How to Locate Open Ports in Linux

What is a Port? 

First, let’s define what a port is. According to the IEFT, a port is: 

“A logical entity for Internet communication. Ports serve two main purposes:
1. They provide a demultiplexing identifier to separate transport sessions between the same pair of endpoints
2. They may also identify the application protocol and associated service to which processes connect.”

Wikipedia.com

In plain English, this simply means that a port is an endpoint through which data flows back and forth between two computers over a network. A computer has 65535 ports available to share information. These port numbers are based on a 16-bit number, which is where we derive the total number of available ports (0 to 65535).

These port numbers are assigned to specific services by IANA, which is responsible for maintaining the official port number designations. They designate port numbers based on three ranges: 

• System (or well known) Ports (0-1023) 
• User Ports (1024-49151) 
• Dynamic and Private Ports (49152-65535)

Common Ports and Associated Programs

As we can see, many of these ports are easily recognizable once the service is associated with the port number. 

• Port 20: FTP
• Port 21: FTP
• Port 22: SSH
• Port 23: Telnet
• Port 25: SMTP
• Port 26: Common Alternate SMTP port
• Port 37: cPanel's time servers (tcp out)
• Port 53: DNS/Named
• Port 80: HTTP
• Port 110: POP3
• Port 123: NTP
• Port 143: IMAP
• Port 443: HTTPS (SSL)
• Port 465: SMTPs (Secure SMTP)
• Port 993: IMAPs (Secure IMAP)
• Port 995: POP3s (Secure POP3)
• Port 1167: Guardian (buagent)
• Port 1433: Microsoft SQL Server
• Port 2073: cPanel Razor
• Port 2077: cPanel WebDAV
• Port 2078: cPanel WebDAV Secure port
• Port 2079: cPanel CalDAV and CardDAV
• Port 2080: cPanel CalDAV and CardDAV Secure port
• Port 2082: cPanel non-secure port
• Port 2083: cPanel secure port
• Port 2086: WHM non-secure port
• Port 2087: WHM secure port
• Port 2089: cp license
• Port 2095: cPanel webmail non-secure port
• Port 2096: cPanel webmail secure port
• Port 2443: Nodeworx/SiteWorx
• Port 3306: MySQL
• Port 3389: Remote Desktop Protocol (rdp)
• Port 4643: Virtuozzo Control Panel
• Port 6660-6669: IRC
• Port 8000: SHOUTcast
• Port 8080: Tomcat
• Port 8306: Plesk MySQL
• Port 8443: Plesk
• Port 49152:65534: Standard Passive FTP ports

TCP/UDP Protocol

The next step in the connection chain is the protocol used to connect to a service. A computer’s IP address is stored in a DNS record by an ISP (Internet Service Provider), contributing to the transfer of information.

When a computer requests to connect to another computer (or server), it uses the IP address listed in the DNS records to locate the other computer on the network. The service associated with the relevant port then uses one of these connection protocols to transmit the relevant information back to the requester. The open ports on the server listen for the unique communication requests on specific ports. The unique ports are associated with various software or services noted above. 

For instance, when you open a browser and type in https://liquidweb.com, the https request is routed through an ISP or other internet provider, which then does a DNS lookup for that domain. Once the location of the IP is found, your https request is then routed to a server owned by Liquid Web. When the request hits the server, the service that is listening on port 443, in this case, Port 443 HTTPS (SSL), recognizes the request for a secure connection to the server and returns the webpage stored on the server securely.

Another example would be if you attempt to connect to an FTP server here at Liquid Web. The software (FileZilla for example) reaches out to the server’s IP address on port 21, the port the FTP service listens on. The request arrives, and if the port is open, the connection is allowed through the firewall. The FTP server then responds to the connection request, and if the user authentication is successful, your computer is now connected to the server via FTP.  

Firewalls

After this, the firewall comes into play. The firewall monitors the traffic coming into and out of the server. The information stored in the firewall rules either allows or denies access based on the incoming TCP/UDP info and recognizes if the port is open or closed. Using the above FTP request as an example, if a firewall rule is set up to allow traffic to pass over port 21, the FTP request is forwarded to the FTP server where the connection is allowed. If port 21 is closed or blocked by a firewall rule, the request is denied and the connection will fail. 

Services

Finally, if the request is allowed through the firewall, the service that listens to the specifically designated port receives the request and responds in kind. Granted, this is an oversimplification of the chain of events, but it demonstrates the overall process of how a request is related to a unique port. An IP address may have multiple services listening on any one of the ports listed above. When we connect to a server, we are connecting to an IP address and a port.

Finding Local Open Ports

In Linux, there are multiple ways to see if the service is listening. Typically, we can use the software installed on the server to see if a port is open.

Nmap 

Nmap (Network Mapper) is an open-source network scanner used to discover services and hosts on a network. It sends packets of information to devices attached to the network and analyzes the responses. Nmap has many features for probing networks, including host discovery, service detection, and OS sensing. To install Nmap, we use the following commands.

root@host [~]# yum update -y
root@host [~]# yum install nmap -y
root@host [~]# nmap --version 

To discover open ports, we can run one of these commands.

root@host [~]# nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-14 14:24 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds  root@host [~]# 

Another nmap command to use is as follows.

root@host [~]# nmap -sT -O localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-14 14:26 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00039s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
9100/tcp open  jetdirect
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.36 seconds
root@host [~]#

lsof

lsof is a linux command meaning list open files and is used in many Unix-like systems to report a list of all open files and the processes that opened them. If lsof is not installed, we use the following commands to install it.

root@host [~]# yum update -y
root@host [~]# yum install lsof
root@host [~]# lsof -v 

To check open ports, use this command.

root@host [~]# lsof -i -P | grep -i "listen" 

We can also use lsof as part of a larger, more complex command to sort and filter information returned from the command line. This command lists the total number of TCP/UDP connections.

root@host [~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP\|UDP'

Using this command, we can see all IPv4 ports using TCP connections.

root@host [~]# lsof -a -i4 -itcp

Or this command, which lists the process tied to an open port.

 root@host [~]# lsof -i :80 

netstat

netstat is a command-line utility that displays TCP network connections, routing tables, active network interfaces, and other network protocol statistics. To install netstat, run these commands.

root@host [~]# yum update -y
root@host [~]# yum net-tools -y
root@host [~]# netstat --version

These commands will provide the requested details when scanning for open port connections.

root@host [~]# netstat --listen
root@host [~]# netstat -tulpn | grep LISTEN
root@host [~]# netstat -plnt | awk '{print $1, $3, $7}'

ss

ss is the simpler and faster replacement for netstat. It is a command-line element used to return and display various network-related information.

This command lists a summary of network statistics.

root@host [~]# ss -s

Here, we see the UDP connections that are listening.

root@host [~]# ss -lu

This command shows TCP connections.

root@host [~]# ss -lt

Other ss commands using various flags and printing specific column output are below.

root@host [~]# ss -4 state listening | awk '{print $1, $4}'
root@host [~]# ss -tulwn | awk '{print $1, $5}'
root@host [~]# ss -stplu | awk '{print $1, $2, $5}'

Bash

Here is a command which uses multiple commands in bash to scan for open ports.

root@host [~]# HOST=127.0.0.1;for((port=1;port<=65535;++port)); do echo -en "$port ";if echo -en "open $HOST $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null; then echo -en "\n\nport $port/tcp is open\n\n";fi;done | grep open

port 21/tcp is open
port 25/tcp is open
port 53/tcp is open
port 80/tcp is open
port 110/tcp is open
port 111/tcp is open
port 143/tcp is open
port 443/tcp is open
port 465/tcp is open
port 587/tcp is open
port 878/tcp is open
port 953/tcp is open
port 993/tcp is open
port 995/tcp is open
port 2077/tcp is open
port 2078/tcp is open
port 2079/tcp is open
port 2080/tcp is open
port 2082/tcp is open
port 2083/tcp is open
port 2086/tcp is open
port 2087/tcp is open
port 2095/tcp is open
port 2096/tcp is open
port 3306/tcp is open
port 6379/tcp is open
port 9100/tcp is open
port 9104/tcp is open
port 9115/tcp is open
port 9117/tcp is open
port 9253/tcp is open
port 11211/tcp is open
port 25566/tcp is open
port 46648/tcp is open

Use CTRL +c to end this command.

Finding Remote Open Ports

nc or netcat

Netcat (or nc) is a command-line network utility that uses TCP to read and write data across network connections. The following commands will provide details about open ports on an external server.

root@host [~]# nc -vz [host] [port ranges] 2>&1 | grep succeeded
root@host [~]# netcat -zv [host] [port ranges] 2>&1 | grep succeeded

telnet

Telnet is an application protocol and command to provide text-based communication using a virtual terminal (VT) connection. 

root@host [~]# yum install telnet telnet-server -y
root@host [~]# telnet 192.168.0.1 22

Because Linux treats everything like a file, we can use this to locate a port’s status and availability. 

root@host [~]# echo > /dev/tcp/[host]/[port] && echo "The port is open!"
root@host [~]# echo > /dev/udp/[host]/[port] && echo "The port is open!"

root@host [~]# cat /etc/services | grep port#

Bash

root@host [~]# </dev/tcp/127.0.0.1/80) &>/dev/null && echo "OPEN" || echo "CLOSED"

root@host [~]# for i in {1..65535}; do (echo < /dev/tcp/127.0.0.1/$i) &>/dev/null && printf "\n[+] Open Port at\n: \t%d\n" "$i" || printf "."; done

root@host [~]# ip=192.168.1.254;for i in {1..65535}; do (echo < /dev/tcp/$ip/$i) &>/dev/null && printf "\n[+] Open TCP Port at: \t%d\n" "$i"; done

root@host [~]# declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done

root@host [~]# for p in {1..1023}; do(echo >/dev/tcp/localhost/$p) >/dev/null 2>&1 && echo "$p open"; done

We can also use a Python socket module or one of the curl, telnet, or wget commands.

etc/services

The /etc/services file is utilized by server software to render service names to associated port numbers. Typically, the file includes the service name, the port and protocol used, aliases, and any related comments.

root@host [~]# cat /etc/services | grep tcp
root@host [~]# cat /etc/services | grep udp

Locate the Port a Service is Running On

To locate the port a service is running on, use the following instructions. To identify the PID (or process ID number), we first use the ps command.

root@host [~]# ps aux | grep <PROCESS NAME>

root@host [~]# ps aux | grep ssh
root      47875  0.0  0.0 112808   964 pts/0    S+   16:28   0:00 grep --color=auto ssh
root     101650  0.0  0.0 111448  2404 ?        Ss    2020   1:42 /usr/sbin/sshd -D

Once we have the PID, run the following netstat command.

root@host [~]# netstat -plnt | grep <PID>

root@host [~]# netstat -plnt | grep 101650
tcp        0      0 0.0.0.0:22           0.0.0.0:*               LISTEN      101650/sshd
tcp6       0      0 :::22                :::*                    LISTEN      101650/sshd
root@host [~]# 

This will give us the port(s) that the process is listening on. In this case, we can see that the ssh PID (101650) is listening on port 22.

Which Process is Listening on a Port?

Moving in the reverse direction, we can identify which process is listening on a port. 

root@host [~]# lsof -i -P -n | grep LISTEN | grep ftp
pure-ftpd 101353         root    4u  IPv4 12372180      0t0  TCP *:21 (LISTEN)
pure-ftpd 101353         root    5u  IPv6 12372181      0t0  TCP *:21 (LISTEN)
root@host [~]#

===============

root@host [~]# netstat -tulpn |grep ftp
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      101353/pure-ftpd (S
tcp6       0      0 :::21                   :::*                    LISTEN      101353/pure-ftpd (S
root@host [~]#

===============

root@host [~]# ss -tulpn | grep ftp
tcp    LISTEN     0      9         *:21                    *:*                   users:(("pure-ftpd",pid=101353,fd=4))
tcp    LISTEN     0      9      [::]:21                 [::]:*                   users:(("pure-ftpd",pid=101353,fd=5))
root@host [~]#

Conclusion

This tutorial explored what a port is, how they work, and other factors involved. We reviewed a list of common ports and their associated services. We also covered what other factors are involved in this communication process, including the TCP and UDP protocols, server software and services, and the firewall rules that allow or disallow traffic through those ports. Furthermore, we analyzed multiple commands used to gather information about the status of the ports and various ways for locating the open ports on a server, including several non-standard methods. In summary, open ports are how services on a computer communicate with another server over a network. Without this vital function, all computer programs we know and use today, including the internet itself, would not exist. 

We pride ourselves on being The Most Helpful Humans In Hosting™!

Have questions?  Our experienced system administrators and will explain how you can take advantage of this information today! If you are on a Fully Managed VPS server, Cloud Dedicated, Private Parent server, or a Dedicated server owner and need assistance, give us a call at 800.580.4985, or open a chat or ticket with us to find out more!