Ports on a Linux system are the endpoints through which devices on a network exchange and transfer data.
A large share of security compromises happen because nobody is watching the inbound connections that target specific ports. It is essential to know which Linux process has opened a given port for listening on a shared network.
It is therefore important to identify which ports are open on your Linux machine.
For basic administration this means mapping each open port to the application behind it, so that you know exactly which sockets are open and can tighten network security by writing firewall rules that block intrusion attempts.
In this tutorial we look at some of the most popular Linux network tools, see how to gather this information, and identify web-server-like processes such as Apache httpd or Nginx, so that you avoid port conflicts when configuring and troubleshooting them.
We will cover each tool and the general syntax of its commands.
Netstat
Command and its syntax: netstat
Netstat offers many features and is a must-know tool for day-to-day work.
It reports the open ports on your Linux machine along with the connections in the ESTABLISHED, TIME_WAIT and CLOSED states.
The most common invocation is netstat -ntlp, which lists listening (-l) TCP (-t) sockets with numeric addresses (-n) and the owning program (-p).
ss
ss stands for Socket Statistics. It is a command-line utility that reports the open ports together with the process ID that opened each port.
ss is the successor to the netstat command on Linux and takes similar options; in fact it is a better, enhanced replacement for the old netstat command.
First, let's run ss -tua, which lists all TCP and UDP sockets.
[vamshi@linuxcent ~]$ ss -tua
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:domain     *:*
udp   UNCONN 0      0      127.0.0.2:domain     *:*
udp   UNCONN 0      0      *:bootpc             *:*
udp   UNCONN 0      0      *:sunrpc             *:*
udp   UNCONN 0      0      127.0.0.1:323        *:*
udp   UNCONN 0      0      *:lanserver          *:*
udp   UNCONN 0      0      [::]:sunrpc          [::]:*
udp   UNCONN 0      0      [::1]:323            [::]:*
udp   UNCONN 0      0      [::]:lanserver       [::]:*
tcp   LISTEN 0      100    127.0.0.1:smtp       *:*
tcp   LISTEN 0      128    *:sunrpc             *:*
tcp   LISTEN 0      128    *:ssh                *:*
tcp   ESTAB  0      0      10.100.0.20:ssh      10.100.0.1:45662
tcp   LISTEN 0      100    [::1]:smtp           [::]:*
tcp   LISTEN 0      70     [::]:33060           [::]:*
tcp   LISTEN 0      128    [::]:mysql           [::]:*
tcp   LISTEN 0      128    [::]:sunrpc          [::]:*
tcp   LISTEN 0      128    [::]:http            [::]:*
tcp   LISTEN 0      128    [::]:ssh             [::]:*
How to get established-connection information using the ss command in Linux
$ ss -tua state established
To list only the listening sockets bound to a given port, filter on the source port (ss writes the port as :80):
[vamshi@node02 ~]$ ss -l sport = :80
The detailed options ss offers are as follows:
-a : Displays all sockets
-i : Displays internal TCP information
-t : Displays only TCP sockets
-l : Displays only listening sockets
-u : Displays only UDP sockets
-r : Resolves host names
-n : Does not resolve host names
-p : Displays the process using the socket
ss accepts the following state filters:
established | syn-sent | syn-recv | fin-wait-1 | fin-wait-2 | time-wait | closed | close-wait | last-ack | listen | closing
nmap
nmap is one of the most popular open-source tools for exploring networks and is mainly used for security auditing.
Nmap is used extensively for host discovery and for port and protocol scanning, including ICMP, TCP and UDP port scans.
It also performs service and version detection and operating-system detection.
Used effectively, it is a valuable aid to intrusion prevention and produces thorough security reports.
Run the command sudo nmap localhost to scan your own machine, or scan a whole subnet:
$ sudo nmap 10.100.0.0/24
vamshi@linuxcent:~$ nmap 10.100.0.20
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-10 13:45 GMT
Nmap scan report for 10.100.0.20
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
MAC Address: 08:00:27:5A:26:BD (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
It lists all the open ports and even reports the MAC address of the target host (shown when the target is on the same LAN segment).
How to scan a list of hosts from a file using the nmap command
Pass the file with -iL, as demonstrated below:
$ nmap -iL /etc/hosts # where the file holds a list of IP addresses or DNS names
To increase the verbosity of nmap output use -v<n>, where n is a number from 0 to 9.
nmap offers many options for gathering information; some of the most useful are listed below:
-sn : Ping scan only, no port scan; the least aggressive option
-sL : List scan; simply lists the hosts that would be scanned
-O : Enables target host OS detection
-sS : TCP SYN scan, also called the stealth scan
-sT : TCP connect port scan
-sU : UDP port scan
-p : Scans only the listed target ports, e.g. # sudo nmap -v -sS -p80 10.100.0.0/24
-PA : TCP ACK ping (the ACK flag is set)
-sV : Extracts service and version information from the target hosts (combine with -O for operating-system details)
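The ss and nmap sections above give two views of the same host: the local listener list and the ports reachable from the network. The script below is an added example, not from the original post; it extracts the TCP port set from constructed samples of ss -Hltn output (-H suppresses the header) and nmap normal output, then reports ports missing from an allowlist and ports that are open from outside without a local listener.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile three views of one host's
# TCP ports: what ss says is listening locally, what an nmap scan sees from the
# network, and an allowlist of ports that are supposed to be exposed.
# All three inputs below are constructed samples; to run this against a real host
# feed it the output of "ss -Hltn" and "nmap <host>" instead.

# Constructed sample of "ss -Hltn" (-H drops the header, so Local Address:Port is field 4).
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:3306 [::]:*'

# Constructed sample of the port table from an nmap scan of the same host.
NMAP_SAMPLE='PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13'

# Constructed baseline: ports this host is expected to expose, one per line.
ALLOWED='22
80'

# ss_ports TEXT: port numbers from the Local Address:Port column, sorted numerically.
ss_ports()   { printf '%s\n' "$1" | awk 'NF { n = split($4, a, ":"); print a[n] }' | sort -un; }
# nmap_ports TEXT: port numbers of every line nmap reports as open.
nmap_ports() { printf '%s\n' "$1" | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -un; }

# list_minus A B: lines of A that do not appear in B (both newline-separated strings).
list_minus() {
  printf '%s\n' "$1" | EXCL="$2" awk '
    BEGIN { n = split(ENVIRON["EXCL"], e, "\n"); for (i = 1; i <= n; i++) seen[e[i]] = 1 }
    NF && !($0 in seen)'
}

# Listening locally but not on the baseline: candidates for a firewall rule or for stopping the service.
unexpected_local()    { list_minus "$(ss_ports "$1")" "$2"; }
# Reachable from the network but not on the baseline: the firewall is not doing its job.
unexpected_external() { list_minus "$(nmap_ports "$1")" "$2"; }
# Open from outside with no local listener: look for a forwarded port, a container or a NAT rule.
external_not_local()  { list_minus "$(nmap_ports "$1")" "$(ss_ports "$2")"; }

echo "listening but not allowed:   $(unexpected_local "$SS_SAMPLE" "$ALLOWED" | tr '\n' ' ')"
echo "reachable but not allowed:   $(unexpected_external "$NMAP_SAMPLE" "$ALLOWED" | tr '\n' ' ')"
echo "reachable but not listening: $(external_not_local "$NMAP_SAMPLE" "$SS_SAMPLE" | tr '\n' ' ')"
```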
lsof
The lsof command lists the open files on the system, as its name says. It is one of the most valuable tools when troubleshooting under fire and shows you how the Linux system actually behaves.
Start by running the lsof command on its own. It prints a lot of information, including all the programs currently running and owned by you, together with the block and filesystem files, network streams, character devices, virtual memory paging files and temporary files they hold open.
Listing the open files using lsof
Now run lsof -u <your login username>:
$ lsof -u vamshi
# Prints the open files of a particular user.
lsof has many options to extract the relevant information.
To count the total number of open files on the system:
$ sudo lsof | wc -l
To list the sockets on a given port (with -P to print the port number instead of the service name):
$ sudo lsof -i TCP:22
$ sudo lsof -P -i :22
vamshi@linuxcent:~$ sudo lsof -P -i :22
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    380  root    3u IPv4  13672      0t0  TCP *:22 (LISTEN)
sshd    380  root    4u IPv6  13683      0t0  TCP *:22 (LISTEN)
sshd    1295 root    3u IPv4  20367      0t0  TCP 10.100.0.30:22->10.100.0.1:39054 (ESTABLISHED)
sshd    1307 vamshi  3u IPv4  20367      0t0  TCP 10.100.0.30:22->10.100.0.1:39054 (ESTABLISHED)
This lists the listening socket and the established connections on the given port.
lsof offers many options and filters; some of the most commonly used are listed below:
-u : Filters by username; lists the open files of the given user
-i : Lists open network files (sockets), optionally restricted to a protocol, service name or port number
-P : Inhibits the translation of port numbers to service names and prints the raw port number instead
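The lsof -P -i output above shows one row per file descriptor, so a single SSH session appears twice (the privilege-separated sshd keeps the socket open in two PIDs). The script below is an added example, not from the original post; it condenses a constructed lsof -P -i capture into one line per listening TCP port with the owning command, PID and the number of distinct established peers.

```shell
#!/bin/sh
# Added example, not from the original post: condense "sudo lsof -P -i" output into
# one line per listening TCP port: owning command, PID, port and the number of
# distinct peers currently in ESTABLISHED state on that port. The capture below is
# a constructed sample; the two sshd rows for one connection mirror what the page's
# own output shows (privilege-separated sshd holds the socket in two PIDs).
LSOF_SAMPLE='COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     380  root    3u  IPv4 13672      0t0  TCP *:22 (LISTEN)
sshd     380  root    4u  IPv6 13683      0t0  TCP *:22 (LISTEN)
sshd     1295 root    3u  IPv4 20367      0t0  TCP 10.100.0.30:22->10.100.0.1:39054 (ESTABLISHED)
sshd     1307 vamshi  3u  IPv4 20367      0t0  TCP 10.100.0.30:22->10.100.0.1:39054 (ESTABLISHED)
nginx    901  www     6u  IPv4 18111      0t0  TCP *:80 (LISTEN)
nginx    902  www     8u  IPv4 21002      0t0  TCP 10.100.0.30:80->10.100.0.7:51120 (ESTABLISHED)
nginx    902  www     9u  IPv4 21003      0t0  TCP 10.100.0.30:80->10.100.0.9:51131 (ESTABLISHED)
dhclient 700  root    6u  IPv4 15020      0t0  UDP *:68'

# listener_summary TEXT: prints "COMMAND PID PORT PEERS" for each listening TCP port,
# sorted by port number.
listener_summary() {
  printf '%s\n' "$1" | awk '
    NR == 1 || $NF !~ /^\(/ { next }          # skip the header and rows without a TCP state (UDP)
    {
      state = $NF                              # "(LISTEN)" or "(ESTABLISHED)"
      name  = $(NF-1)                          # "*:22" or "local:port->peer:port"
      local = name; sub(/->.*/, "", local)     # keep the local side only
      n = split(local, a, ":"); port = a[n]    # last ":"-separated field is the port (IPv6 safe)
      if (state == "(LISTEN)") {
        if (!(port in owner)) owner[port] = $1 " " $2
      } else if (state == "(ESTABLISHED)" && !((port, name) in seen)) {
        seen[port, name] = 1; peers[port]++    # count each peer once, not once per PID
      }
    }
    END { for (p in owner) printf "%s %s %d\n", owner[p], p, peers[p] }' | sort -k3,3n
}

listener_summary "$LSOF_SAMPLE"
```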