As a Linux and FreeBSD sysadmin I often need to know which process is bound to which port number. I'm sure many novice system administrators will sooner or later end up with the same question. Knowing which processes are listening on which TCP and UDP ports is a must for a properly configured Linux / BSD system. On Linux there are two commands (lsof and fuser) with which you can get various extra PID information on running processes, i.e. information which cannot otherwise be obtained via the usual ps and netstat. To use them on most Linux distributions, you will have to install them first.
1. Install fuser / lsof on Linux / BSD
a) On RPM-based Linux distros (Fedora, CentOS, RHEL, SuSE), /sbin/fuser is usually part of the base install via the psmisc rpm package. /usr/sbin/lsof, however, is not among the rpms installed by default, so you have to install it manually via yum:
[root@centos ~]# yum install -y lsof
....
b) On Deb based Linuxes (Debian, Ubuntu, Mint, ArchLinux etc.), both lsof and fuser have to be installed from separate packages that are not part of the Debian base install (fuser ships in the psmisc package).
server:~# apt-get --yes install lsof psmisc
....
On Debian the full paths of the two are /bin/fuser and /usr/bin/lsof.
The two tools are a precious Swiss army knife to have, whether you suspect someone has cracked into a server or suspect there might be "hidden" cracker processes on the server.
c) Install fuser and lsof on Free/Net/Open BSD
bsd# cd /usr/ports/sysutils/fuser
bsd# make install clean
....
bsd# cd /usr/ports/sysutils/lsof
bsd# make install clean
....
2. Using fuser and lsof to look up process PIDs assigned to port numbers
The lsof name is derived from List Open Files. As we know, in UNIX, GNU / Linux and *BSD everything on the system is a file, so lsof can be used to get all kinds of information concerning all active files (i.e. ports, PIDs, protocols and process names):
server:~# lsof +M -i4 | less
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 1317 daemon 4u IPv4 3930 0t0 UDP *:sunrpc[portmapper]
portmap 1317 daemon 5u IPv4 3939 0t0 TCP *:sunrpc[portmapper] (LISTEN)
rpc.statd 1329 statd 4u IPv4 3974 0t0 UDP *:657
rpc.statd 1329 statd 6u IPv4 3983 0t0 UDP *:28530[status]
rpc.statd 1329 statd 7u IPv4 3986 0t0 TCP *:58515[status] (LISTEN)
apache2 1625 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 1625 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
sshd 1918 root 3u IPv4 4945 0t0 TCP *:ssh (LISTEN)
miniserv. 2155 root 5u IPv4 5299 0t0 TCP *:20000 (LISTEN)
miniserv. 2155 root 6u IPv4 5300 0t0 UDP *:20000
miniserv. 2161 root 6u IPv4 5367 0t0 TCP *:webmin (LISTEN)
miniserv. 2161 root 7u IPv4 5368 0t0 UDP *:10000
ntpd 2172 ntp 16u IPv4 5395 0t0 UDP *:ntp
ntpd 2172 ntp 18u IPv4 5402 0t0 UDP localhost:ntp
ntpd 2172 ntp 19u IPv4 5403 0t0 UDP iqtest.soccerfame.com:ntp
ntpd 2172 ntp 20u IPv4 16028 0t0 UDP secure.broomlake.com:ntp
apache2 4505 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4505 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 4539 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4539 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 4780 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4780 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 4900 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4900 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 4907 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4907 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 4915 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 4915 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5067 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5067 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5133 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5133 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5134 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5134 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5148 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5148 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5152 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5152 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5259 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5259 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5265 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5265 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5266 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5266 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5346 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5346 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5356 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5356 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5467 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5467 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5523 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5523 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5568 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5568 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5715 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5715 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5716 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5716 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5758 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5758 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 5789 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 5789 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 6106 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 6106 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 16608 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 16608 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 16904 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 16904 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 17124 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 17124 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 17280 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 17280 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 20855 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 20855 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 20920 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 20920 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 21023 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 21023 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 22182 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 22182 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23307 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23307 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23366 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23366 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23408 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23408 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23419 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23419 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23428 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23428 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23452 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23452 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23561 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23561 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23579 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23579 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 23851 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 23851 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 24103 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 24103 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 24659 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 24659 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
sshd 25073 root 3u IPv4 29855891 0t0 TCP iqtest.soccerfame.com:ssh->www.pc-freak.net:50176 (ESTABLISHED)
sshd 25084 hipo 3u IPv4 29855891 0t0 TCP iqtest.soccerfame.com:ssh->www.pc-freak.net:50176 (ESTABLISHED)
apache2 25089 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 25089 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 26737 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 26737 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 27243 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 27243 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 27282 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 27282 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 27633 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 27633 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 28205 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 28205 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 29244 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 29244 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 29372 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 29372 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 29411 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 29411 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 29462 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 29462 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 29548 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 29548 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 30161 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 30161 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 31876 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 31876 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 31958 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 31958 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32052 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32052 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32061 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32061 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32143 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32143 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32149 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32149 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32440 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32440 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32635 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32635 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 32790 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 32790 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 40211 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 40211 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 40309 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 40309 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 40432 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 40432 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 40476 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 40476 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46319 root 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46319 root 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46438 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46438 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46439 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46439 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46440 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46440 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46441 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46441 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46442 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46442 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46443 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46443 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46509 root 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46509 root 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46510 root 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46510 root 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 46515 root 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 46515 root 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 51287 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 51287 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 51485 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 51485 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 51804 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 51804 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
named 54418 bind 20u IPv4 31298857 0t0 TCP localhost:domain (LISTEN)
named 54418 bind 21u IPv4 31298859 0t0 TCP iqtest.soccerfame.com:domain (LISTEN)
named 54418 bind 22u IPv4 31298861 0t0 TCP secure.broomlake.com:domain (LISTEN)
named 54418 bind 23u IPv4 31298865 0t0 TCP localhost:953 (LISTEN)
named 54418 bind 512u IPv4 31298856 0t0 UDP localhost:domain
named 54418 bind 513u IPv4 31298858 0t0 UDP iqtest.soccerfame.com:domain
named 54418 bind 514u IPv4 31298860 0t0 UDP secure.broomlake.com:domain
named 54418 bind 515u IPv4 31298864 0t0 UDP *:domain
proftpd 62010 proftpd 1u IPv4 31306260 0t0 TCP *:ftp (LISTEN)
mysqld 62420 mysql 11u IPv4 31306903 0t0 TCP *:mysql (LISTEN)
apache2 62582 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 62582 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 62845 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 62845 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
apache2 64748 www-data 3u IPv4 5456 0t0 TCP *:www (LISTEN)
apache2 64748 www-data 4u IPv4 5458 0t0 TCP *:https (LISTEN)
The above lsof command lists all active processes with their port numbers on UDP and TCP over IPv4, together with the assigned process PID (in the second column). This is very useful if you find a service listening on some port number and cannot figure out exactly which process is listening.
A classic example where this is very helpful: you have a process listening on SMTP port 25 and you cannot identify which mail server is taking up the port. This has happened to me many times on Debian Linux based hosts which had sendmail installed by default, and where I later removed sendmail to install Postfix or Exim SMTP.
To find out what is holding port 25, grep the protocol name from the list of all bound host processes, like so:
server:~# lsof +M -i4 | grep -i smtp
exim4 17550 root 3u IPv4 31577966 0t0 TCP localhost:smtp (LISTEN)
If you want the process ID bound to some other random port, let's say port 10000, you can grep for it following the same logic:
server:~# lsof +M -i4 |grep -i 10000
miniserv. 2161 root 7u IPv4 5368 0t0 UDP *:10000
To get rid of a process when you are unsure which init script (/etc/init.d/service-name) is starting it, you can then use the kill command to stop it:
server:~# kill -9 2161
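Instead of grepping by hand, the lsof listing can be compared against a list of the services you expect on the host. This is an added example, not part of the original article: the sample lines and the allowlist are constructed, and it assumes lsof is run as `lsof -nP -i4` (without +M) so hosts and ports are numeric. With service names, the grep for 10000 above matched only the UDP socket, because the TCP one is printed as *:webmin.

```shell
#!/bin/sh
# Added example: report listening sockets that are not on an allowlist.
# Reads `lsof -nP -i4`-style text (numeric hosts and ports) on stdin.

# Constructed sample input, using the column layout shown above.
sample_lsof() {
cat <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       1918     root    3u  IPv4   4945      0t0  TCP *:22 (LISTEN)
apache2    1625 www-data    3u  IPv4   5456      0t0  TCP *:80 (LISTEN)
apache2    4505 www-data    3u  IPv4   5456      0t0  TCP *:80 (LISTEN)
miniserv.  2161     root    6u  IPv4   5367      0t0  TCP *:10000 (LISTEN)
miniserv.  2161     root    7u  IPv4   5368      0t0  UDP *:10000
ntpd       2172      ntp   16u  IPv4   5395      0t0  UDP *:123
sshd      25073     root    3u  IPv4 298558      0t0  TCP 192.0.2.10:22->198.51.100.7:50176 (ESTABLISHED)
perl       4711   nobody    4u  IPv4 310001      0t0  TCP *:58515 (LISTEN)
EOF
}

# Hypothetical allowlist of "command:proto/port" entries expected on this host.
ALLOWED='sshd:tcp/22 apache2:tcp/80 ntpd:udp/123'

# Print "command pid user proto/port" for each socket that accepts traffic
# but has no matching allowlist entry.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NR == 1 { next }                                # header line
    {
        proto = tolower($8); name = $9
        if (name ~ /->/) next                       # connected socket, has a peer
        if (proto == "tcp" && $NF != "(LISTEN)") next
        port = name; sub(/.*:/, "", port)           # text after the last colon
        key = $1 ":" proto "/" port
        if (!(key in ok) && !seen[$2 " " key]++)
            print $1, $2, $3, proto "/" port
    }'
}

# Live use (as root, so every process is visible): lsof -nP -i4 | unexpected_listeners
sample_lsof | unexpected_listeners
```

On the constructed sample this reports both miniserv. sockets on port 10000 and the perl listener on 58515; the established sshd connection is skipped because it is not a listener.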
The second approach to finding out which process is listening on a random port or socket, let's say port number 58515, is to use fuser.
server:~# netstat -ltn4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:58515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 77.92.85.71:53 0.0.0.0:* LISTEN
tcp 0 0 109.123.106.44:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
The netstat command above lists all active listening sockets with their respective IP address and port for TCP/IP v4.
From here, to get more information on which process is listening on port 58515:
server:~# fuser -v 58515/tcp
USER PID ACCESS COMMAND
58515/tcp: statd 1329 F.... rpc.statd
Once you know what is listening, you can also kill it directly through fuser if you want:
server:~# fuser -vk 58515/tcp
To wrap up, I will say fuser and lsof are two must-have software tools on any production server. They are among the critical applications an admin has to install during initial server set-up. fuser and lsof often help me in my sysadmin work; more than once I've used them to identify script-kiddie exploit scanners running under standard process names, as well as cracker back-doors secretly listening on weird port numbers.
Hopefully this little article helps someone learn something new. Plenty is written and will be written, and if one takes the time to research he can learn much, much more. I'm sure my tiny article is nothing new under the sun for old-school admins, but I still hope it will be of use to novices. I'm looking forward to hearing if I'm missing some neat use or some interesting case when lsof or fuser "saved your ass" 🙂