Cybersecurity Triage

Show Publicly Bound Listeners

You need to filter listening TCP sockets down to services bound to all interfaces: the IPv4 wildcard 0.0.0.0, the IPv6 wildcard [::], or the * wildcard.

Command

ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'

What changed

Nothing changes. awk filters socket output by bind address.

Danger

safe

When to use it

Use when you need a quick public-exposure worklist before comparing against firewall policy.

When not to use it

Do not treat this as the full exposure picture on real hosts. It is only the host-level socket view, so do not ignore IPv6, container ports, or cloud firewalls.

Undo or recovery

No undo needed because this command is read-only.

Expected output

The ss header plus listeners bound to public wildcard addresses.

demo script

Disposable terminal steps

  1. ss -ltnp
  2. ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'

simulated output

What it looks like

$ ss -ltnp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1907,fd=7))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=2112,fd=6))
LISTEN 0      64           0.0.0.0:9000      0.0.0.0:*     users:(("node",pid=2219,fd=18))
$ ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1907,fd=7))
LISTEN 0      64           0.0.0.0:9000      0.0.0.0:*     users:(("node",pid=2219,fd=18))
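
The worklist step this lesson describes, as an added example that is not part of the original lesson: it turns `ss -ltnp` output into port/process/bind rows using the same bind-address match, then flags ports missing from an expected-exposure list. The function names, the sample rows beyond the lesson's own, and the allowlist `22 443` are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a worklist from `ss -ltnp` output and flag ports
# that are not on an expected-exposure list (the list is an assumption).

# Constructed sample: rows from the lesson plus an IPv6 wildcard row, an
# IPv6 loopback row, and a "*" row with no Process column (no root).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1907,fd=7))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      64           0.0.0.0:9000      0.0.0.0:*     users:(("node",pid=2219,fd=18))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=801,fd=4))
LISTEN 0      128            [::1]:631          [::]:*     users:(("cupsd",pid=950,fd=7))
LISTEN 0      4096               *:8080            *:*
EOF
}

# Print "port process bind" for each listener bound to 0.0.0.0, [::] or *.
public_listeners() {
    awk 'NR > 1 && $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {
        port = $4; sub(/^.*:/, "", port)      # text after the last colon
        bind = $4; sub(/:[^:]*$/, "", bind)   # text before the last colon
        proc = "unknown"                      # no Process column visible
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc, bind
    }' | LC_ALL=C sort -n
}

# Same input; $1 is a space-separated list of ports expected to be exposed.
unexpected_listeners() {
    public_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Demo on the sample; on a host: ss -ltnp | unexpected_listeners "22 443"
sample_ss_output | unexpected_listeners "22 443"
```

Rows reported as `unknown` are sockets whose owning process was not visible to the user running `ss`; rerun with sufficient privileges before closing them out of the worklist.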
