The Linux operating system as well as many of the Linux applications use ports to communicate with each other. A port can be viewed as a communication endpoint that is identified by a number called the port number. This port number along with the address of the machine is used by other applications to communicate with an application (or process) running on your machine.
Generally open ports are generally viewed as a potential risk to security threats, so you should ideally turn off any services that you do not need or are not using. This will reduce the vulnerability of your network considerably. Another good and recommended way is to also use a network router in front of your network.
There are several command line utilities that can be used to scan and identify the ports that are open on the machine and the processes that are using them. We will take a look at some of the popular options in this post.
nmap or Network Mapper is a command line utility that scans the machine to identify ports that are open. This utility can perform a scan on your local machine or any machine on your network. A typical nmap command that can be used is:
nmap -sV -O 127.0.0.1
nmap comes with a plethora of command line options that can be used to further optimize the scans and filter the outputs. The most popular and useful of them are:
-sS: TCP SYN scan. A very fast scanning technique that uses only half-open tcp connections.
-O: perform OS detection
-p: perform scan only on specified ports
-sV: determine service and version info on open ports
You can find more options in the man page or documentation.
netstat is another command line utility that can be used to find open ports on your machine. Unlike nmap, it can however only provide you with information on the local machine and not on any remote machines.
The commonly used options with netstat are
-n or –numeric: do not resolve names
-a or –all: display all sockets
-p or –program: display process id and process names for the sockets
-l or –listening: display listening server sockets
-t : only tcp connections
-u: only udp connections
You can further shrink this list by using egrep to display only particular processes or ports. You can also find the process id associated with the process that is responsible for the open port. This will allow you to shut down or kill the process in order to close the port.
lsof lists all the open files in the linux system. As almost everything including ports are considered as files in Linux, this will also lists all the open sockets or ports on the local machine.
lsof -i -U
-i: select and show only IPv addresses
-U: display only unix sockets
Without any options, the lsof command will list out all open file descriptors on the system which can be quite lengthy.
All of the above commands need to be executed as an user with superuser permissions or as root. Nmap can be considered the most powerful of the three because it is capable of scanning other machines on the network or the local machine, while the other two are more proficient in detecting ports on the local machine.
Using GUI Tools
In addition to the command line utilities mentioned above, there are several GUI based utilities that allow you to scan ports on the machine. Most of them are however based on the command line utilities that are mentioned above.
The popular ones that uses nmap are knetscan, zenmap and nmapsi.
Using 127.0.0.1 or localhost as the machine name will show you all the ports that are open from the local machine to the local machine. This doesn’t necessarily mean that these ports are also accessible from another machine or from the network. In order to find ports that are visible and accessible from the network (or the internet), use the actual external IP address of the machine with these commands. You might as well use a different machine to scan the ports, if possible.
In order to do that execute the following commands from a different machine on the network.
nmap -sV -O 192.168.1.132
nmap -sV -O 292.434.21.221
The IP addresses in the commands are just examples, and you will need to substitute them with the actual IP address of your machine.