
Cybersecurity Triage

Find Allowed Ports with No Listener

You need to find UFW-allowed ports that do not currently have a listening TCP socket.

Command

comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)

What changed

Nothing changes on the system. The command is read-only: it only compares the set of UFW-allowed ports with the set of ports that currently have a listening TCP socket.

Danger

safe

When to use it

Use during firewall cleanup to find stale allow rules that no active service appears to need.

When not to use it

Do not remove rules automatically from this output; check UDP, scheduled services, maintenance windows, and external policy first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Allowed port numbers that are absent from the current listening TCP socket list. Because `ss -ltnp` lists TCP sockets only, any UDP-only allow rule will appear in this output even when its service is running.

demo script

Disposable terminal steps

  1. ufw status numbered
  2. ss -ltnp
  3. comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
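The one-liner above treats every ALLOW rule alike and compares it against TCP listeners only, so bare-port rules such as `53` (both protocols), port ranges such as `8000:8002/tcp`, app-profile rules such as `OpenSSH` and UDP services are either missed or misreported. The script below is an added example, not part of the lesson: a protocol-aware version that works on saved `ufw status numbered` and `ss -lntuH` output, shown here on constructed fixtures rather than a live host.

```shell
#!/bin/sh
# Added example (not the lesson's command): protocol-aware stale-rule check.
# stale_ports UFW_FILE SS_FILE   UFW_FILE = saved `ufw status numbered` output,
#                                SS_FILE  = saved `ss -lntuH` output (tcp+udp, no header)
# Prints "port/proto" for each inbound ALLOW rule with no matching listener; rules
# it cannot parse (e.g. the "OpenSSH" app profile) are printed as "skipped: ...".
stale_ports() {
  awk '
    FILENAME == ARGV[1] {                 # pass 1, ss output: $1 = tcp|udp, $5 = local addr:port
      if ($1 != "tcp" && $1 != "udp") next
      n = split($5, a, ":")               # last field is the port for 0.0.0.0:22, [::]:22, *:22
      listen[$1 "/" a[n]] = 1; next
    }
    $0 !~ /ALLOW/ || $0 ~ /ALLOW (OUT|FWD)/ { next }    # pass 2, ufw output: inbound ALLOW only
    {
      line = $0; sub(/^\[ *[0-9]+\] */, "", line)       # drop "[ 3] " numbering if present
      split(line, f, " "); spec = f[1]                  # "To" column: port, port/proto or lo:hi/proto
      if (spec !~ /^[0-9]+(:[0-9]+)?(\/(tcp|udp))?$/) { skipped[spec] = 1; next }
      np = split(spec, p, "/"); protos = (np == 2) ? p[2] : "tcp udp"   # no protocol = both
      nr = split(p[1], r, ":"); lo = r[1] + 0; hi = (nr == 2) ? r[2] + 0 : lo
      m = split(protos, pl, " ")
      for (i = 1; i <= m; i++)
        for (port = lo; port <= hi; port++)
          if (!((pl[i] "/" port) in listen)) stale[port "/" pl[i]] = 1
    }
    END { for (k in stale) print k; for (k in skipped) print "skipped: " k }
  ' "$2" "$1" | LC_ALL=C sort
}
sample_ufw() { cat <<'EOF'   # constructed fixture: the lesson's host plus three edge-case rules
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 25/tcp                     ALLOW IN    Anywhere
[ 4] 5432/tcp                   DENY IN     Anywhere
[ 5] 53                         ALLOW IN    Anywhere
[ 6] 8000:8002/tcp              ALLOW IN    Anywhere
[ 7] OpenSSH                    ALLOW IN    Anywhere
EOF
}
sample_ss() { cat <<'EOF'    # constructed fixture in `ss -lntuH` layout
udp   UNCONN 0  0      0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0  128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0  511       [::]:80         [::]:*
tcp   LISTEN 0  128  127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0  128    0.0.0.0:8001    0.0.0.0:*
EOF
}
# Stand-alone demo on the fixtures; on a real host save the two command outputs instead.
tmp=$(mktemp -d); sample_ufw > "$tmp/ufw"; sample_ss > "$tmp/ss"
stale_ports "$tmp/ufw" "$tmp/ss"; rm -rf "$tmp"
```

On the fixtures this reports 25/tcp, 53/tcp (DNS listens on UDP only), 8000/tcp and 8002/tcp (8001 is listening), and flags the OpenSSH profile rule as skipped for manual review.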

simulated output

What it looks like

$ ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 25/tcp                     ALLOW IN    Anywhere
[ 5] 5432/tcp                   DENY IN     Anywhere
$ ss -ltnp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1907,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1907,fd=7))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=2011,fd=7))
LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=2112,fd=6))
LISTEN 0      64           0.0.0.0:9000      0.0.0.0:*     users:(("node",pid=2219,fd=18))
$ comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
25

YouTube Short

Find stale allow rules.

Compare UFW allow rules with listening sockets. If a port is allowed but nothing listens, it may be stale exposure.

LinkedIn hook

An open firewall rule can outlive the service it was created for.

Question: Do you look for firewall allow rules that no current listener uses?

experiments

A/B tests to run

Metric: save_rate

A: Allowed but unused.

B: Find stale firewall rules.