How to Locate Open Ports in Linux

What is a Port? 

In plain English, a port is an endpoint through which data flows back and forth between two computers over a network. A computer has 65535 ports available to share information. These port numbers are based on a 16-bit number, which is where we derive the total number of available ports (0 to 65535).

These port numbers are assigned to specific services by IANA, which is responsible for maintaining the official port number designations. They designate port numbers based on three ranges:


  • System (or well known) Ports (0-1023)
  • User Ports (1024-49151)
  • Dynamic and Private Ports (49152-65535)


Common Ports and Associated Programs

As we can see, many of these ports are easily recognizable once the service is associated with the port number.


  • Port 20: FTP
  • Port 21: FTP
  • Port 22: SSH
  • Port 23: Telnet
  • Port 25: SMTP
  • Port 26: Common Alternate SMTP port
  • Port 37: cPanel's time servers (tcp out)
  • Port 53: DNS/Named
  • Port 80: HTTP
  • Port 110: POP3
  • Port 123: NTP
  • Port 143: IMAP
  • Port 443: HTTPS (SSL)
  • Port 465: SMTPs (Secure SMTP)
  • Port 993: IMAPs (Secure IMAP)
  • Port 995: POP3s (Secure POP3)
  • Port 1167: Guardian (buagent)
  • Port 1433: Microsoft SQL Server
  • Port 2073: cPanel Razor
  • Port 2077: cPanel WebDAV
  • Port 2078: cPanel WebDAV Secure port
  • Port 2079: cPanel CalDAV and CardDAV
  • Port 2080: cPanel CalDAV and CardDAV Secure port
  • Port 2082: cPanel non-secure port
  • Port 2083: cPanel secure port
  • Port 2086: WHM non-secure port
  • Port 2087: WHM secure port
  • Port 2089: cp license
  • Port 2095: cPanel webmail non-secure port
  • Port 2096: cPanel webmail secure port
  • Port 2443: Nodeworx/SiteWorx
  • Port 3306: MySQL
  • Port 3389: Remote Desktop Protocol (rdp)
  • Port 4643: Virtuozzo Control Panel
  • Port 6660-6669: IRC
  • Port 8000: SHOUTcast
  • Port 8080: Tomcat
  • Port 8306: Plesk MySQL
  • Port 8443: Plesk
  • Port 49152-65534: Standard Passive FTP ports

TCP/UDP Protocol

The next step in the connection chain is the protocol used to connect to a service. A computer’s IP address is stored in a DNS record by an ISP (Internet Service Provider), contributing to the transfer of information.


When a computer requests to connect to another computer (or server), it uses the IP address listed in the DNS records to locate the other computer on the network. The service associated with the relevant port then uses one of these connection protocols to transmit the relevant information back to the requester. The open ports on the server listen for the unique communication requests on specific ports. The unique ports are associated with various software or services noted above.


For instance, when you open a browser and type in https://alscotoday.com, the https request is routed through an ISP or other internet provider, which then does a DNS lookup for that domain. Once the IP address is found, your https request is routed to a server owned by Liquid Web. When the request hits the server, the service listening on port 443 (in this case HTTPS (SSL)) recognizes the request for a secure connection to the server and securely returns the webpage stored on the server.


Another example would be if you attempt to connect to an FTP server here at Liquid Web. The software (FileZilla for example) reaches out to the server’s IP address on port 21, the port the FTP service listens on. The request arrives, and if the port is open, the connection is allowed through the firewall. The FTP server then responds to the connection request, and if the user authentication is successful, your computer is now connected to the server via FTP.  

Firewalls

After this, the firewall comes into play. The firewall monitors the traffic coming into and out of the server. The information stored in the firewall rules either allows or denies access based on the incoming TCP/UDP info and recognizes if the port is open or closed. Using the above FTP request as an example, if a firewall rule is set up to allow traffic to pass over port 21, the FTP request is forwarded to the FTP server where the connection is allowed. If port 21 is closed or blocked by a firewall rule, the request is denied and the connection will fail. 

Services

Finally, if the request is allowed through the firewall, the service that listens to the specifically designated port receives the request and responds in kind. Granted, this is an oversimplification of the chain of events, but it demonstrates the overall process of how a request is related to a unique port. An IP address may have multiple services listening on any one of the ports listed above. When we connect to a server, we are connecting to an IP address and a port.

Finding Local Open Ports

In Linux, there are multiple ways to see if the service is listening. Typically, we can use the software installed on the server to see if a port is open.


Note:

The use of the watch command is also advised when searching for this type of information. When used in conjunction with watch, these commands show live data refreshed every two seconds by default; the interval can be changed to a specific timeframe.

Nmap 

Nmap (Network Mapper) is an open-source network scanner used to discover services and hosts on a network. It sends packets to devices attached to the network and analyzes the responses. Nmap has many features for probing networks, including host discovery, service detection, and OS detection. To install Nmap, we use the following commands.

To discover open ports, we can run one of these commands.

Another nmap command to use is as follows.

lsof

lsof is a Linux command whose name means "list open files". It is used on many Unix-like systems to report a list of all open files and the processes that opened them. If lsof is not installed, we use the following commands to install it.

To check open ports, use this command.

We can also use lsof as part of a larger, more complex command to sort and filter information returned from the command line. This command lists the total number of TCP/UDP connections.

Using this command, we can see all IPv4 ports using TCP connections.

Or this command, which lists the process tied to an open port.
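
The kind of sorting and filtering described in this section, as an added example (not the article's own commands): it counts sockets per protocol and reduces lsof output to one line per open port, marking whether each is bound to loopback only or to an address the firewall has to cover. The function names and the sample data are constructed for illustration; the sample follows the column layout printed by `lsof -nP -i`.

```shell
# Added example: helper names and the sample data below are constructed.

# Constructed sample in the layout printed by `lsof -nP -i` (not from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812   root    3u  IPv4  21034      0t0  TCP *:22 (LISTEN)
sshd       812   root    4u  IPv6  21036      0t0  TCP *:22 (LISTEN)
sshd      3050   root    3u  IPv4  50211      0t0  TCP 192.0.2.10:22->198.51.100.7:51514 (ESTABLISHED)
mysqld    1490  mysql   21u  IPv4  30112      0t0  TCP 127.0.0.1:3306 (LISTEN)
httpd     2201 apache    4u  IPv6  41877      0t0  TCP *:443 (LISTEN)
pure-ftpd  977   root    4u  IPv4  22871      0t0  TCP 192.0.2.10:21 (LISTEN)
master    1120   root   13u  IPv6  25540      0t0  TCP [::1]:25 (LISTEN)
chronyd    700 chrony    5u  IPv4  19000      0t0  UDP 127.0.0.1:323
EOF
}

# Count sockets per protocol (the NODE column, field 8).
count_protocols() {
    awk '$8 == "TCP" || $8 == "UDP" { c[$8]++ }
         END { for (p in c) print p, c[p] }' | LC_ALL=C sort
}

# Print "port/proto scope command" for every listening TCP socket and every
# bound UDP socket. UDP has no LISTEN state, so a UDP socket with no peer
# ("->") in NAME is treated as open.
summarize_listeners() {
    awk '{
        name = ""
        if ($8 == "TCP" && $NF == "(LISTEN)") name = $(NF - 1)
        else if ($8 == "UDP" && $NF !~ /->/)  name = $NF
        if (name == "") next
        n = split(name, parts, ":")        # port follows the last colon
        port = parts[n]
        addr = substr(name, 1, length(name) - length(port) - 1)
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        line = port "/" $8 " " scope " " $1
        if (!(line in seen)) { seen[line] = 1; print line }   # merge IPv4/IPv6 twins
    }' | LC_ALL=C sort -n
}

# Only the ports bound to a non-loopback address: the ones the firewall must cover.
exposed_ports() {
    summarize_listeners | awk '$2 == "exposed" { print $1 }'
}

# Live use (assumes lsof is installed): sudo lsof -nP -i | exposed_ports
sample_lsof | summarize_listeners
```

The established SSH session in the sample is counted by `count_protocols` but left out of the listener summary, which is why a raw connection count overstates the number of open ports.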