ss, lsof, and nmap all help with Linux port checks, but they answer different questions. ss shows local socket state, lsof connects sockets to processes and files, and nmap checks what appears reachable from another network point.
A good exposure review uses all three perspectives: what is listening, which process owns it, and what an outside scan can reach.
The short comparison
Pick the tool based on the question you are asking. Do not expect one command to tell you the whole exposure story.
| Tool | Best question | Perspective |
|---|---|---|
ss |
What sockets are listening on this Linux host? | Local kernel socket table |
lsof |
Which process owns this open socket or file? | Local process/file view |
nmap |
What ports appear open from here? | Outside-in network scan |
Nmap’s own reference describes it as a network exploration and security auditing tool that reports port states such as open, filtered, closed, and unfiltered. That outside-in perspective is different from asking the local host what it is listening on.
When should you use ss?
Use ss first when you are logged into the Linux server and want to know what is listening locally. It is the modern socket-inspection tool most admins reach for before asking whether something should be public.
ss is especially useful for:
- finding listening TCP or UDP sockets;
- checking whether a service binds to
127.0.0.1, a private address, or all interfaces; - verifying that a port changed after a service restart;
- supporting a quick local exposure inventory.
If you need a practical walkthrough, use the existing guide to check listening ports on Linux with ss and lsof and the ss port-audit tool note.
When should you use lsof?
Use lsof when the port is interesting and you need to know which process owns it. The name means “list open files,” and on Unix-like systems sockets are part of the same operational world of open file descriptors.
lsof is useful for:
- mapping a listening port to a PID;
- spotting unexpected processes;
- confirming which user owns the process;
- investigating old services after migrations;
- checking files and sockets during incident review.
The common workflow is: use ss to notice the listener, then lsof or service manager tools to understand the owner.
When should you use nmap?
Use nmap when you want an outside-in view from another machine or network location. A local server may show a process listening, but firewall rules, NAT, cloud security groups, routing, and bind addresses decide what another host can actually reach.
Nmap is useful for:
- scanning your own VPS from another network;
- confirming whether a firewall blocks a port;
- checking public exposure after a deployment;
- validating that a supposedly private service is not reachable externally;
- documenting an exposure baseline.
Only scan systems you own or have permission to test. For a permission-safe workflow, use the existing Nmap for your own server exposure check page.
Why results can differ
Different results are normal because the tools look from different places. A service can listen locally while being blocked externally, or appear open externally through a proxy even though the backend service is bound to localhost.
Examples:
| Situation | ss sees |
nmap sees |
|---|---|---|
App bound to 127.0.0.1 |
Local listener | Closed or filtered from outside |
App bound to 0.0.0.0 but firewall blocks |
Local listener | Filtered or closed |
| Reverse proxy public, backend private | Backend local listener plus proxy listener | Public proxy port only |
| Cloud firewall allows port | Local listener | Open from permitted sources |
| Docker publishes a port | Host-level listener/NAT behavior may appear | Open depending on bind and firewall path |
This is why exposure checks should include both host inspection and network testing.
A practical order for a small VPS audit
Start local, then confirm externally. That gives you fewer mysteries.
- List local listeners with
ss. - Identify suspicious owners with
lsofor systemd. - Compare listeners against your service inventory.
- Check firewall and cloud security-group intent.
- Run
nmapfrom a permitted outside host. - Fix anything that should not be reachable.
- Record the expected public ports.
For most small servers, the expected public list should be short: usually HTTPS, maybe HTTP for redirect, and rarely public SSH if you have not moved to a private access pattern yet.
Common mistakes
Trusting local checks as proof of public exposure
A local listener is not automatically public. Bind address, firewall, NAT, and cloud rules matter.
Trusting outside scans without checking process ownership
An open port tells you something is reachable. It does not always tell you which local process or container owns it.
Scanning networks you do not control
Keep scans to systems you own or have explicit permission to test.
Forgetting Docker and reverse proxies
Containers and proxies can make exposure less obvious. Always connect the port to the deployment path.
FAQ
Is ss better than netstat?
For modern Linux administration, ss is generally the better default because it is current and reads socket information efficiently. Many older tutorials still show netstat.
Can nmap prove a port is safe?
No. Nmap can show what appears reachable from the scan location. It does not prove the service is secure.
Which tool should I use first?
Use ss first on the server, then lsof for ownership, then nmap from another machine to confirm outside reachability.
Sources
- Nmap Reference Guide
- Linux manual pages for socket and process inspection tools
- Existing TheLinuxForum
ss,lsof, and Nmap exposure-check guides