How to Check Open Ports on Debian: 5 Command Line Methods for Network Monitoring

When administering a Debian server, monitoring open ports is crucial for both security and troubleshooting. Here are the most effective commands:


# Modern replacement for netstat; -l already restricts output to listening
# sockets, and piping through "grep LISTEN" would drop the UDP lines (shown as UNCONN)
ss -tulnp

# Traditional netstat approach (requires net-tools)
netstat -tulnp

# Deep socket inspection: TCP listeners with the owning process
lsof -i -P -n | grep LISTEN

# Nmap TCP connect scan of the loopback interface (requires nmap; -O needs root)
nmap -sT -O localhost

# Interface addresses from iproute2, useful for interpreting the bind addresses above
ip -brief -all address list

Let's break down a typical output from ss -tulnp:


tcp    LISTEN   0      128     0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp    LISTEN   0      128    127.0.0.1:5432     0.0.0.0:*     users:(("postgres",pid=5678,fd=10))

This shows SSH (port 22) listening on all interfaces and PostgreSQL (port 5432) on localhost only.

Checking for specific services:


# Check if Apache/Nginx is running
ss -tulnp | grep -E '(apache2|nginx)'

# Verify MySQL/MariaDB port (the word boundary avoids matching pids or ports such as 33060)
ss -tulnp | grep -E ':3306\b'

Filtering IPv4 vs IPv6:


# IPv4 only
ss -4 -tuln

# IPv6 only
ss -6 -tuln

For continuous monitoring, consider these approaches:


# Watch ports in real-time
watch -n 2 "ss -tulnp"

# Log changes over time
while true; do date; ss -tulnp; sleep 60; done >> port_monitor.log

# Check for unexpected open ports against a baseline saved earlier with
#   ss -tuln | sort > baseline_ports.txt
# (-p is omitted because pids change on every restart and would produce false diffs;
# lines marked ">" are listeners that were not in the baseline)
diff <(sort baseline_ports.txt) <(ss -tuln | sort)

Always:

  • Compare against your known service requirements
  • Investigate any unknown listening ports
  • Consider using firewall rules (ufw/iptables) to restrict access
  • Regularly audit your open ports

As a Debian system administrator or developer, knowing which ports are open on your server is crucial for security and network troubleshooting. While netstat can provide some information, there are more precise tools available in modern Debian systems.

The ss command is the modern replacement for netstat and provides more detailed information:

sudo ss -tulnp

This command shows:

  • -t: TCP connections
  • -u: UDP connections
  • -l: Listening ports
  • -n: Numeric addresses
  • -p: Process information

If you prefer using netstat, this command provides similar output:

sudo netstat -tulnp

To check if a specific port is open (e.g., port 80); the word boundary keeps ':80' from also matching ports such as 8080 or 8000:

sudo ss -tulnp | grep -E ':80\b'

Another powerful tool is lsof which can show which processes are using which ports:

sudo lsof -i -P -n | grep LISTEN

Remember that open ports shown by these commands might still be blocked by your firewall. To check firewall rules:

sudo iptables -L -n -v

For regular monitoring, you could create a simple script:

#!/bin/bash
# Run as root (e.g. from root's crontab): /var/log is not writable otherwise,
# and ss needs root to show process names for sockets owned by other users.
DATE=$(date +"%Y-%m-%d %H:%M:%S")
{
    echo "Port check at $DATE"
    ss -tulnp
} >> /var/log/port_check.log

Always investigate unexpected open ports. For example, if you find an unknown service listening on port 31337 (a common backdoor port), you should immediately investigate:

sudo ss -tulnp | grep '31337'
sudo lsof -i :31337
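A plain diff of logged ss -tulnp output, as in the baseline check and the logging script above, reports noise because pids and file descriptors change on every service restart. As an added example that is not part of the original article, the script below normalizes the output to protocol, bind address and process name before comparing it with a baseline; it assumes GNU awk and coreutils as shipped with Debian, and the embedded ss output is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: compare the listeners "ss -tulnp"
# reports against a saved baseline, ignoring pids, fds and queue counters so only
# genuinely new or vanished sockets show up. Assumes GNU awk/coreutils (Debian).
set -u
export LC_ALL=C   # identical collation for sort and comm

# Reduce ss -tulnp output on stdin to one stable line per listener:
#   proto local_addr:port process_name
normalize_listeners() {
    awk 'NR > 1 && NF >= 5 {
        proc = "-"
        # users:(("sshd",pid=1234,fd=3)) -> sshd
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, $5, proc
    }' | sort -u
}

# $1 = normalized baseline file, normalized current listing on stdin.
# Prints "+ ..." for new listeners, "- ..." for ones that disappeared,
# and nothing at all when the two sets match.
compare_listeners() {
    local current
    current=$(mktemp) || return 2
    cat > "$current"
    comm -13 "$1" "$current" | sed 's/^/+ /'
    comm -23 "$1" "$current" | sed 's/^/- /'
    rm -f "$current"
}
# Constructed sample output (not from a real host): a baseline, then a later
# snapshot where sshd restarted (new pid) and something new listens on 31337.
BASELINE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*     users:(("postgres",pid=5678,fd=10))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=900,fd=6))'
CURRENT_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=4321,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*     users:(("postgres",pid=5678,fd=10))
tcp   LISTEN 0      128    0.0.0.0:31337     0.0.0.0:*     users:(("unknown",pid=7777,fd=4))'
# Run on the samples. On a live host: save "sudo ss -tulnp | normalize_listeners"
# to baseline_ports.txt once, then later pipe a fresh run into compare_listeners.
demo_changes() {
    local base
    base=$(mktemp) || return 2
    printf '%s\n' "$BASELINE_SS" | normalize_listeners > "$base"
    printf '%s\n' "$CURRENT_SS" | normalize_listeners | compare_listeners "$base"
    rm -f "$base"
}
demo_changes
```

On the constructed samples the sshd restart is silent, while the new 31337 listener and the vanished dhclient socket are the only two lines printed.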