ports on remote hosts. However, we can also use it to check our own system to get a quick list of what ports are open.

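Normally, we would specify a remote IP address for Nmap to scan. Instead, we can scan our own system by specifying localhost in the command. By default, Nmap scans only the 1,000 most common TCP ports, which is why port 33060 from the ss output does not appear in the results below.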

$ sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 20:43 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Check what ports are open in ufw firewall

There’s a big caveat you should keep in mind. When using the ss or nmap localhost commands on our local system, we’re bypassing the firewall. Indeed, these commands show ports that are in a listening state, but that doesn’t necessarily mean that the ports are open to the internet, because our firewall may be denying connections.

Check the status of ufw firewall with the following command.

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

From the output, we can see that ufw is denying incoming connections. Since port 80 and 3306 have not been added as exceptions, HTTP and MySQL are not able to receive incoming connections, despite ss and nmap reporting that they are in a listening state.




Let’s add exceptions for these ports with the following commands.

$ sudo ufw allow 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 3306/tcp
Rule added
Rule added (v6)

We can check the status of ufw again, to see that the ports are now open.

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere                  
3306/tcp                   ALLOW IN    Anywhere                  
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
3306/tcp (v6)              ALLOW IN    Anywhere (v6)

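Now our two ports are open in the firewall and in a listening state. Keep in mind that the ss output earlier showed MySQL bound to 127.0.0.1, so the 3306 rule alone does not make MySQL reachable from other hosts; the service would also have to listen on a non-loopback address. To learn more about ufw firewall, including command examples, check our guide on installing and using ufw firewall on Linux.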
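
The ss and ufw checks above can be combined into one audit. The script below is an added example, not part of the original tutorial: it classifies each listener as loopback-only or exposed, then reports the ports that are both exposed and allowed by ufw. The function names are hypothetical, the sample data is the tutorial's own output with whitespace condensed, and only simple "<port>[/tcp]" ufw rules are handled (source-restricted rules count as allowed).

```bash
#!/usr/bin/env bash
# Sample data: the tutorial's own ss -ltn and ufw status output, whitespace condensed.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 5    127.0.0.1:631    0.0.0.0:*
LISTEN 0 70   127.0.0.1:33060  0.0.0.0:*
LISTEN 0 151  127.0.0.1:3306   0.0.0.0:*
LISTEN 0 5    [::1]:631        [::]:*
LISTEN 0 511  *:80             *:*'
UFW_SAMPLE='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)'

# stdin: ss -ltn output. Prints "<port> <scope>", scope = loopback | exposed.
classify_listeners() {
  awk '$1 == "LISTEN" {
         addr = $4; port = $4
         sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
         sub(/^.*:/, "", port)       # keep what follows the last colon
         scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
         print port, scope
       }' | sort -k1,1n -k2,2 -u
}

# stdin: ufw status output. Prints ports of simple "<port>[/tcp] ALLOW" rules.
ufw_allowed_ports() {
  awk '/ALLOW/ && $1 ~ /^[0-9]+(\/tcp)?$/ { split($1, p, "/"); print p[1] }' | sort -un
}

# $1 = ss output, $2 = ufw output. Prints ports reachable from other hosts:
# bound to a non-loopback address AND let through by the firewall.
reachable_ports() {
  exposed=$(printf '%s\n' "$1" | classify_listeners | awk '$2 == "exposed" { print $1 }')
  # An inactive firewall or a default-allow policy lets every exposed port through.
  if printf '%s\n' "$2" | grep -Eq '^Status: inactive|^Default: allow \(incoming\)'; then
    printf '%s\n' "$exposed"; return 0
  fi
  allowed=$(printf '%s\n' "$2" | ufw_allowed_ports)
  for p in $exposed; do
    if printf '%s\n' "$allowed" | grep -qx "$p"; then echo "$p"; fi
  done
}

reachable_ports "$SS_SAMPLE" "$UFW_SAMPLE"   # prints 80 for the sample data
```

On a live system, call it as `reachable_ports "$(sudo ss -ltn)" "$(sudo ufw status verbose)"`. For the sample data only port 80 is reported, because 3306 is allowed in ufw but bound to loopback.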

Closing Thoughts

In this tutorial, we saw how to use the ss command, as well as the nmap utility to check for listening ports on Ubuntu Linux. We also learned how to check ufw firewall to see what ports are open, and add exceptions if necessary. For security hardening, administrators should only have necessary ports open to the internet. If your server is not hosting anything that needs to listen on a particular port, then it is best practice to close that port in your firewall configuration.

If a port is in a listening state and is allowed through the firewall, it should be open to incoming connections. But this is also dependent on your router or other network devices sitting between your computer and the internet, since they may have their own rules that block incoming connections.