Cybersecurity Triage

Read-only

Check Whether SSH Is Publicly Bound

You need to see whether SSH is listening on a non-localhost address.

Command

ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat bind address alone as access policy; compare it with firewall sources and cloud security groups.

Expected output

Any SSH listener on port 22 that is not bound only to localhost. The filter excludes only 127.x addresses, so an IPv6 loopback listener ([::1]:22) is also printed.

System impact

Read-only. Nothing changes. awk filters socket output for non-local SSH bind addresses.

Recovery / rollback: no state is changed.

When to use it

Use during SSH hardening checks or before deciding whether firewall source restrictions are enough.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ ss -ltnp | grep ':22'

LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))

$ ufw status numbered | grep '22/tcp'

[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24

$ ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'

LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
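
The comparison this page recommends (bind address against firewall sources), written as an added example that is not part of the original page: it classifies each port-22 listener by bind scope and pairs the result with the UFW allow sources. The function names, verdict strings and sample text are assumptions constructed for illustration, and treating [::1] as loopback goes beyond the page's 127.x filter.

```sh
#!/bin/sh
# Constructed sample input, not from a real host. On a live system pass
# "$(ss -ltn)" and "$(ufw status numbered)" (ufw needs root) instead.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128            [::1]:22           [::]:*
LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*'
UFW_SAMPLE='[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24'

# Print "<scope> <address>" for every TCP listener on the port (default 22).
ssh_bind_scope() {
  awk -v port="${1:-22}" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != port) next
      addr = substr($4, 1, length($4) - length(a[n]) - 1)
      if (addr ~ /^127[.]/ || addr == "[::1]") scope = "loopback"
      else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "wildcard"
      else scope = "specific"
      print scope, addr
    }'
}

# Print the source of each UFW "ALLOW IN" rule for the port (default 22).
ufw_ssh_sources() {
  awk -v port="${1:-22}" '
    { sub(/^\[ *[0-9]+\] */, ""); sub(/ +$/, "") }
    ($1 == (port "/tcp") || $1 == port) && match($0, /ALLOW IN +/) {
      print substr($0, RSTART + RLENGTH)
    }'
}

# Combine both views into one verdict. $1 = ss output, $2 = ufw output.
ssh_exposure() {
  ex_scopes=$(printf '%s\n' "$1" | ssh_bind_scope)
  ex_sources=$(printf '%s\n' "$2" | ufw_ssh_sources)
  if [ -z "$ex_scopes" ]; then echo "no-listener"
  elif ! printf '%s\n' "$ex_scopes" | grep -qv '^loopback '; then echo "loopback-only"
  elif [ -z "$ex_sources" ]; then echo "non-loopback-no-allow-rule"
  elif printf '%s\n' "$ex_sources" | grep -q '^Anywhere'; then echo "non-loopback-any-source"
  else echo "non-loopback-source-restricted"
  fi
}

ssh_exposure "$SS_SAMPLE" "$UFW_SAMPLE"   # prints non-loopback-source-restricted
```

A "non-loopback-no-allow-rule" verdict still depends on the firewall's default policy, and none of the verdicts account for cloud security groups, which have to be checked separately.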

Next steps

Related commands

Cybersecurity Triage State change

Find Public Listeners Not Allowed by UFW

The process was public, but the firewall did not mention it.

comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)

Cybersecurity Triage Read-only

Show Local-Only Database Listeners

The database was listening, but only on localhost.

ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'

Cybersecurity Triage State change

Find Allowed Ports with No Listener

An open firewall rule can outlive the service it was created for.

comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)

Cybersecurity Triage Read-only

Show Publicly Bound Listeners

Localhost services are different from public listeners.

ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.