25.12.2024

Checking Open and Listening Ports in Linux Using Netstat and SS

Monitoring open and listening ports on a Linux system is one of the most fundamental practices for maintaining server security, diagnosing network issues, and managing your infrastructure effectively. Whether you are running a production web server, a VPS Hosting environment, or a Dedicated Server, understanding exactly which ports are open, and which services are bound to them, gives you the visibility needed to prevent unauthorized access, detect misconfigurations, and eliminate unnecessary attack surfaces.

In this comprehensive guide, we will walk through how to use the netstat and ss commands to check open and listening ports on any Linux system, compare their strengths, and introduce additional tools such as lsof and nmap for deeper network analysis.

Why Monitoring Open Ports Matters

Every open port on your server represents a potential entry point. Services that are misconfigured, outdated, or simply forgotten can expose your system to exploitation. Regularly auditing your listening ports allows you to:

  • Identify unauthorized services running on unexpected ports
  • Detect intrusion attempts or compromised processes
  • Verify firewall rules are working as intended
  • Confirm that newly deployed applications are binding to the correct interfaces
  • Close unused ports to reduce your attack surface

This is especially critical for administrators managing Shared Web Hosting environments or multi-tenant servers where multiple services run simultaneously.

Understanding Ports and Their Types

Before diving into the tools, it is important to understand the terminology you will encounter in command output.

| Term | Description |
|---|---|
| Open Port | A port on which an application is actively listening for incoming connections |
| Listening Port | A port bound to a service that is waiting for network traffic |
| TCP (Transmission Control Protocol) | Connection-oriented, reliable, used by HTTP, SSH, FTP, etc. |
| UDP (User Datagram Protocol) | Connectionless, faster but less reliable, used by DNS, NTP, etc. |

Checking Ports with netstat

What Is netstat?

netstat (network statistics) is a classic command-line utility that provides detailed information about network connections, routing tables, interface statistics, and listening ports. Although it has been officially deprecated in favor of ss on modern distributions, it remains widely used and is still found on many legacy systems.

Installing netstat

The netstat command is part of the net-tools package, which may not be installed by default on modern Linux distributions.

Debian / Ubuntu:

sudo apt install net-tools

CentOS / RHEL / AlmaLinux / Rocky Linux:

sudo yum install net-tools

Using netstat to Check Open and Listening Ports

To display all listening TCP and UDP ports on your system, run the following command:

sudo netstat -tuln

Flag breakdown:

| Flag | Description |
|---|---|
| -t | Show TCP ports |
| -u | Show UDP ports |
| -l | Show only listening ports |
| -n | Display numerical addresses instead of resolving hostnames |

Sample Output

Proto  Recv-Q  Send-Q  Local Address     Foreign Address   State
tcp         0       0  0.0.0.0:22        0.0.0.0:*         LISTEN
tcp         0       0  0.0.0.0:80        0.0.0.0:*         LISTEN
tcp6        0       0  :::443            :::*              LISTEN
udp         0       0  0.0.0.0:53        0.0.0.0:*

Understanding the Output Columns

  • Local Address: The IP address and port number where the service is listening. 0.0.0.0 means the service is listening on all available interfaces.
  • Foreign Address: The remote IP and port for active connections. An asterisk (*) means no connection is established yet.
  • State: The connection state. LISTEN indicates the port is open and waiting for incoming connections.

Filtering Specific Ports with netstat

You can pipe the output through grep to isolate a specific port or service. For example, to check whether anything is listening on port 80 (HTTP):

sudo netstat -tuln | grep ":80"

To check port 443 (HTTPS), which is essential for servers with SSL Certificates installed:

sudo netstat -tuln | grep ":443"

To also display the process name and PID responsible for each connection, add the -p flag:

sudo netstat -tulnp

Checking Ports with ss

What Is ss?

ss (socket statistics) is the modern replacement for netstat. It is faster, more efficient, and provides richer output, particularly on systems with a high number of concurrent connections. The ss command is included by default on virtually all modern Linux distributions and requires no additional installation.

Using ss to Check Open and Listening Ports

The syntax of ss closely mirrors that of netstat, making the transition straightforward:

ss -tuln

Flag breakdown:

| Flag | Description |
|---|---|
| -t | Show TCP sockets |
| -u | Show UDP sockets |
| -l | Show only listening sockets |
| -n | Display numerical addresses |

Sample Output

Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
tcp    LISTEN  0       128     0.0.0.0:22            0.0.0.0:*
tcp    LISTEN  0       511     0.0.0.0:80            0.0.0.0:*
tcp    LISTEN  0       511        [::]:443             [::]:*
udp    UNCONN  0       0       0.0.0.0:53            0.0.0.0:*

Advanced Usage of ss

The ss command offers a range of advanced filtering and display options that go well beyond what netstat can provide.

Show Only Listening TCP Ports

ss -tl

Show Only Listening UDP Ports

ss -ul

Display Process Names and PIDs

To identify exactly which process is using a specific port, use the -p flag:

ss -tulnp

This is one of the most useful commands for troubleshooting: it shows the process name and PID alongside each listening socket, making it immediately clear which application owns which port.

Sample Output with -p Flag

Netid  State   Local Address:Port   Process
tcp    LISTEN  0.0.0.0:80           users:(("nginx",pid=1234,fd=6))
tcp    LISTEN  0.0.0.0:22           users:(("sshd",pid=987,fd=3))
tcp    LISTEN  0.0.0.0:3306         users:(("mysqld",pid=2345,fd=21))

Filter by a Specific Port

To check which process is listening on port 8080:

ss -tulnp | grep ":8080"

Show All Established TCP Connections

ss -tn state established

Show Summary Statistics

ss -s

This provides a quick summary of total sockets by type and state, which is useful for spotting unusual connection volumes.

netstat vs. ss: A Direct Comparison

| Feature | `netstat` | `ss` |
|---|---|---|
| Performance | Slower on busy systems | Significantly faster |
| Default availability | Requires net-tools package | Pre-installed on modern distros |
| Filtering options | Basic (grep required) | Advanced built-in filters |
| Process information | Available with -p | Available with -p |
| Output detail | Standard | More detailed socket info |
| Recommended for | Legacy systems, familiarity | Modern Linux environments |

When to Use netstat

  • On older Linux systems where ss is not available
  • When working with scripts or documentation written around netstat syntax
  • For quick checks on systems where net-tools is already installed

When to Use ss

  • On any modern Linux distribution (Ubuntu 20.04+, CentOS 8+, Debian 10+, etc.)
  • When you need faster output on high-traffic servers
  • For advanced filtering and detailed socket analysis

Additional Tools for Port Auditing

Beyond netstat and ss, several other utilities are valuable for a thorough port audit.

Using lsof

lsof (list open files) treats network sockets as files, making it another powerful way to identify which process is using a given port.

To check which process is bound to port 80:

sudo lsof -i :80

To check all listening ports:

sudo lsof -i -P -n | grep LISTEN

Sample output:

COMMAND   PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
nginx    1234     root   6u  IPv4   23456      0t0  TCP *:80 (LISTEN)
sshd      987     root   3u  IPv4   12345      0t0  TCP *:22 (LISTEN)

Using nmap

nmap is a powerful network scanning tool that can detect open ports both locally and on remote hosts. It is particularly useful for verifying your firewall configuration from an external perspective.

Install nmap if it is not already present:

sudo apt install nmap       # Debian/Ubuntu
sudo yum install nmap       # CentOS/RHEL

Scan TCP ports on the local machine (without a port range, nmap checks only its 1,000 most common ports; add -p- to cover all 65,535):

sudo nmap -sT localhost

Scan for open ports on a specific IP address:

sudo nmap -sV 192.168.1.100

The -sV flag also attempts to detect the version of the service running on each open port, which is invaluable for identifying outdated or vulnerable software.

> Security Note: Only run nmap scans against systems you own or have explicit permission to scan.

Practical Security Workflow: Auditing Your Server Ports

Here is a recommended step-by-step workflow for auditing open ports on a Linux server:

  1. List all listening ports with process information:
   ss -tulnp
  2. Cross-reference each port against expected services. If you see an unknown process on an unexpected port, investigate immediately.
  3. Check for services listening on all interfaces (0.0.0.0) that should only be accessible locally. For example, a database server (port 3306) should typically bind to 127.0.0.1, not 0.0.0.0.
  4. Verify your firewall rules with iptables -L -n or ufw status verbose to ensure only intended ports are exposed externally.
  5. Use nmap from an external host to confirm which ports are actually reachable from the internet, as firewall rules may differ from what ss reports locally.
  6. Close or restrict any ports that are not required using your firewall or by stopping the associated service.
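
The first three steps of this workflow can be scripted. The following is an added example, not part of the original guide: a POSIX shell function that reads ss -H -tulnp output and reports listeners that are absent from an allowlist, owned by an unexpected process, or bound beyond loopback when they should be local-only. The POLICY format, the function name and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare listening sockets with an expected-listener policy.
# POLICY format (hypothetical): proto/port:process:scope, scope = any | local
POLICY="tcp/22:sshd:any tcp/80:nginx:any tcp/443:nginx:any tcp/3306:mysqld:local tcp/6379:redis-server:local udp/53:named:any"

# Constructed sample in the shape of `ss -H -tulnp` output (not from a real host)
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=987,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
tcp LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1234,fd=7))
tcp LISTEN 0 151 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=2345,fd=21))
tcp LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=3001,fd=6))
tcp LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=4242,fd=3))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("named",pid=800,fd=12))'

# Reads ss output on stdin and prints one finding per policy violation.
audit_listeners() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, ":")
            want[f[1]] = f[2]; scope[f[1]] = f[3]
        }
    }
    NF >= 5 {
        port = $5; sub(/^.*:/, "", port)            # text after the last colon
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*$/, "", addr)                       # drop "%lo"-style interface suffix
        proc = "unknown"                            # -p needs root to show owners
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        key = $1 "/" port                           # exact port: 80 never matches 8080
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (!(key in want))
            print "UNEXPECTED", key, proc, addr
        else if (want[key] != proc)
            print "WRONG_PROCESS", key, proc, "expected=" want[key]
        else if (scope[key] == "local" && !loopback)
            print "EXPOSED", key, proc, addr
    }'
}

# Demo on the sample; on a real host run: sudo ss -H -tulnp | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

Because the port is compared as an exact field rather than a substring, port 80 is not confused with 8080, which a plain grep ":80" would also match.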

Quick Reference: Most Useful Commands

# List all listening TCP and UDP ports (modern, recommended)
ss -tuln

# List listening ports with process names and PIDs
ss -tulnp

# List all listening ports using netstat (legacy)
sudo netstat -tulnp

# Check which process is using port 443
ss -tulnp | grep ":443"

# Check open ports with lsof
sudo lsof -i -P -n | grep LISTEN

# Scan local machine for open ports with nmap
sudo nmap -sT localhost

Conclusion

Regularly auditing open and listening ports is a non-negotiable part of Linux server administration. Tools like netstat and ss give you immediate, detailed visibility into which services are running, which ports they occupy, and whether anything unexpected is present on your system.

For modern Linux environments, ss is the clear choice: it is faster, more capable, and available by default. However, netstat remains a reliable fallback for legacy systems or administrators already comfortable with its syntax. Supplementing these tools with lsof and nmap provides a complete picture of your server's network exposure.

Whether you are hardening a fresh VPS Hosting deployment, managing a fleet of Dedicated Servers, or securing an Email Hosting environment, mastering port auditing is an essential skill that directly contributes to the security and reliability of your infrastructure.
