2.2.9. Verifying Which Ports Are Listening

Unnecessary open ports should be avoided because it increases the attack surface of your system. If after the system has been in service you find unexpected open ports in listening state, that might be signs of intrusion and it should be investigated.
Issue the following command, as root, from the console to determine which ports are listening for connections from the network:
~]# netstat -tanp | grep LISTEN
tcp        0      0     *                   LISTEN      1193/rpc.statd      
tcp        0      0  *                   LISTEN      1241/dnsmasq        
tcp        0      0     *                   LISTEN      1783/cupsd          
tcp        0      0      *                   LISTEN      7696/sendmail       
tcp        0      0       *                   LISTEN      1167/rpcbind        
tcp        0      0   *                   LISTEN      1118/tcsd           
tcp        0      0 :::631                      :::*                        LISTEN      1/init              
tcp        0      0 :::35018                    :::*                        LISTEN      1193/rpc.statd      
tcp        0      0 :::111                      :::*                        LISTEN      1167/rpcbind
Review the output of the command with the services needed on the system, turn off what is not specifically required or authorized, repeat the check. Proceed then to make external checks using nmap from another system connected via the network to the first system. This can be used verify the rules in iptables. Make a scan for every IP address shown in the netstat output (except for localhost or ::1 range) from an external system. Use the -6 option for scanning an IPv6 address. See man nmap(1) for more information.
The following is an example of the command to be issued from the console of another system to determine which ports are listening for TCP connections from the network:
~]# nmap -sT -O
See the netstat(8), nmap(1), and services(5) manual pages for more information.