Verification of listening ports in linux systems

Posted on by

The Internet has not been a safe place for a long time, it is worth seeing for whom we leave the door open and what it leads to. Ports are such an equivalent of doors in computer networks.

When we know what applications we use, we'll then know what to add to our own iptables firewall rules or UDP whitelist:

How to do it?

On most systems, the command is sufficient:

1
2
netstat -l
 

How to read it?

At first it seems like an Italian pasta dish, but it is enough to take a closer look that the result of this command is a mine of knowledge

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN    
tcp        0      0 *:40833                 *:*                     LISTEN    
tcp        0      0 localhost:27017         *:*                     LISTEN    
tcp        0      0 localhost:mysql         *:*                     LISTEN    
tcp        0      0 *:sunrpc                *:*                     LISTEN    
tcp        0      0 *:46834                 *:*                     LISTEN    
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN    
tcp6       0      0 [::]:43937              [::]:*                  LISTEN    
tcp6       0      0 [::]:57793              [::]:*                  LISTEN    
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN    
udp        0      0 localhost:608           *:*                                
udp        0      0 *:674                   *:*                                
udp        0      0 *:59774                 *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:sunrpc                *:*                                
udp        0      0 *:41251                 *:*                                
udp6       0      0 [::]:674                [::]:*                            
udp6       0      0 [::]:43086              [::]:*                            
udp6       0      0 [::]:40189              [::]:*                            
udp6       0      0 [::]:sunrpc             [::]:*                            
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     7424585  /tmp/mongodb-27017.sock
unix  2      [ ACC ]     STREAM     LISTENING     24344048 /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7467947  /run/user/1002/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7459911  /run/user/1001/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     7951     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     7885     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     7931     /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     7952     /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     13305    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     13303    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     13304    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     13306    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     13307    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     13308    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     14766    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     24019    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     42459    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     45141    /run/rpcbind.sock
 

After this result, we can conclude that this system is running MySQL and MongoDB.

You have MySQL:

1
2
tcp        0      0 localhost:mysql         *:*                     LISTEN    
 

MySQL uses the port by default 3306 and it is quite a known application for many years, so the application immediately tells us that it is the port used by MySQL instead of the port number

Do you have MongoDB:

1
2
tcp        0      0 localhost:27017         *:*                     LISTEN    
 

Mongo is less known and much younger, this is where the port is displayed to us 27017.

We can also use netstat -ln, then we will get a list of all ports without detecting what is what.

Both apps have localhost: in front of the port so they only listen locally, that is, they cannot be accessed from outside via the network. It is a safe solution because it is better not to give strangers access to our database, even if it is password-protected.
For example, if we allow access from outside, it may turn out in the future that there is a loophole that allows you to log in without a password and we will forget about the update and the problem is ready.

Here we can see an SSH server listening on a standard port:

1
2
tcp        0      0 *:ssh                   *:*                     LISTEN    
 

It is exposed outside, but SSH is a proven application and somehow we also have to get to the server, so do not worry too much as long as we have a long and randomly generated password or log in with a pair of keys (public and private).

We also have a curiosity at the bottom:

1
2
unix  2      [ ACC ]     STREAM     LISTENING     42459    /var/run/mysqld/mysqld.sock
 

It is a port, but not really. It is a socket (plug) which allows the application to connect not via a standard network address but via a file. Some applications support connecting through UNIX sockets, and here's an example of that. These files are not exposed to the world in any way, they are a good solution to connect services on one server with different users because you can change user permissions to this resource like any other file on the disk.

It does not work!

If we do not have such a command in the system as netstat, you need to install the package net-tools.
In the case of Debian and derivatives e.g.. Ubuntu just execute these commands to install it:

1
2
3
apt-get update
apt-get install net-tools
 

Sufficient for CentOS and other RHEL derivatives:

1
2
yum install net-tools
 

How useful this post was?

Click on the star, to evaluate it!

Average grade / 5. number of votes:

So far, no votes! Be the first to rate this post.

Related entries:

Installing the Webmin panel on Ubuntu 22.04
Installation of Spotify in the Debian and Ubuntu Systems
Recording Kazam Desktop in Ubuntu 22.04 and 20.04
The directory structure in Linux systems
Export Database Remote SSH