Cybersecurity Triage
Read-only
Show Local-Only Database Listeners
You need to confirm common database ports are bound only to 127.0.0.1.
Command
ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
Before you run this
System impact: Read-only. Low when scoped to the shown target.
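When not to use it: Do not assume every database uses only these ports; adapt the pattern for your stack. The pattern also matches only the IPv4 loopback address 127.0.0.1, so a listener bound to the IPv6 loopback [::1] is not shown.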
Expected output
Localhost-bound listeners on common database ports such as 5432 or 6379.
System impact
Read-only. Nothing changes. awk filters socket output for local-only database listener ports.
Recovery / rollback: no state is changed.
When to use it
Use during database exposure checks before changing bind addresses, firewalls, or application connection strings.
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ ss -ltnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1907,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1907,fd=7))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=2112,fd=6))
LISTEN 0 64 0.0.0.0:9000 0.0.0.0:* users:(("node",pid=2219,fd=18))
$ ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=2112,fd=6))
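The one-liner above prints listeners on 127.0.0.1, but it cannot show whether the same port is also bound to another address, and it skips the IPv6 loopback [::1]. The following added example (not part of the original page) classifies each database port from `ss -ltn` output; the function names, the DB_PORTS variable and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-port verdict for database listeners from `ss -ltn` output.
# DB_PORTS is an assumed variable; extend the list for your stack.
DB_PORTS="${DB_PORTS:-5432 3306 6379}"

classify_db_listeners() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # everything before the last colon
      if (!(port in want)) next
      seen[port] = 1
      # Loopback: any 127.0.0.0/8 address or the IPv6 loopback [::1].
      if (host ~ /^127[.]/ || host == "[::1]") next
      # Anything else (0.0.0.0, [::], *, or a specific interface address).
      exposed[port] = exposed[port] (exposed[port] ? "," : "") host
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!(p[i] in seen))          print p[i], "NOT-LISTENING"
        else if (p[i] in exposed)     print p[i], "EXPOSED", exposed[p[i]]
        else                          print p[i], "LOCAL-ONLY"
      }
    }'
}

# Constructed sample input: PostgreSQL bound to loopback AND a private address,
# Redis on the IPv6 loopback only, MySQL on the wildcard address.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 10.0.0.5:5432 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 151 *:3306 *:*
EOF
}

sample_ss_output | classify_db_listeners
```

On a live host, feed it real data with `ss -ltn | classify_db_listeners`.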
Next steps
Related commands
Check Whether Databases Listen Publicly
The fastest database security check is the listening address.
ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'
Find Public Listeners Not Allowed by UFW
The process was public, but the firewall did not mention it.
comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)
Check Whether SSH Is Publicly Bound
SSH can be locked down by source and still bind publicly.
ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'
Find Allowed Ports with No Listener
An open firewall rule can outlive the service it was created for.
comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Show Publicly Bound Listeners
Localhost services are different from public listeners.
ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.