Cybersecurity Triage
Show Local-Only Database Listeners
You need to confirm common database ports are bound only to 127.0.0.1.
Command
ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
What changed
Nothing changes on the system. awk filters the ss listener output down to sockets bound to 127.0.0.1 on ports 5432, 3306, or 6379.
Danger
safe
When to use it
Use during database exposure checks before changing bind addresses, firewalls, or application connection strings.
When not to use it
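Do not assume every database uses only these ports; adapt the pattern for your stack. The filter prints only listeners that match, so a database bound to 0.0.0.0 or to an IPv6 address simply does not appear; a missing line is not proof that nothing is listening.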
Undo or recovery
No undo needed because this command is read-only.
Expected output
Localhost-bound listeners on common database ports such as 5432 or 6379.
demo script
Disposable terminal steps
ss -ltnp
ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
simulated output
What it looks like
$ ss -ltnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1907,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1907,fd=7))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=2112,fd=6))
LISTEN 0 64 0.0.0.0:9000 0.0.0.0:* users:(("node",pid=2219,fd=18))
$ ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2011,fd=7))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=2112,fd=6))
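The filter above prints only listeners that match 127.0.0.1, so a database bound to 0.0.0.0, [::] or [::1] never appears in its output. The following shell script is an added example, not part of the original page: it labels every listener on the same three ports as LOCAL or NONLOCAL. The function names and the sample ss lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify database listeners by bind address.
DB_PORTS='5432|3306|6379'   # ports from the page's command; adapt for your stack

# Constructed sample in `ss -ltnp` layout (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=2011,fd=7))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=2112,fd=6))
LISTEN 0      128    [::1]:6379         [::]:*            users:(("redis-server",pid=2112,fd=7))
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=2300,fd=21))
LISTEN 0      128    [::]:5432          [::]:*            users:(("postgres",pid=2011,fd=8))
EOF
}

# Reads `ss -ltnp` lines on stdin; prints "LOCAL|NONLOCAL <addr:port> <process>"
# for every listener on a port in DB_PORTS.
classify_db_listeners() {
  awk -v ports="$DB_PORTS" '
    $1 != "LISTEN" { next }                      # skip header and other states
    {
      n = split($4, part, ":"); port = part[n]   # port follows the last colon
      if (port !~ ("^(" ports ")$")) next
      host = substr($4, 1, length($4) - length(port) - 1)
      # Loopback is 127.0.0.0/8 or [::1]; 0.0.0.0, [::], * and host IPs are not.
      scope = (host ~ /^127[.]/ || host == "[::1]") ? "LOCAL" : "NONLOCAL"
      print scope, $4, $6
    }'
}

# Exit status 0 only when no database port has a non-loopback listener.
db_listeners_local_only() {
  ! classify_db_listeners | grep -q '^NONLOCAL '
}

# Demo on the constructed sample.
sample_ss_output | classify_db_listeners
```

On a live host, pipe real output in with ss -ltnp | classify_db_listeners. NONLOCAL means the socket is bound beyond loopback, not that a firewall permits the traffic.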