
Cybersecurity Triage

List Listening TCP Sockets

You need to see which TCP sockets are listening and which process owns each one.

Command

ss -ltnp

What changed

Nothing changes. ss prints listening TCP sockets and process names where available.

Danger

safe

When to use it

Use before changing firewall rules, debugging exposure, or confirming a service actually bound a port.

When not to use it

Do not treat a listener as internet reachable without checking bind address and firewall policy together.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Listening TCP sockets with local address, port, peer wildcard, and process info.

demo script

Disposable terminal steps

  1. ss -ltnp
  2. ss -ltnp | awk '/LISTEN/ {print $4, $6}'

simulated output

What it looks like

$ ss -ltnp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1907,fd=7))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=2112,fd=6))
LISTEN 0      64           0.0.0.0:9000      0.0.0.0:*     users:(("node",pid=2219,fd=18))
$ ss -ltnp | awk '/LISTEN/ {print $4, $6}'
0.0.0.0:22 users:(("sshd",pid=801,fd=3))
0.0.0.0:80 users:(("nginx",pid=1907,fd=6))
0.0.0.0:443 users:(("nginx",pid=1907,fd=7))
127.0.0.1:5432 users:(("postgres",pid=2011,fd=7))
127.0.0.1:6379 users:(("redis-server",pid=2112,fd=6))
0.0.0.0:9000 users:(("node",pid=2219,fd=18))
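
Added example, not part of the original lesson: a shell function that reads ss -ltnp output and labels each listener by bind scope, so loopback-only services are separated from ones bound to every interface before firewall policy is reviewed. The function names, scope labels and sample lines are constructed for illustration; "all-interfaces" means only that the socket accepts connections on any local address, not that a firewall lets traffic reach it.

```shell
#!/bin/sh
# Classify listeners from `ss -ltnp` output (read on stdin) by bind scope.
# Prints: <scope> <local address:port> <first owning process or "unknown">
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        sock = $4
        # Split the address from the port at the last colon (IPv6 has colons).
        addr = sock; sub(/:[^:]*$/, "", addr)
        # Strip IPv6 brackets and any interface suffix such as "%lo".
        sub(/^\[/, "", addr); sub(/\]$/, "", addr); sub(/%.*$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"
        else
            scope = "specific-address"
        # The Process column is empty when ss cannot see the owner
        # (for example, run without root for another user'"'"'s socket).
        proc = "unknown"
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        print scope, sock, proc
    }'
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128            [::1]:631          [::]:*     users:(("cupsd",pid=950,fd=6))
LISTEN 0      511                *:9000            *:*     users:(("node",pid=2219,fd=18))
LISTEN 0      128         10.0.0.5:8443      0.0.0.0:*     users:(("java",pid=3001,fd=44))
EOF
}

# On a live host: ss -ltnp | classify_listeners
sample_ss_output | classify_listeners
```
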

