How to Check (Scan) for Open Ports in Linux

Whether you are troubleshooting network connectivity issues or configuring a firewall, one of the first things to check is which ports are actually open on your system.

This article describes several approaches to find out which ports are open to the outside on your Linux system.

What Is an Open Port

A listening port is a network port that an application listens on. You can get a list of the listening ports on your system by querying the network stack with commands such as ss, netstat or lsof. Each listening port can be open or closed (filtered) using a firewall.

In general terms, an open port is a network port that accepts incoming packets from remote locations.

For example, if you are running a web server that listens on ports 80 and 443 and those ports are open on your firewall, anyone (except blocked IPs) will be able to access the websites hosted on your web server with a browser. In this case, both 80 and 443 are open ports.

Open ports may pose a security risk, as each open port can be used by attackers to exploit a vulnerability or perform other types of attacks. You should expose only the ports your application needs and close all other ports.

Check Open Ports with nmap

Nmap is a powerful network scanning tool that can scan single hosts and large networks. It is mainly used for security audits and penetration testing.

If available, nmap should be your first tool when it comes to port scanning. Besides port scanning, nmap can also detect the MAC address, OS type, kernel versions, and much more.

The following command issued from the console determines which ports are listening for TCP connections from the network:

sudo nmap -sT -p- 10.10.8.8

The -sT option tells nmap to scan for TCP ports, and -p- tells it to scan all 65535 ports. If -p- is not used, nmap will scan only 1000 ports.

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-09 23:10 CEST
Nmap scan report for 10.10.8.8
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:05:49:23 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

The output above shows that only ports 22, 80 and 8069 are open on the target system.

To scan for UDP ports use -sU instead of -sT:

sudo nmap -sU -p- 10.10.8.8

For more information visit the nmap man page and read about all other powerful options of this tool.

Check Open Ports with netcat

Netcat (or nc) is a command-line tool that can read and write data across network connections, using the TCP or UDP protocols.

With netcat you can scan a single port or a port range.

For example, to scan for open TCP ports in the range 20-80 on a remote machine with IP address 10.10.8.8, you would use the following command:

nc -z -v 10.10.8.8 20-80

The -z option tells nc to scan only for open ports without sending any data, and the -v option prints more verbose information.

The output will look something like this:

nc: connect to 10.10.8.8 port 20 (tcp) failed: Connection refused
nc: connect to 10.10.8.8 port 21 (tcp) failed: Connection refused
Connection to 10.10.8.8 22 port [tcp/ssh] succeeded!
...
Connection to 10.10.8.8 80 port [tcp/http] succeeded!

If you want only the lines with the open ports to be printed on the screen, you can filter the results with the grep command.

nc -z -v 10.10.8.8 20-80 2>&1 | grep succeeded
Connection to 10.10.8.8 22 port [tcp/ssh] succeeded!
Connection to 10.10.8.8 80 port [tcp/http] succeeded!

To scan for UDP ports pass the -u option to the nc command:

nc -z -v -u 10.10.8.8 20-80 2>&1 | grep succeeded

Check Open Ports using Bash Pseudo Device

Another way to check whether a certain port is open or closed is by using the Bash shell /dev/tcp/.. or /dev/udp/.. pseudo device.

When executing a command on a /dev/$PROTOCOL/$HOST/$PORT pseudo-device, Bash will open a TCP or UDP connection to the specified host on the specified port.

The following if..else statement will check whether port 443 on kernel.org is open:

if timeout 5 bash -c '</dev/tcp/kernel.org/443 &>/dev/null'
then
  echo "Port is open"
else
  echo "Port is closed"
fi
Port is open

How does the code above work?

The default timeout when connecting to a port using a pseudo device is huge, so we use the timeout command to kill the test command after 5 seconds. If the connection to kernel.org port 443 is established, the test command will return true.

You can also use the for loop to check for a port range:

for PORT in {20..80}; do
  timeout 1 bash -c "</dev/tcp/10.10.8.8/$PORT &>/dev/null" &&  echo "port $PORT is open"
done

The output will look something like this:

port 22 is open
port 80 is open
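The checks above report "closed" both when the connection is refused and when the probe times out. The following added example (not code from the original article) uses the exit status of timeout, which is 124 when it has to kill the command, to tell a port that is filtered by a firewall from one that is closed. The function names are assumptions, and a host name that does not resolve is also reported as closed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article).

# classify_exit STATUS: map the exit status of the timed probe to a port state.
classify_exit() {
  case "$1" in
    0)   echo open ;;      # TCP handshake completed
    124) echo filtered ;;  # timeout(1) killed the probe: no answer at all
    *)   echo closed ;;    # immediate failure, e.g. connection refused
  esac
}

# probe_port HOST PORT [SECONDS]
# HOST and PORT are passed as arguments ($0 and $1 of the inner shell), not
# pasted into the command string, so odd input cannot inject shell code.
probe_port() {
  status=0
  timeout "${3:-2}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || status=$?
  classify_exit "$status"
}

# scan_ports HOST PORT...: print only the ports that are not plainly closed.
scan_ports() {
  host=$1; shift
  for port in "$@"; do
    state=$(probe_port "$host" "$port" 1)
    [ "$state" = closed ] || echo "port $port is $state"
  done
}

# Usage against the article's example host:
#   scan_ports 10.10.8.8 22 80 443
```

A filtered result usually means a firewall is dropping the packets silently, which is why the probe needs a timeout at all.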

Conclusion

We have shown you several tools that you can use to scan for open ports. There are also other utilities and methods to check for open ports. For example, you can use the Python socket module, curl, telnet or wget.

If you have any questions or remarks, please leave a comment below.