Cybersecurity Triage

Find Listening Ports with ss

You need to list local TCP services that are accepting connections.

Command

ss -ltnp

What changed

Nothing changes. The command displays listening TCP sockets.

Danger

safe

When to use it

Use when a service should be reachable, or when you need to audit listening ports.

When not to use it

Do not assume a listening socket is externally reachable; firewall and bind address still matter.

Undo or recovery

No undo needed because this command is read-only.

Expected output

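A table of listening TCP sockets with local addresses, ports, and associated processes when available. Process details for sockets owned by other users are shown only when the command runs with sufficient privileges (typically root).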

demo script

Disposable terminal steps

  1. ss -ltnp
  2. ss -tan state established

simulated output

What it looks like

$ ss -ltnp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1907,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=2011,fd=7))
LISTEN 0      64     0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))

$ ss -tan state established
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      10.0.0.5:443       198.51.100.20:51422
ESTAB 0      0      10.0.0.5:5432      10.0.0.8:41430
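
Added example, not part of the original lesson: a shell function that reads ss -ltn or ss -ltnp output and labels each listener by bind scope, so the bind-address half of the reachability question is answered before any firewall rules are reviewed. The names classify_listeners and sample_ss_output are hypothetical, and the sample lines beyond the lesson's three are constructed.

```shell
#!/bin/sh
# Classify listeners from `ss -ltn` / `ss -ltnp` output by bind scope.
# Output per listener: <scope> <port> <bind-address> <process or ->
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4                          # Local Address:Port column
        port = laddr; sub(/.*:/, "", port)  # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)
        gsub(/^\[|\]$/, "", addr)           # strip IPv6 brackets
        sub(/%.*/, "", addr)                # strip interface suffix such as %lo
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "ALL-INTERFACES"        # wildcard bind, firewall decides exposure
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK-ONLY"         # not reachable from other hosts
        else
            scope = "SPECIFIC-ADDRESS"      # reachable only via that address
        proc = "-"                          # absent without -p or without privileges
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print scope, port, addr, proc
    }'
}

# Constructed sample input: the lesson fixture plus IPv6, scoped and
# specific-address listeners to exercise each branch.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1907,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=2011,fd=7))
LISTEN 0      64     0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      64     [::]:22            [::]:*            users:(("sshd",pid=801,fd=4))
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    10.0.0.5:8080      0.0.0.0:*
EOF
}

sample_ss_output | classify_listeners
```

On a live host, pipe the real command instead: ss -ltnp | classify_listeners. A LOOPBACK-ONLY result explains an unreachable service regardless of firewall state.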

YouTube Short

What is actually listening?

ss shows local listening sockets, bind addresses, ports, and processes before you chase firewall rules.

LinkedIn hook

Before blaming the firewall, check whether anything is actually listening.

Question: When a service is unreachable, do you check bind address before firewall rules?