Cybersecurity Triage
Read-only
List Listening TCP Sockets
You need to see which TCP sockets are listening and which process owns each one.
Command
ss -ltnp
Before you run this
System impact: Read-only. Low when scoped to the shown target.
When not to use it: Do not treat a listener as internet reachable without checking bind address and firewall policy together.
Expected output
Listening TCP sockets with local address, port, peer wildcard, and process info.
System impact
Read-only. Nothing changes. ss prints listening TCP sockets and process names where available.
Recovery / rollback: no state is changed.
When to use it
Use before changing firewall rules, debugging exposure, or confirming a service actually bound a port.
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ ss -ltnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1907,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1907,fd=7))
LISTEN 0 128 localhost:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 128 localhost:6379 0.0.0.0:* users:(("redis-server",pid=2112,fd=6))
LISTEN 0 64 0.0.0.0:9000 0.0.0.0:* users:(("node",pid=2219,fd=18))
$ ss -ltnp | awk '/LISTEN/ {print $4, $7}'
0.0.0.0:22
0.0.0.0:80
0.0.0.0:443
localhost:5432
localhost:6379
0.0.0.0:9000
These are the commands shown in the sanitized transcript.
Commands shown
ss -ltnp
ss -ltnp | awk '/LISTEN/ {print $4, $7}'
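Added example (not part of the original page): a POSIX shell sketch that labels each listener in ss -ltnp output by bind scope, so that wildcard binds can be compared against firewall policy instead of being read as internet reachable. The function names and the sample rows beyond those in the transcript are constructed for illustration.

```sh
#!/bin/sh
# Added example: label each listener in `ss -ltnp` output by bind scope.

# Constructed sample: three rows taken from the transcript plus constructed
# IPv6, interface-scoped and single-address rows.
sample_ss_output() {
  cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 localhost:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 64 0.0.0.0:9000 0.0.0.0:* users:(("node",pid=2219,fd=18))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1907,fd=8))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 128 [::1]:6379 [::]:* users:(("redis-server",pid=2112,fd=7))
LISTEN 0 128 10.0.0.5:8080 0.0.0.0:* users:(("app",pid=2300,fd=5))
EOF
}

# Reads ss output on stdin; prints "<scope> <port> <local address>".
classify_listeners() {
  awk '
    $1 == "LISTEN" {
      addr = $4
      # The port follows the last colon; IPv6 hosts contain colons too.
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      sub(/%.*$/, "", host)   # drop an interface suffix such as %lo
      if (host == "0.0.0.0" || host == "[::]" || host == "*") {
        scope = "all-interfaces"
      } else if (host ~ /^127[.]/ || host == "[::1]" || host == "localhost") {
        scope = "loopback"
      } else {
        scope = "single-address"
      }
      print scope, port, addr
    }'
}

# Ports bound on every interface: the ones to compare with firewall policy.
wildcard_ports() {
  classify_listeners | awk '$1 == "all-interfaces" {print $2}' | sort -un
}

sample_ss_output | classify_listeners
```

On a live host, replace sample_ss_output with ss -ltnp; an all-interfaces result says only that the bind address does not restrict reachability, so the firewall policy still decides exposure.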
Next steps
Related commands
Find Public Listeners Not Allowed by UFW
The process was public, but the firewall did not mention it.
comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)
Find Listening Ports with ss
Before blaming the firewall, check whether anything is actually listening.
ss -ltnp
List Listening Ports on a VPS
Unexpected network listeners are first-response evidence.
ss -ltnp
Find Allowed Ports with No Listener
An open firewall rule can outlive the service it was created for.
comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Check Whether SSH Is Publicly Bound
SSH can be locked down by source and still bind publicly.
ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^(127[.]|[[]::1[]])/ {print}'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.