
Linux Server Port and Process Monitoring Guide

This guide demonstrates how to identify open ports, the processes using them, which users own these processes, and how they were invoked on a Linux server.

Checking Open Ports

Using ss (Socket Statistics)

The modern replacement for netstat:

bash
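# Show all listening TCP and UDP ports with process information
# (-t TCP, -u UDP, -l listening, -p process, -n numeric; without root, -p only shows your own processes)
sudo ss -tulpn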

# Example output:
# Netid  State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process
# tcp    LISTEN   0        128        0.0.0.0:22             0.0.0.0:*           users:(("sshd",pid=1234,fd=3))
# tcp    LISTEN   0        511        0.0.0.0:80             0.0.0.0:*           users:(("nginx",pid=2345,fd=6))

Using netstat

Traditional but still useful:

bash
# Show all listening ports with numeric addresses and process info
sudo netstat -tulpn

# Show established connections too
sudo netstat -tulpna

Using lsof (List Open Files)

bash
# Show all network connections
sudo lsof -i

# Show processes listening on a specific port
sudo lsof -i :80

Mapping Ports to Processes

Find Process Details for a Specific Port

bash
# Find what's using port 80
sudo ss -lptn 'sport = :80'
sudo lsof -i:80

# List every listening socket with numeric ports (-P) and addresses (-n)
sudo lsof -i -P -n | grep LISTEN

Identifying Process Owners and Command Lines

Using ps Command

bash
# Once you have the PID from previous commands
ps -f -p <PID>

# For more detailed output
ps -elf | grep <PID>

# Full command line with environment
ps eww -p <PID>

# Example: show only the PID, owner and command for PID 720
ps -p 720 -o pid,user,command

# Check the current working directory of a process
sudo lsof -p <PID> | grep cwd

Using /proc Filesystem

bash
# View the command used to start the process
cat /proc/<PID>/cmdline | tr '\0' ' '; echo

# Check process owner (the /proc/<PID> directory is normally owned by the user the process runs as)
stat -c '%U' /proc/<PID>

Determining How Processes Were Started

Check Systemd Services

bash
# If it's a service, you can check its status
sudo systemctl status <service-name>

# List all running services
systemctl list-units --type=service --state=running

Check Process Parents

bash
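# Show the process with its ancestors (-s) and PIDs (-p)
pstree -s -p <PID>

# Alternative using ps: get the parent PID, then inspect the parent
ps -o ppid= -p <PID>
ps -f -p <PPID>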

Checking User Sessions and Activities

bash
# Who is logged in
who

# Who is logged in and what they're doing
w

# Last login information
last

Comprehensive System Overview

bash
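# Overview combining ports, users and processes: local address:port, owning UID, PID/program
# (-e adds the User and Inode columns; UDP sockets have no LISTEN state, so grep keeps TCP only)
sudo netstat -tulpne | grep LISTEN | awk '{print $4,$7,$9}' | sort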

Practical Examples

Example 1: Identifying a Web Server Process

bash
# Find what's using port 80
sudo ss -lptn 'sport = :80'
# Get details about the process
ps -f -p <PID>
# Check how it was started
sudo systemctl status nginx

Example 2: Investigating Unknown Ports

bash
# Discover all listening ports
sudo ss -tulpn
# For any suspicious port (e.g., 31337)
sudo lsof -i:31337
# Check process details
ps -f -p <PID>
# Check when the binary was last modified
# (resolve its path first with: sudo readlink /proc/<PID>/exe)
ls -la /path/to/suspicious/binary
# Check where connections are going
sudo ss -tapn | grep 'pid=<PID>,'

Remember to run these commands with appropriate permissions. Most network-related commands require sudo privileges to see all the information.
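
The steps in this guide chained together, as an added example that is not part of the original guide: `parse_listeners` turns `ss -H -tulpn` output into one row per socket and process, and `describe_pid` reads the owner, parent PID, executable and command line from /proc. The function names and the sample `ss` lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Read `ss -H -tulpn` lines on stdin; print: proto addr port pid program
parse_listeners() {
  awk '{
    proto = $1; port = $5; addr = $5
    sub(/.*:/, "", port)        # text after the last colon
    sub(/:[^:]*$/, "", addr)    # text before it, so [::]:80 splits correctly
    rest = $0; found = 0
    # A socket can be shared by several processes: one row per pid.
    while (match(rest, /\("[^"]*",pid=[0-9]+/)) {
      entry = substr(rest, RSTART, RLENGTH)
      rest = substr(rest, RSTART + RLENGTH)
      prog = entry; sub(/^\("/, "", prog); sub(/".*/, "", prog)
      pid = entry; sub(/.*pid=/, "", pid)
      print proto, addr, port, pid, prog; found = 1
    }
    # No users:(...) column: owner not visible, often because ss ran without root.
    if (!found) print proto, addr, port, "-", "-"
  }'
}

# Print owner, parent PID, executable and command line of one PID from /proc.
describe_pid() {
  dir="/proc/$1"
  [ -d "$dir" ] || { echo "pid=$1 not running"; return 1; }
  printf 'pid=%s user=%s ppid=%s exe=%s cmd=%s\n' "$1" \
    "$(stat -c %U "$dir")" \
    "$(awk '/^PPid:/ {print $2}' "$dir/status")" \
    "$(readlink "$dir/exe" 2>/dev/null || echo '?')" \
    "$(tr '\0' ' ' < "$dir/cmdline")"
}

# Constructed sample in `ss -H -tulpn` format. On a live host use:
#   sudo ss -H -tulpn | parse_listeners
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=2345,fd=6),("nginx",pid=2346,fd=6))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | parse_listeners
describe_pid "$$" || true   # this shell itself, as a harmless live PID
```

Rows that end in `- -` are sockets whose owner `ss` could not report; rerun as root before treating them as unexplained.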