335

How can I check if a port is listening on a Linux server?

Improve this question
5
  • 2
    It's not quite clear what you're asking. What do you mean by "open"? Do you mean some server is listening on that port? Or do you mean it's allowed by the system firewall? Or what? Commented Sep 7, 2011 at 17:47
  • 1
    I think a port is being blocked on my server and want to unblock/open it again. Commented Sep 7, 2011 at 17:49
  • 19
    netstat -an | grep PORTNUMBER | grep -i listen If the output is empty, the port is not in use. Commented Sep 28, 2013 at 13:12
  • 4
    nc -w5 -z -v <ip_address> <port_number>, you should get something like Connection to 127.0.0.1 9000 port [tcp/*] succeeded!, otherwise port is closed. Commented Feb 7, 2020 at 12:49
  • A topic that contains an answer also for kernel level services and programs serverfault.com/questions/1078483/… Commented Oct 5, 2021 at 18:30

9 Answers 9

Reset to default
274

You can check if a process listens on a TCP or UDP port with ss -tuplen (replacement of netstat).

To check whether some ports are accessible from the outside (this is probably what you want) you can use a port scanner like Nmap from another system. Running Nmap on the same host you want to check is quite useless for your purpose.

Improve this answer
11
  • 65
    GNU netstat knows the parameters -t, -u, -p, -l, -e, and -n. Thanks to the options parser it can be expressed as -tuplen. linux.die.net/man/8/netstat Commented Apr 26, 2013 at 9:53
  • 4
    Also, the telnet command usually does only supports TCP, so you're out of luck if the service you want to check runs on another protocol. Commented Apr 26, 2013 at 9:55
  • 3
    nc is (better) alternative to telnet. It supports UDP too. Commented Jul 10, 2013 at 8:42
  • 2
    When I go to the netstat man page it says netstat is obsolete. Commented May 16, 2018 at 12:41
  • 6
    According to article: computingforgeeks.com/netstat-vs-ss-usage-guide-linux netstat is deprecated, and ss is it's replacement, so you can do ss -an, ss -tuplen or for tcp listening sockets ss -ntlp. Commented Feb 7, 2020 at 10:17
153

Quickest way to test if a TCP port is open (including any hardware firewalls you may have), is to type, from a remote computer (e.g. your desktop):

telnet myserver.com 80

Which will try to open a connection to port 80 on that server. If you get a time out or deny, the port is not open :)

Improve this answer
9
  • 8
    "yum install telnet" to install the telnet client package. Commented Sep 7, 2011 at 17:41
  • 2
    Says: telnet: connect to address 82.165.148.224: Connection refused Commented Sep 7, 2011 at 17:42
  • 9
    Written above: if you get a time out or deny, the port is not open Commented Sep 7, 2011 at 18:09
  • 2
    What if you don't have perms to install telnet? Is there another standard tool? Commented Jan 14, 2014 at 23:40
  • 9
    I tried “telnet myhost 22” and get a timeout. But I can ssh into that machine. ?! Commented Sep 6, 2018 at 10:59
46

OK, in summary, you have a server that you can log into. You want to see if something is listening on some port. As root, run:

netstat -nlp

this will show a listing of processes listening on TCP and UDP ports. You can scan (or grep) it for the process you're interest in,and/or the port numbers you expect to see.

If the process you expect isn't there, you should start up that process and check netstat again. If the process is there, but it's listening on a interface and port that you did not expect, then there's a configuration issue (e.g., it could be listening, but only on the loopback interface, so you would see 127.0.0.1:3306 and no other lines for port 3306, in the case of the default configuration for MySQL).

If the process is up, and it's listening on the port you expect, you can try running a "telnet" to that port from your Macbook in your office/home, e.g., 

 telnet xxxxxxxxxxxx.co.uk 443

That will test if (assuming standard ports) that there's a web server configured for SSL. Note that this test using telnet is only going to work if the process is listening on a TCP port. If it's a UDP port, you may as well try with whatever client you were going to use to connect to it. (I see that you used port 224. This is masqdialer, and I have no idea what that is).

If the service is there, but you can't get to it externally, then there's a firewall blocking you. In that case, run:

 iptables -L -n

This will show all the firewall rules as defined on your system. You can post that, but, generally, if you're not allowing everything on the INPUT chain, you probably will need to explicitly allow traffic on the port in question:

 iptables -I INPUT -p tcp --dport 224 -j ACCEPT

or something along those lines. Do not run your firewall commands blindly based on what some stranger has told you on the Internet. Consider what you're doing.

If your firewall on the box is allowing the traffic you want, then your hosting company may be running a firewall (e.g., they're only allowing SSH (22/tcp), HTTP (80/tcp) and HTTPS (443/tcp) and denying all other incoming traffic). In this case, you will need to open a helpdesk ticket with them to resolve this issue, though I suppose there might be something in your cPanel that may allow it.

Improve this answer
3
  • Could you pls add how to undo the iptables -I command? Thanks!! Commented Sep 9, 2013 at 22:52
  • 1
    "iptables -D" followed by whatever else you had after the "-I" in the original command. Basically, look up the documentation. Commented Sep 10, 2013 at 11:45
  • 1
    I'd highly recommend using ufw (just apt install ufw then see man ufw) it's a more user-friendly frontend for iptables. Commented Jun 10, 2020 at 10:40
27

I use the combo of netstat and lsof:

netstat -an | grep <portnumber> lsof -i:<portnumber>

To see if the port is being used, and what is using it.

Improve this answer
3
  • nothing prompts with or without sudo Commented Nov 22, 2017 at 6:25
  • 2
    @DheerajThedijje - then that port isn't open Commented May 25, 2018 at 14:47
  • 1
    Yes it was not, got it. Commented Jun 6, 2018 at 7:29
14

If you need to script such a test, the solution by Serhii Popov (see comment to question) is probably the best since nc is capable of searching the TCP stack for an open port³ instead of attempting an actual connection.

The simplest form is:

nc -z <ip> <port>

The command returns true if it find the specified <ip>:<port> combo as being opened (i.e. one of your services is listening).

So now you can write a script to wait until the port is open:

while ! nc -z <ip> <port> do sleep 1 done

Note 1: I tried the -w command line option and that did not seem to do anything. Either way the command returns immediately. I think that the -w is not useful with -z.

Note 2: to help debug, try with the -v command line option.

Note 3: nc -z ... actually creates a socket() and then attempts to bind() it and connect(). If that works, it deems the port open.

Improve this answer
2
  • 4
    -w is very useful if the port is not open and packages are dropped, otherwise nc will wait forever. Commented Jul 15, 2020 at 20:02
  • For me -w5 works perfectly, like stated in this anwser Commented Sep 30 at 6:06
11

If you are connected to the system and can run a command as root then you can check the output of iptables

iptables -L -vn

this will list the firewall rules and which ports are open target ACCEPT and any explicitly closed ports target REJECT.

Improve this answer
1
  • 1
    And if you have firewalld, it's simpler firewall-cmd --query-port=port/protocol, e.g. firewall-cmd --query-port=80/tcp. Commented Jul 20, 2018 at 16:00
7

lsof -i :ssh will list all processes with the ssh port open, both listening and active connections.

Improve this answer
2
  • Prefix sudo if it doesn't return any output. Commented Jun 13, 2017 at 23:08
  • 1
    @ElijahLynn Actually sudo is required for any connections opened by other users (and likely LISTEN ports which are opened by services such as ssh or http). Commented Mar 7, 2020 at 17:53
2

Check Internally

netstat -tulpen | grep $PORT lsof -i:$PORT

Check Externally

You can use

nc -z $IP $PORT

You can use Telnet

telnet $IP $PORT

You can use this online tool (I like this one)

https://www.yougetsignal.com/tools/open-ports/

And port scanner like Nmap CLI tool

Improve this answer
2

If there are no utilities available, for example, in a Docker container:

(echo >/dev/tcp/127.0.0.1/80) &>/dev/null && echo "open" || echo "closed"
Improve this answer
1
  • 1
    Great suggesion! mvp! Commented Jun 13 at 16:20

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.