Open your terminal right now.
Type this:
sudo netstat -tulpn
Every line = an open port on your server.
A door that anyone on the internet can knock on.
Do you recognize every single process on that list?
Last year I audited a client's VPS.
"It's just Nginx and MySQL," they said.
The output told a different story:
— Port 3306 → MySQL open to the entire internet
— Port 6379 → Redis, zero authentication, fully exposed
— Port 8080 → a forgotten staging app still running
— Port 25 → SMTP open, server was a spam relay
Four open doors. Six months undetected.
The Redis exposure alone could have wiped their database in seconds.
How to read the output:
0.0.0.0 (or ::: for IPv6) = listening on every interface, accessible from ANY IP on the internet unless a firewall blocks it
127.0.0.1 (or ::1 for IPv6) = localhost only, safe
The most dangerous line you can see:
tcp 0.0.0.0:3306 LISTEN mysqld
Your database. Open to the world. Just one password away from disaster.
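The reading rules above can be applied mechanically. This is an added example, not part of the original post: a shell function that reads `netstat -tulpn` output and labels each listener LOCAL, EXPECTED or EXPOSED. The allowlist argument, the three labels and the sample output are constructed for illustration.

```shell
# Constructed sample of `sudo netstat -tulpn` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN  1044/mysqld
tcp        0      0 127.0.0.1:6379   0.0.0.0:*        LISTEN  990/redis-server
tcp6       0      0 :::8080          :::*             LISTEN  2301/node
udp        0      0 127.0.0.53:53    0.0.0.0:*                640/systemd-resolve
EOF
}

# audit_listeners "<ports you can explain>" : reads netstat output on stdin.
# Labels: LOCAL = loopback only, EXPECTED = non-loopback but allowlisted,
# EXPOSED = non-loopback and unexplained. The allowlist is an assumption of
# this example; a host firewall may still block an EXPOSED port.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }              # skip header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # TCP: listening sockets only
    {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # everything before it
      owner = "-"                            # stays "-" when run without root
      for (i = 5; i <= NF; i++)
        if ($i ~ /^[0-9]+\//) {              # first "PID/program" field
          owner = $i
          for (j = i + 1; j <= NF; j++) owner = owner " " $j
          break
        }
      if (host ~ /^127\./ || host == "::1") verdict = "LOCAL"
      else if (port in ok)                  verdict = "EXPECTED"
      else                                  verdict = "EXPOSED"
      print verdict, $1, host, port, owner
    }'
}

# Stand-alone run against the sample; on a real host use:
#   sudo netstat -tulpn | audit_listeners "22 80 443"
sample_netstat | audit_listeners "22 80 443"
```

Every EXPOSED line is a port you have not yet explained: either add it to the list deliberately or rebind or stop the service.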
4 commands for a complete audit:
See every open port:
sudo netstat -tulpn
See who is connected right now:
sudo netstat -tnp | grep ESTABLISHED
Find which process owns a port:
sudo netstat -tlnp | grep :3306
Top 10 IPs currently hitting your server:
sudo netstat -tn | awk 'NR>2 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -10
If MySQL is exposed — fix it now:
Edit /etc/mysql/mysql.conf.d/mysqld.cnf:
bind-address = 127.0.0.1
sudo systemctl restart mysql
If Redis is exposed:
Edit /etc/redis/redis.conf:
bind 127.0.0.1
requirepass YourStrongPassword
sudo systemctl restart redis
My rule on every server I manage:
If I cannot explain why a port is open — I close it.
Every open port is an attack surface.
Every forgotten service is a liability.
Every exposed database is a breach waiting to happen.
This command takes 3 seconds to run.
Most people have never run it once.
Run it right now.
Did you find anything unexpected?
Drop it in the comments — I respond to every single one.