$ Linux One Liners
Back to commands

Cybersecurity Triage

Read-only

Check Whether Databases Listen Publicly

You need to know whether PostgreSQL or MySQL is exposed beyond localhost.

Command

ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat localhost binding as complete security; credentials, firewall rules, and tunnels still matter.

Expected output

Listening socket rows for ports 5432 and 3306, including bind addresses.

System impact

Read-only. Nothing changes. ss and awk print matching listening sockets.

Recovery / rollback: no state is changed.

When to use it

Use during hardening, breach triage, VPS audits, and deploy reviews.

When not to use it

Do not treat localhost binding as complete security; credentials, firewall rules, and tunnels still matter.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ ss -ltnp

State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    localhost:5432      0.0.0.0:* users:(("postgres",pid=421,fd=5))
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:* users:(("mysqld",pid=733,fd=22))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:* users:(("sshd",pid=71,fd=3))

$ ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'

LISTEN 0      128    localhost:5432      0.0.0.0:* users:(("postgres",pid=421,fd=5))
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:* users:(("mysqld",pid=733,fd=22))

$ ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):(5432|3306)$/ {print}'

LISTEN 0      151    0.0.0.0:3306       0.0.0.0:* users:(("mysqld",pid=733,fd=22))
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. ss -ltnp
  2. ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'
  3. ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):(5432|3306)$/ {print}'

next steps

Related commands

Cybersecurity Triage Read-only

Check Whether SSH Is Publicly Bound

SSH can be locked down by source and still bind publicly.

ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'
Cybersecurity Triage Read-only

Show Local-Only Database Listeners

The database was listening, but only on localhost.

ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
Cybersecurity Triage State change

Find Allowed Ports with No Listener

An open firewall rule can outlive the service it was created for.

comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Cybersecurity Triage State change

Find Public Listeners Not Allowed by UFW

The process was public, but the firewall did not mention it.

comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)
Cybersecurity Triage Read-only

Show Publicly Bound Listeners

Localhost services are different from public listeners.

ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.