How to check open ports on Raspberry Pi

Raspberry Pi devices are commonly used to host a variety of lightweight services, as they can do so very affordably. A simple example would be a web server, which handles user requests whenever someone navigates to a website. To make sure these services are accessible, either on the local network or over the internet, the corresponding ports must be open. Checking for open ports is also an essential security task for every administrator, to make sure that the Raspberry Pi has only the necessary ports open.

Otherwise, you could be unaware of outside connections being made to your Raspberry Pi, which consumes bandwidth and resources, along with being a potential security hole. In this tutorial, you will see how to check for open ports on a Raspberry Pi. This can be done with several different command line utilities, which we will go over in detail. We will also see how to use Raspberry Pi’s firewall to make sure ports are secure. So, do you know which ports of your Raspberry Pi are open? Let’s find out.

In this tutorial you will learn:

  • How to check for open ports with ss command
  • How to check for open ports with Nmap utility
  • How to check for and add allowed ports in nftables firewall

Software Requirements and Linux Command Line Conventions

  Category      Requirements, Conventions or Software Version Used
  System        Raspberry Pi
  Software      ss, Nmap, nftables firewall
  Other         Privileged access to your Linux system as root or via the sudo command.
  Conventions   # – requires given Linux commands to be executed with root privileges either directly as a root user or by use of sudo command
                $ – requires given Linux commands to be executed as a regular non-privileged user

Check for open ports with ss command




The ss command can be used to show which ports are listening for connections on your Raspberry Pi. It also shows which networks it’s accepting the connections from.

DID YOU KNOW?
The ss command replaced the older netstat command on Linux. You can still install and use the netstat command to check for open ports as well.

We recommend using the -ltn options with the command to see concise and relevant output. Let’s look at an example on our Raspberry Pi.

$ sudo ss -ltn
State      Recv-Q     Send-Q         Local Address:Port            Peer Address:Port     Process     
LISTEN     0          4096           127.0.0.53%lo:53                   0.0.0.0:*                    
LISTEN     0          5                  127.0.0.1:631                  0.0.0.0:*                    
LISTEN     0          70                 127.0.0.1:33060                0.0.0.0:*                    
LISTEN     0          151                127.0.0.1:3306                 0.0.0.0:*                    
LISTEN     0          5                      [::1]:631                     [::]:*                    
LISTEN     0          511                        *:80                         *:* 

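We can see that our Raspberry Pi is listening for connections on ports 80, 3306, and 33060. These are the well-known ports associated with HTTP and MySQL. The Local Address column shows where each service accepts connections: the MySQL ports are bound to 127.0.0.1, so only programs running on the Raspberry Pi itself can reach them, while port 80 is bound to * (every interface) and can be reached from the network.

You will also see that the ss output shows ports 53 and 631 in a listening state. These are for DNS and Internet Printing Protocol, respectively. These are enabled by default, so you’ll likely see them listening on your own Raspberry Pi. The DNS port isn’t actually open to other hosts: it is bound to the loopback address 127.0.0.53 and only provides name resolution to applications installed on our system.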
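The difference between loopback-only and network-facing listeners can be checked mechanically. The following script is an added example, not part of the original tutorial: the function names are made up here, and the sample input is the ss -ltn output shown above.

```shell
#!/bin/sh
# Added example: classify `ss -ltn` listeners by the address they are bound to.

# Reads `ss -ltn` output on stdin; prints "<scope> <address> <port>" per listener.
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                          # Local Address:Port column
        port = la
        sub(/.*:/, "", port)             # text after the last colon is the port
        addr = substr(la, 1, length(la) - length(port) - 1)
        sub(/%.*/, "", addr)             # drop an interface suffix such as %lo
        gsub(/\[|\]/, "", addr)          # drop the brackets around IPv6 addresses
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"           # reachable only from the Pi itself
        else if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"     # reachable from the network unless firewalled
        else
            scope = "specific-address"   # bound to one interface address
        print scope, addr, port
    }'
}

# Prints the ports that are not loopback-only, one per line, without duplicates.
exposed_ports() {
    classify_listeners | awk '$1 != "loopback" { print $3 }' | sort -un
}

# Sample input: the ss -ltn output from this tutorial.
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q     Send-Q         Local Address:Port            Peer Address:Port     Process
LISTEN     0          4096           127.0.0.53%lo:53                   0.0.0.0:*
LISTEN     0          5                  127.0.0.1:631                  0.0.0.0:*
LISTEN     0          70                 127.0.0.1:33060                0.0.0.0:*
LISTEN     0          151                127.0.0.1:3306                 0.0.0.0:*
LISTEN     0          5                      [::1]:631                     [::]:*
LISTEN     0          511                        *:80                         *:*
EOF
}

# On the Pi itself, run: sudo ss -ltn | classify_listeners
sample_ss_output | classify_listeners
```

For the sample output, only port 80 is reported as reachable from other hosts; every other listener is bound to a loopback address.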

To see which processes these listening ports belong to, include the -p option in your command.

$ sudo ss -ltnp
State    Recv-Q   Send-Q      Local Address:Port        Peer Address:Port   Process                                      
LISTEN   0        4096        127.0.0.53%lo:53               0.0.0.0:*       users:(("systemd-resolve",pid=530,fd=13))   
LISTEN   0        5               127.0.0.1:631              0.0.0.0:*       users:(("cupsd",pid=572,fd=7))              
LISTEN   0        70              127.0.0.1:33060            0.0.0.0:*       users:(("mysqld",pid=2320,fd=32))           
LISTEN   0        151             127.0.0.1:3306             0.0.0.0:*       users:(("mysqld",pid=2320,fd=34))           
LISTEN   0        5                   [::1]:631                 [::]:*       users:(("cupsd",pid=572,fd=6))              
LISTEN   0        511                     *:80                     *:*       users:(("apache2",pid=2728,fd=4),("apache2",pid=2727,fd=4),("apache2",pid=2725,fd=4))




Now we can see that systemd-resolve, cupsd, mysqld, and apache2 are the services that are utilizing the ports to listen for incoming connections.

Check for open ports with nmap

Nmap is a network reconnaissance tool that can be used to check for open ports on remote hosts. However, we can also use it to check our own Raspberry Pi to get a quick list of what ports are open.

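Normally, we would specify a remote IP address for Nmap to scan. Instead, we can scan our own Raspberry Pi system by specifying localhost in the command. Note that by default Nmap scans only the 1,000 most common TCP ports, so a listener on a less common port, such as 33060 from the ss output above, does not appear in the results unless you scan all ports with the -p- option.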

$ sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-01 18:33 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Check what ports are open in nft firewall

There’s a big caveat you should keep in mind. When using the ss or nmap localhost commands on our Raspberry Pi, we’re bypassing the firewall. These commands show ports that are in a listening state as seen from the Raspberry Pi itself, which is why Nmap reported ports 631 and 3306 as open even though ss shows them bound to the loopback address only. A listening port is not necessarily open to the internet, because our firewall may be denying connections.

Check on the status of nftables to see if it is currently running:

$ sudo systemctl status nftables.service

Then, check the currently configured nftables firewall rules:

$ sudo nft list ruleset

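In case you need to add an exception for some ports (HTTP and MySQL in our case), we can use the following command syntax to add these exceptions to the nftables firewall and make sure the ports are accessible on our Raspberry Pi. The add chain command creates the input chain if the table does not have one yet; without it, the add rule command fails on a newly created table:

$ sudo nft add table inet filter
$ sudo nft add chain inet filter input \{ type filter hook input priority 0 \; \}
$ sudo nft add rule inet filter input tcp dport \{ http, mysql \} accept

Now our two ports are open in the firewall and in a listening state. Keep in mind that this rule accepts connections from any source address, and that the firewall exception alone does not make MySQL reachable from other hosts while mysqld is still bound to 127.0.0.1, as in the ss output above.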

Closing Thoughts




In this tutorial, we saw how to check for open ports on a Raspberry Pi system. This included using the ss command, as well as the nmap utility to check for listening ports. We also learned how to check the nftables firewall to see what ports are open, and add exceptions if necessary.

If a port is in a listening state and is allowed through the firewall, it should be open to incoming connections. But this is also dependent on your router or other network devices sitting between your Raspberry Pi and the internet, since they may have their own rules that block incoming connections.


