One of the most important security and network traffic controls on a Linux server is knowing which ports it is listening on. A service listening on a port that nobody authorized or noticed is an open door for attackers and for unwanted exposure. In this article, we explain how the netstat -tuln command works and how to interpret its output.
What Does the netstat -tuln Command Do?
netstat -tuln
This command lists all TCP and UDP sockets on the system that are in the listening state, with addresses and ports shown numerically.
Parameter Explanations:
- -t → Shows TCP sockets.
- -u → Shows UDP sockets.
- -l → Lists only listening sockets (for UDP, which has no connection state, this means sockets that are bound and waiting for datagrams).
- -n → Shows IP addresses and port numbers numerically instead of resolving them to hostnames and service names. Skipping the DNS lookups makes the command faster and keeps it from hanging on a slow resolver.
Sample Output:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Line Meanings:
- 0.0.0.0:22 → Port 22 (SSH) is bound to all IPv4 addresses of the host, so it is reachable through every network interface.
- 127.0.0.1:3306 → The MySQL service is bound to the loopback address only and accepts connections from localhost alone.
- udp line → UDP port 68 (bootpc, used by the DHCP client). UDP has no connection state, so the State column is empty.
Interpretation in Terms of Security
- 0.0.0.0 address: the socket accepts connections on every IPv4 interface. Unless the service is meant to be public, restrict it with a firewall or bind it to a specific address. The IPv6 equivalent in netstat output is ::: (for example, a tcp6 line with :::22), which likewise means all addresses; check those lines too.
- 127.0.0.1: only reachable from the host itself; remote hosts cannot connect. ::1 is the IPv6 loopback and means the same thing.
- Unnecessary open ports (e.g., 10000 for Webmin, 3306 for MySQL, 6379 for Redis) widen the attack surface, especially when an administrative or database service was never meant to be reachable from the network. Any listener you cannot attribute to a known, needed service should be investigated and shut down.
Extra: Listing Only TCP or UDP Ports
Only TCP:
netstat -tnl
Only UDP:
netstat -unl
Alternative Commands (if netstat is not available)
- ss -tuln → The modern replacement for netstat (from iproute2); it accepts the same -t, -u, -l and -n options. netstat comes from the net-tools package, which many distributions no longer install by default.
- lsof -i -P -n | grep LISTEN → Shows which process is using which port.
- Adding -p to either tool (netstat -tulnp, ss -tulnp) also prints the owning PID and program name. Run it as root; otherwise sockets belonging to other users are listed without process information.
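The classification rules from the interpretation section (wildcard binds are exposed, loopback binds are local) can be automated and applied to the output of either netstat -tuln or ss -tuln. The following script is an added example and not code from the original article: it reads a listing on standard input, labels each listening socket, and prints the exposed ports that are not on an allow list. The two embedded sample listings are constructed for the demonstration rather than captured from a real host, and the service mix on that assumed host (SSH, MySQL, Redis, DHCP client) is an assumption.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -tuln` or `ss -tuln`
# output and flag wildcard binds that are not on an allow list.
# Not from the original article; the sample listings below are constructed.

# Constructed netstat -tuln output for an assumed host (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed ss -tuln output for the same assumed host, without Redis.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0           0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      70        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*'

# audit_listeners: read netstat/ss output on stdin and print one line per
# listening socket as "<class> <proto> <address> <port>", where class is
#   EXPOSED  - bound to every address (0.0.0.0, ::, [::] or *)
#   LOOPBACK - bound to 127.x.x.x or ::1, reachable only from the host itself
#   SPECIFIC - bound to one particular interface address
audit_listeners() {
  awk '
    /^(tcp|udp)/ {
      # The first field shaped like addr:port is the local address in both formats.
      local = ""
      for (i = 2; i <= NF; i++) if ($i ~ /:[0-9]+$/) { local = $i; break }
      if (local == "") next
      port = local; sub(/.*:/, "", port)          # text after the last colon
      addr = local; sub(/:[0-9]+$/, "", addr)     # everything before it
      proto = ($1 ~ /^udp/) ? "udp" : "tcp"
      if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
        cls = "EXPOSED"
      else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
        cls = "LOOPBACK"
      else
        cls = "SPECIFIC"
      print cls, proto, addr, port
    }'
}

# unexpected_exposed "22 443": print proto/port for every EXPOSED socket whose
# port is not in the space-separated allow list, one per line, sorted.
unexpected_exposed() {
  audit_listeners | awk -v allowed=" $1 " '
    $1 == "EXPOSED" && index(allowed, " " $4 " ") == 0 { print $2 "/" $4 }' | sort -u
}

# Demo against the constructed sample. On a real host pipe the live command in:
#   netstat -tuln | unexpected_exposed "22 443"    or    ss -tuln | unexpected_exposed "22 443"
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
  echo "--- exposed ports not on the allow list (22 allowed):"
  printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_exposed "22"
fi
```

Run it as `sh audit.sh --demo` to see the labelled listing followed by the two findings for the assumed host, tcp/6379 (Redis on all interfaces) and udp/68. The parser keys on the first field that looks like address:port rather than on fixed column positions, which is why the same function handles both the netstat layout and the ss layout; an allow list of the ports you expect to be public turns the listing into a check you can run from cron and alert on when it prints anything.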
The netstat -tuln command is an effective way to quickly see which ports a Linux server is listening on. Keep in mind that a listening socket is not necessarily reachable from the outside: a host firewall or an upstream network filter may block it, so confirm real exposure with a port scan from another host rather than from the listing alone. To keep the server secure, check these ports regularly, close unnecessary listeners, and limit access with a firewall (e.g., UFW, firewalld, iptables or nftables).