Secure Remote Access is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Secure Remote Access

ss vs lsof vs nmap for Linux Port Checks

ss, lsof, and nmap all help with Linux port checks, but they answer different questions. ss shows local socket state, lsof connects sockets to processes and files, and nmap checks what appears reachable from another network point.

A good exposure review uses all three perspectives: what is listening, which process owns it, and what an outside scan can reach.

The short comparison

Pick the tool based on the question you are asking. Do not expect one command to tell you the whole exposure story.

Tool Best question Perspective
ss What sockets are listening on this Linux host? Local kernel socket table
lsof Which process owns this open socket or file? Local process/file view
nmap What ports appear open from here? Outside-in network scan

Nmap’s own reference describes it as a network exploration and security auditing tool that reports port states such as open, filtered, closed, and unfiltered. That outside-in perspective is different from asking the local host what it is listening on.

When should you use ss?

Use ss first when you are logged into the Linux server and want to know what is listening locally. It is the modern socket-inspection tool most admins reach for before asking whether something should be public.

ss is especially useful for:

If you need a practical walkthrough, use the existing guide to check listening ports on Linux with ss and lsof and the ss port-audit tool note.

When should you use lsof?

Use lsof when the port is interesting and you need to know which process owns it. The name means “list open files,” and on Unix-like systems sockets are part of the same operational world of open file descriptors.

lsof is useful for:

The common workflow is: use ss to notice the listener, then lsof or service manager tools to understand the owner.

When should you use nmap?

Use nmap when you want an outside-in view from another machine or network location. A local server may show a process listening, but firewall rules, NAT, cloud security groups, routing, and bind addresses decide what another host can actually reach.

Nmap is useful for:

Only scan systems you own or have permission to test. For a permission-safe workflow, use the existing Nmap for your own server exposure check page.

Why results can differ

Different results are normal because the tools look from different places. A service can listen locally while being blocked externally, or appear open externally through a proxy even though the backend service is bound to localhost.

Examples:

Situation ss sees nmap sees
App bound to 127.0.0.1 Local listener Closed or filtered from outside
App bound to 0.0.0.0 but firewall blocks Local listener Filtered or closed
Reverse proxy public, backend private Backend local listener plus proxy listener Public proxy port only
Cloud firewall allows port Local listener Open from permitted sources
Docker publishes a port Host-level listener/NAT behavior may appear Open depending on bind and firewall path

This is why exposure checks should include both host inspection and network testing.

A practical order for a small VPS audit

Start local, then confirm externally. That gives you fewer mysteries.

  1. List local listeners with ss.
  2. Identify suspicious owners with lsof or systemd.
  3. Compare listeners against your service inventory.
  4. Check firewall and cloud security-group intent.
  5. Run nmap from a permitted outside host.
  6. Fix anything that should not be reachable.
  7. Record the expected public ports.

For most small servers, the expected public list should be short: usually HTTPS, maybe HTTP for redirect, and rarely public SSH if you have not moved to a private access pattern yet.

Common mistakes

Trusting local checks as proof of public exposure

A local listener is not automatically public. Bind address, firewall, NAT, and cloud rules matter.

Trusting outside scans without checking process ownership

An open port tells you something is reachable. It does not always tell you which local process or container owns it.

Scanning networks you do not control

Keep scans to systems you own or have explicit permission to test.

Forgetting Docker and reverse proxies

Containers and proxies can make exposure less obvious. Always connect the port to the deployment path.

FAQ

Is ss better than netstat?

For modern Linux administration, ss is generally the better default because it is current and reads socket information efficiently. Many older tutorials still show netstat.

Can nmap prove a port is safe?

No. Nmap can show what appears reachable from the scan location. It does not prove the service is secure.

Which tool should I use first?

Use ss first on the server, then lsof for ownership, then nmap from another machine to confirm outside reachability.

Sources