Scan Router For Open Ports On Linux

Scanning your router for open ports can help you identify potential security risks and see what services are exposed to your network. This guide will show you how to safely scan your router and local network using the Linux command line and the powerful nmap tool, which is widely used for network exploration and security auditing.

IMPORTANT: Only scan networks that you own or have explicit permission to scan. Unauthorized network access may be illegal in your jurisdiction and could violate local computer abuse laws. This guide is intended for scanning your own home or business network.


Install nmap

Install nmap, if it's not already installed. On Debian/Ubuntu, you can do this with:

$ sudo apt update
$ sudo apt install nmap

If using a different Linux distribution, replace apt with your package manager, such as yum, dnf, or pacman.


Find Your Router's IP Address

Find the IP address of your router using the ip command to get the gateway address, which is usually the router's IP address:

$ ip route | grep default

Sample output:

default via 192.168.1.1 dev wlp170s0 proto dhcp src 192.168.1.100 metric 600

In this example, 192.168.1.1 is the router's IP address and 192.168.1.100 is the local machine's IP address.


Scan Your Router's Ports

Now that you have the router's IP address, you can use it to scan for open ports with nmap. Below are several common scanning scenarios.

NOTE: sudo is required because many nmap scans require root privileges to create raw network packets and access low-level socket operations.



Fast TCP Scan

To run a quick TCP connect scan (-sT) and see which TCP ports are open:

$ sudo nmap -sT 192.168.1.1

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:00 +00
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0083s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1900/tcp open  upnp
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

NOTE: By default, nmap scans approximately 1,000 of the most common TCP ports. Open ports indicate services running on the router. For example, 22/tcp is SSH and 80/tcp is HTTP.


Deep TCP Scan

If you want a more comprehensive (but slower) scan covering all 65,535 TCP ports:

$ sudo nmap -p- 192.168.1.1

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:10 +00
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0062s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1900/tcp open  upnp
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds

NOTE: This scan takes longer (9.82 seconds vs 0.25 seconds) because it checks all 65,535 possible TCP ports instead of just the ~1,000 most common ones.


UDP Port Scan

UDP scans are slower but can reveal services like DNS and DHCP. To scan for open UDP ports:

$ sudo nmap -sU 192.168.1.1

WARNING: UDP scans can take a very long time (15+ minutes) because UDP is a connectionless protocol and nmap must wait for responses or timeouts.

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:40 +00
Stats: 0:03:25 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 21.59% done; ETC: 16:27 (0:12:28 remaining)
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0021s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
1900/udp open          upnp
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 1015.44 seconds

Scanning Entire Network

To discover all devices connected to your network, run a ping scan (-sn), which detects active hosts without scanning their ports:

$ sudo nmap -sn 192.168.1.1/24

NOTE: Older versions of nmap use -sP instead of -sn. Replace 192.168.1.1/24 with your network range if different.

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:20 +00
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0030s latency).
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)
Nmap scan report for 192.168.1.10
Host is up (0.077s latency).
MAC Address: BB:CC:DD:EE:FF:00 (Fujitsu Technology Solutions GmbH)
Nmap scan report for 192.168.1.20
Host is up (0.091s latency).
MAC Address: CC:DD:EE:FF:00:11 (Intel Corporate)
Nmap scan report for 192.168.1.30
Host is up (0.064s latency).
MAC Address: DD:EE:FF:00:00:22 (Unknown)
Nmap scan report for 192.168.1.40
Host is up (0.12s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.57 seconds

Scanning Specific Devices

Once you have the IP addresses of connected devices, you can scan each one individually:

$ sudo nmap -sT 192.168.1.20

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:30 +00
Nmap scan report for 192.168.1.20
Host is up (0.0031s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
2869/tcp open  icslap
5357/tcp open  wsdapi
7070/tcp open  realserver
MAC Address: BB:CC:DD:EE:FF:00 (Fujitsu Technology Solutions GmbH)

Nmap done: 1 IP address (1 host up) scanned in 15.98 seconds

Detecting Service Version

To identify what software and versions are running on open ports (useful for finding outdated or vulnerable services):

$ sudo nmap -sV 192.168.1.1

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:15 +00
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0071s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     Dropbear sshd 2019.78 (protocol 2.0)
53/tcp   open  domain  dnsmasq 2.80
80/tcp   open  http    lighttpd 1.4.53
1900/tcp open  upnp    MiniUPnP 1.9 (UPnP 1.0)
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds

Detecting Operating System

To attempt to identify the operating system running on your router:

$ sudo nmap -O 192.168.1.1

Sample output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 12:18 +00
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0055s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1900/tcp open  upnp
MAC Address: AA:BB:CC:DD:EE:FF (TP-Link Technologies)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Controlling Scan Speed

You can control how aggressively nmap scans using timing templates (-T0 through -T5):

$ sudo nmap -T4 192.168.1.1  # Faster, more aggressive
$ sudo nmap -T2 192.168.1.1  # Slower, more stealthy

  • -T0 to -T2 - slower scans, useful for avoiding detection or on unreliable networks
  • -T3 - default timing (normal)
  • -T4 to -T5 - faster scans that assume you're on a fast and reliable network

Saving Scan Results

To save your scan results for later analysis:

$ sudo nmap -sV 192.168.1.1 -oN scan_results.txt   # plaintext output
$ sudo nmap -sV 192.168.1.1 -oX scan_results.xml   # XML output
$ sudo nmap -sV 192.168.1.1 -oG scan_results.grep  # grep-able output

Understanding The Results

Port Statuses

  • Open - port is open and actively accepting connections, a service is listening on this port
  • Closed - port is reachable (not blocked by a firewall), but no service is listening on it
  • Filtered - a firewall, router, or network device is blocking access to the port, nmap cannot determine if it's open or closed
  • Open|Filtered (shown as open|filtered) - nmap cannot determine whether the port is open or filtered; common in UDP scans where no response is received

Common Ports & Services

Here are some commonly encountered ports and what they typically indicate:

Port    Protocol  Service   Notes
21      TCP       FTP       File transfer; often insecure
22      TCP       SSH       Secure remote access
23      TCP       Telnet    Insecure remote access; should be disabled
25      TCP       SMTP      Email server
53      TCP/UDP   DNS       Domain name resolution
67/68   UDP       DHCP      IP address assignment
80      TCP       HTTP      Web server (unencrypted)
443     TCP       HTTPS     Web server (encrypted)
445     TCP       SMB       Windows file sharing
1900    TCP/UDP   UPnP      Universal Plug and Play
3389    TCP       RDP       Remote Desktop Protocol
8080    TCP       HTTP-Alt  Alternative web server port

Warning Signs

Be concerned if you find:

  • FTP (port 21) open - consider using SFTP (SSH file transfer) instead
  • Telnet (port 23) open - this is an unencrypted protocol that should be replaced with SSH
  • SMB ports (445, 139) open to the internet - these should only be accessible on your local network
  • UPnP (port 1900) open - can be exploited; consider disabling if not needed
  • Unexpected database ports (3306, 5432, 27017) - databases should not be directly exposed
  • Old or vulnerable service versions - identified with -sV scans

Troubleshooting Common Issues

Permission Denied Errors

If you encounter a "You do not have permission to perform this scan" error, make sure to use sudo:

$ sudo nmap -sS 192.168.1.1

Firewall Blocking

If your local firewall is blocking nmap, you may need to temporarily allow it:

$ sudo ufw allow out from any to 192.168.1.0/24  # UFW example

Router Not Responding to Pings

Some routers block ping probes. Use the -Pn flag to skip host discovery:

$ sudo nmap -Pn 192.168.1.1

Slow Scans

If scans are taking too long:

  • Use -T4 for faster scanning on reliable networks
  • Scan specific ports instead of all ports: nmap -p 22,80,443 192.168.1.1
  • Avoid UDP scans unless necessary (they're inherently slow)

No Results or "All Filtered"

This usually means:

  • A firewall is blocking the scan
  • The target device is not responding
  • You're scanning the wrong IP address

Try the -Pn flag and verify you have the correct IP address.


Security Best Practices

After scanning your network, take these steps to improve security:

Review Open Ports

  • Document all open ports and the services running on them
  • Research any unfamiliar services to understand what they do
  • Close any ports that aren't necessary for your network operations

Disable Unnecessary Services

  • Access your router's admin interface (usually at http://192.168.1.1)
  • Disable services you don't use (UPnP, remote management, FTP, Telnet)
  • Keep only essential services like DNS and DHCP enabled

Update Firmware Regularly

  • Enable automatic updates if available
  • Check your router manufacturer's website for firmware updates
  • Outdated firmware often contains known security vulnerabilities

Use Strong Authentication

  • Change default admin passwords to strong, unique passwords
  • Enable WPA3 encryption for wireless networks (or WPA2 if WPA3 isn't available)
  • Disable WPS (Wi-Fi Protected Setup) as it has known vulnerabilities

Configure Firewall Rules

  • Use your router's firewall to restrict access to administrative services
  • Block incoming connections on all ports unless specifically needed
  • Consider MAC address filtering for additional security

Regular Monitoring

  • Scan your network monthly to detect changes
  • Investigate any new open ports or devices immediately
  • Keep logs of your scans to track what's normal for your network
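
One way to act on the monitoring advice above, as an added example that is not part of the original guide: the script reads two scans saved with -oG (see Saving Scan Results), lists ports that are newly open compared with the baseline, and flags the ports named under Warning Signs. The script name portwatch.sh, the file names and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): compare two nmap -oG scans.
RISKY_PORTS="21 23 139 445 1900 3306 5432 27017"   # from "Warning Signs"

# Print "ip port/proto service" for every port whose state is exactly "open".
# -oG fields are tab-separated; a port entry is port/state/proto/owner/service/...
open_ports() {
    awk -F'\t' '/Ports: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            p = $i; sub(/^Ports: /, "", p)
            n = split(p, e, ", ")
            for (j = 1; j <= n; j++) {
                split(e[j], f, "/")
                # skip text after a comma inside a version string, and open|filtered
                if (f[1] ~ /^[0-9]+$/ && f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }
    }' "$1" | LC_ALL=C sort -u
}

# Ports open in the current scan ($2) that were not open in the baseline ($1).
new_ports() {
    _old=$(mktemp); _new=$(mktemp)
    open_ports "$1" > "$_old"; open_ports "$2" > "$_new"
    LC_ALL=C comm -13 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Open ports in scan $1 that are on the warning-sign list.
risky_ports() {
    open_ports "$1" | while read -r ip port svc; do
        case " $RISKY_PORTS " in
            *" ${port%/*} "*) echo "$ip $port $svc" ;;
        esac
    done
}

# Constructed sample data: baseline -> $1, later scan with telnet added -> $2.
write_samples() {
    printf 'Host: 192.168.1.1 (_gateway)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 1900/open/tcp//upnp///\tIgnored State: closed (996)\n' > "$1"
    printf 'Host: 192.168.1.1 (_gateway)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 53/open/tcp//domain///, 67/open|filtered/udp//dhcps///, 80/open/tcp//http///, 1900/open/tcp//upnp///\tIgnored State: closed (995)\n' > "$2"
}

# Usage: sh portwatch.sh baseline.grep current.grep (no arguments: use samples).
if [ "$#" -eq 2 ]; then base=$1; cur=$2
else base=$(mktemp); cur=$(mktemp); write_samples "$base" "$cur"; fi
echo "New open ports since baseline:"; new_ports "$base" "$cur"
echo "Warning-sign ports open now:"; risky_ports "$cur"
```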

Segment Your Network

  • Limit communication between network segments
  • Use VLANs or guest networks to isolate IoT devices
  • Keep untrusted devices separate from computers with sensitive data
