Cybersecurity Triage

Check Whether SSH Is Publicly Bound

You need to see whether SSH is listening on a non-localhost address.

Command

ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ && $4 !~ /^\[::1\]/ {print}'

What changed

Nothing changes. awk filters socket output for non-local SSH bind addresses.

Danger

safe

When to use it

Use during SSH hardening checks or before deciding whether firewall source restrictions are enough.

When not to use it

Do not treat bind address alone as access policy; compare it with firewall sources and cloud security groups.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Any SSH listener on port 22 that is not bound only to localhost.

demo script

Disposable terminal steps

  1. ss -ltnp | grep ':22'
  2. ufw status numbered | grep '22/tcp'
  3. ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ && $4 !~ /^\[::1\]/ {print}'

simulated output

What it looks like

$ ss -ltnp | grep ':22'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
::exit-code::0
$ ufw status numbered | grep '22/tcp'
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
::exit-code::0
$ ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ && $4 !~ /^\[::1\]/ {print}'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
::exit-code::0
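
As an added example, not part of the original lesson, the following script classifies each port-22 listener from ss output (IPv4 and IPv6 loopback, wildcard, specific address) and combines that with the ufw allow sources into one verdict. The function names, verdict labels and the extra sample listener lines are assumptions constructed for illustration; the verdict reflects ufw only, so cloud security groups still need a separate check.

```shell
#!/bin/sh
# Added example; both samples are constructed (their first lines mirror the lesson's demo).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
LISTEN 0      128            [::1]:22           [::]:*     users:(("sshd",pid=801,fd=4))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=512,fd=14))'
UFW_SAMPLE='[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24'

# stdin: `ss -ltn[p]` output. Prints "<scope> <local-address>" per listener on the port.
classify_binds() {
  awk -v port="${1:-22}" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      addr = $4
      sub(":" port "$", "", addr)   # drop the port
      sub(/%.*$/, "", addr)         # drop an interface suffix such as %lo
      gsub(/\[|\]/, "", addr)       # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
      else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "wildcard"
      else scope = "specific"
      print scope, $4
    }'
}

# stdin: `ufw status numbered` output. Prints the source of each ALLOW IN rule for <port>/tcp.
allow_sources() {
  awk -v port="${1:-22}" '
    { sub(/^\[ *[0-9]+\] */, "") }  # drop the rule number so $1 is the port spec
    $1 == (port "/tcp") && /ALLOW IN/ { sub(/^.*ALLOW IN +/, ""); print }'
}

# $1 = ss output, $2 = ufw output. Prints one verdict for port 22.
ssh_exposure() {
  nonlocal=$(printf '%s\n' "$1" | classify_binds | awk '$1 != "loopback" {n++} END {print n+0}')
  anysrc=$(printf '%s\n' "$2" | allow_sources | awk '/^Anywhere/ {n++} END {print n+0}')
  if [ "$nonlocal" -eq 0 ]; then echo "loopback-only"
  elif [ "$anysrc" -gt 0 ]; then echo "reachable-from-any-source"
  else echo "non-loopback-source-restricted"
  fi
}

printf '%s\n' "$SS_SAMPLE" | classify_binds
ssh_exposure "$SS_SAMPLE" "$UFW_SAMPLE"
```

On a live host, feed the functions real output, for example `ssh_exposure "$(ss -ltn)" "$(ufw status numbered)"`.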

YouTube Short

Is SSH publicly bound?

Check whether SSH binds to a public address, then compare that with the firewall source rule.

LinkedIn hook

SSH can be locked down by source and still bind publicly.

Question: Do you check SSH bind address separately from firewall allow sources?
