port scan externally reveals open port, from inside those ports are closed

August 10, 2017 140 views
Networking Firewall DigitalOcean Security Ubuntu 16.04

port scanning the droplet internally (from the droplet) gives the expected

22/tcp   open  ssh
3128/tcp open  squid-http

but scanning remote from the host shows a discrepancy:

22/tcp   open     ssh
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
593/tcp  filtered http-rpc-epmap
3128/tcp open     squid-http

and within the span of several seconds, even more ports are filtered

Not shown: 955 closed ports, 41 filtered ports
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http

I have two questions. First and foremost:

  1. Why are ports 139 and 445 showing up as open when scanned externally? I tried commands like

    fuser -v -n tcp 445
    lsof -i
    netstat -a
    ps -ef | grep smbd

    in efforts to find the elusive processes listening on these ports, to no avail. I don't have mamba installed either. Could someone shed any light on this issue?

  2. Why are certain ports being filtered when scanning the droplet externally from host? I have no iptables or firewall rules set in place. Is this DigitalOcean performing filtering at the router?

2 Answers
jtittle MOD August 10, 2017
Accepted Answer


On Ubuntu, ufw isn't configured by default, thus any port could show up as open, filtered, etc. You'd need to configure the firewall specifically to suit your needs if you only want specific ports open.

Generally, what I recommend is doing a full reset, even if nothing has been configured. Working from a clean slate makes things easier.

Disable ufw (just to confirm)

ufw --force disable

Reset ufw

ufw --force reset

Configure ufw Default Incoming Policy

ufw default deny incoming

Configure ufw Default Outgoing Policy

ufw default allow outgoing

Once those settings are in place, you'd want to go about adding the ports that you want to allow in, starting with SSH first so you can connect.

ufw allow 22/tcp

From there, you'd allow the ports you need for service(s). For example, if we wanted HTTP/S, we'd add 80 and 443.

ufw allow 80/tcp
ufw allow 443/tcp

Unless you're using DNS or have a need for udp, most all ports will be tcp, including mail ports.

Once you've added all ports, you'd enable ufw.

ufw --force enable

That should take care of the mystery ports and provide you with a pretty solid foundation from which to work with.

Of course, you could just disable ufw altogether (first command) and use our Cloud Firewall service (which is 100% free, no added costs). You can then use it to set up similar policies and it's actually a bit easier to use.

@jtittle Thanks for this in depth answer. Having only used iptables, ufw is uncomplicated :) I also found some information out about my first question.

I ran the port scan on the droplet from a different host(using a VPN) and I got exactly what I expected, without 139/tcp or 445/tcp:

Not shown: 998 closed ports
22/tcp   open  ssh
3128/tcp open  squid-http

So the problem arises from the local network. I port scanned the original local network I was on and found this peculiar node:

Nmap scan report for
Host is up (0.010s latency).
Not shown: 998 closed ports
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

It seems as if this peculiar node at on the local network might be responding to the probes destined for the droplet? A tcpdump on the host during the scan seems to suggest otherwise; rather that it is in fact the droplet responding to the host's probes (shown below). BUT, a tcpdump simultaneously on the droplet shows no sign of contact from the host at all!

03:44:31.707523 IP host.51608 > droplet.netbios-ssn: Flags [S], seq 3969889920, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1121358442 ecr 0,sackOK,eol], length 0
03:44:31.711837 IP droplet.netbios-ssn > host.51608: Flags [S.], seq 2457449710, ack 3969889921, win 14480, options [mss 1460,sackOK,TS val 36443520 ecr 1121358442,nop,wscale 5], length 0
03:44:31.711870 IP host.51608 > droplet.netbios-ssn: Flags [.], ack 1, win 4117, options [nop,nop,TS val 1121358446 ecr 36443520], length 0
03:44:31.711995 IP host.51608 > droplet.netbios-ssn: Flags [R.], seq 1, ack 1, win 4117, length 0

I am confused. How is the hosts port scan "tricked" into thinking the droplet is responding?

EDIT: more info about this peculiar host

$ smbutil status
Using IP address of
Workgroup: HITRON
Have another answer? Share your knowledge.