How to Check Open Ports in Linux Using netstat, ss, and lsof

Open ports act as communication endpoints between your Linux system and the outside world. Every service running on a server, whether it’s SSH, a web server, or a database, listens on a specific port. While these ports are necessary for operations, leaving unnecessary ports open can expose your system to security risks. For developers, system administrators, and cybersecurity professionals, knowing how to check open ports in Linux is an essential skill.

Regularly auditing open ports helps identify unauthorized services, troubleshoot network issues, verify firewall configurations, and reduce your attack surface. Let’s explore how to check open ports using three powerful Linux commands.

1. Using netstat to Check Open Ports

The netstat command (Network Statistics) is a traditional tool used to display network connections and listening ports.

Run the following command:

netstat -tuln

The flags used here have specific meanings. The -t option shows TCP ports, -u displays UDP ports, -l lists listening ports, and -n ensures addresses and ports are shown numerically instead of resolving hostnames.

This command provides a list of active listening ports along with their associated IP addresses. If you want to see which process is using each port, run:

sudo netstat -tulnp

The -p flag displays the process ID (PID) and the program name responsible for opening the port. Keep in mind that on many modern Linux distributions, netstat is considered deprecated and replaced by the ss command.

2. Using ss (Socket Statistics)

The ss command is a modern replacement for netstat. It is faster and more efficient, especially on systems with a large number of active connections.

To check listening ports, use:

ss -tuln

The output is similar to netstat but generated more efficiently. To display process information along with ports, run:

sudo ss -tulnp

If you need to verify whether a specific service is listening on a port, you can filter the output. For example, to check if SSH is running on port 22:

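ss -tuln | grep -E ':22[[:space:]]'

This command quickly confirms whether the port is active and listening. Matching the whitespace after the port number keeps the pattern from also matching ports such as 220 or 2222.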
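Added example (not part of the original article): a small audit function that reads ss -tuln output and reports every listener that is not on an allowlist, along with whether it is bound to all interfaces or only to loopback. The function name audit_listeners, the SAMPLE_SS data and the allowlist values are assumptions made up for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      4096   [::]:8080          [::]:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      80     *:3306             *:*'

# audit_listeners "tcp/22 udp/53"
# Reads `ss -tuln` output on stdin (Netid column present, as with -tu) and
# prints "proto/port address scope" for each listener not in the allowlist.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" || NF < 5 { next }        # skip header and blank lines
        {
            local_ep = $5
            # Port is everything after the last colon (IPv6 addresses contain colons).
            port = local_ep; sub(/.*:/, "", port)
            addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
            key = $1 "/" port
            if (key in ok) next                 # expected service, nothing to report
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                scope = "all-interfaces"        # reachable from the network
            else if (addr ~ /^127\./ || addr == "[::1]")
                scope = "loopback-only"         # local clients only
            else
                scope = "specific-address"
            print key, addr, scope
        }'
}

# Demo on the constructed sample; on a live host use:
#   ss -tuln | audit_listeners "tcp/22 udp/53"
printf '%s\n' "$SAMPLE_SS" | audit_listeners "tcp/22 udp/53"
```

Listeners reported as all-interfaces are the ones to check against your firewall rules first; sudo ss -tulnp or sudo lsof -i :<port> then identifies the owning process.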

3. Using lsof to Identify Processes by Port

The lsof command (List Open Files) is particularly useful when you need detailed information about which process is using a specific port.

To list all open network connections, run:

sudo lsof -i -P -n

The -i option lists network files, -P prevents port number conversion to service names, and -n avoids hostname resolution for faster results.

If you want to check a specific port, such as port 80:

sudo lsof -i :80

This is especially helpful when a service fails to start because a port is already in use. After identifying the PID, you can terminate the process if necessary:

sudo kill -9 <PID>

Use caution when killing processes, particularly on production systems: the -9 option sends SIGKILL, which gives the process no chance to shut down cleanly.

Conclusion

Monitoring open ports in Linux is a crucial practice for maintaining system security and stability. The netstat command provides traditional visibility into network connections, ss offers a faster and modern alternative, and lsof gives detailed process-level insights. By routinely checking open ports, you can detect unnecessary services, troubleshoot network problems, and significantly reduce security risks. In Linux administration and cybersecurity, awareness of active ports is a foundational step toward building a secure and well-managed system.

0xSnow

0xSnow is a cybersecurity researcher with a focus on both offensive and defensive security. Working with ethical hacking, threat detection, Linux tools, and adversary simulation, 0xSnow explores vulnerabilities, attack chains, and mitigation strategies. Passionate about OSINT, malware analysis, and red/blue team tactics, 0xSnow shares detailed research, technical walkthroughs, and security tool insights to support the infosec community.
