Question
port scan externally reveals open port, from inside those ports are closed
- Posted August 10, 2017
- NetworkingFirewallDigitalOceanSecurityUbuntu 16.04
port scanning the droplet internally (from the droplet) gives the expected
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
but scanning remote from the host shows a discrepancy:
PORT STATE SERVICE
22/tcp open ssh
113/tcp filtered ident
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp filtered http-rpc-epmap
3128/tcp open squid-http
and within the span of several seconds, even more ports are filtered
Not shown: 955 closed ports, 41 filtered ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
I have two questions. First and foremost:
- Why are ports 139 and 445 showing up as open when scanned externally? I tried commands like
fuser -v -n tcp 445
lsof -i
netstat -a
ps -ef | grep smbd
in efforts to find the elusive processes listening on these ports, to no avail. I don’t have mamba installed either. Could someone shed any light on this issue?
- Why are certain ports being filtered when scanning the droplet externally from host? I have no iptables or firewall rules set in place. Is this DigitalOcean performing filtering at the router?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
On Ubuntu, ufw isn’t configured by default, thus any port could show up as open, filtered, etc. You’d need to configure the firewall specifically to suit your needs if you only want specific ports open.
Generally, what I recommend is doing a full reset, even if nothing has been configured. Working from a clean slate makes things easier.
Disable ufw (just to confirm)
ufw --force disable
Reset ufw
ufw --force reset
Configure ufw Default Incoming Policy
ufw default deny incoming
Configure ufw Default Outgoing Policy
ufw default allow outgoing
Once those settings are in place, you’d want to go about adding the ports that you want to allow in, starting with SSH first so you can connect.
ufw allow 22/tcp
From there, you’d allow the ports you need for service(s). For example, if we wanted HTTP/S, we’d add 80 and 443.
ufw allow 80/tcp
ufw allow 443/tcp
Unless you’re using DNS or have a need for udp, most all ports will be tcp, including mail ports.
Once you’ve added all ports, you’d enable ufw.
ufw --force enable
That should take care of the mystery ports and provide you with a pretty solid foundation from which to work with.
Of course, you could just disable ufw altogether (first command) and use our Cloud Firewall service (which is 100% free, no added costs). You can then use it to set up similar policies and it’s actually a bit easier to use.
i have the same problem here.
I run a Linux Droplet with only port 22 open! But when i scan the droplet nmap says:
PORT STATE SERVICE 22/tcp open ssh 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds
but “lsof -i TCP:135” from inside shows nothing.
i guess they just filter those ports for all droplets at the gateway.
@jtittle Thanks for this in depth answer. Having only used iptables, ufw is uncomplicated :) I also found some information out about my first question.
I ran the port scan on the droplet from a different host(using a VPN) and I got exactly what I expected, without 139/tcp or 445/tcp:
So the problem arises from the local network. I port scanned the original local network I was on and found this peculiar node:
It seems as if this peculiar node at 192.168.44.254 on the local network might be responding to the probes destined for the droplet? A tcpdump on the host during the scan seems to suggest otherwise; rather that it is in fact the droplet responding to the host’s probes (shown below). BUT, a tcpdump simultaneously on the droplet shows no sign of contact from the host at all!
I am confused. How is the hosts port scan “tricked” into thinking the droplet is responding?
EDIT: more info about this peculiar host