By drs5ma
port scanning the droplet internally (from the droplet) gives the expected
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
but scanning remote from the host shows a discrepancy:
PORT STATE SERVICE
22/tcp open ssh
113/tcp filtered ident
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp filtered http-rpc-epmap
3128/tcp open squid-http
and within the span of several seconds, even more ports are filtered
Not shown: 955 closed ports, 41 filtered ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
I have two questions. First and foremost:
- Why are ports 139 and 445 showing up as open when scanned externally? I tried commands like
fuser -v -n tcp 445
lsof -i
netstat -a
ps -ef | grep smbd
in efforts to find the elusive processes listening on these ports, to no avail. I don’t have mamba installed either. Could someone shed any light on this issue?
- Why are certain ports being filtered when scanning the droplet externally from host? I have no iptables or firewall rules set in place. Is this DigitalOcean performing filtering at the router?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
On Ubuntu, ufw isn’t configured by default, thus any port could show up as open, filtered, etc. You’d need to configure the firewall specifically to suit your needs if you only want specific ports open.
Generally, what I recommend is doing a full reset, even if nothing has been configured. Working from a clean slate makes things easier.
Disable ufw (just to confirm)
ufw --force disable
Reset ufw
ufw --force reset
Configure ufw Default Incoming Policy
ufw default deny incoming
Configure ufw Default Outgoing Policy
ufw default allow outgoing
Once those settings are in place, you’d want to go about adding the ports that you want to allow in, starting with SSH first so you can connect.
ufw allow 22/tcp
From there, you’d allow the ports you need for service(s). For example, if we wanted HTTP/S, we’d add 80 and 443.
ufw allow 80/tcp
ufw allow 443/tcp
Unless you’re using DNS or have a need for udp, most all ports will be tcp, including mail ports.
Once you’ve added all ports, you’d enable ufw.
ufw --force enable
That should take care of the mystery ports and provide you with a pretty solid foundation from which to work with.
Of course, you could just disable ufw altogether (first command) and use our Cloud Firewall service (which is 100% free, no added costs). You can then use it to set up similar policies and it’s actually a bit easier to use.
@jtittle Thanks for this in depth answer. Having only used iptables, ufw is uncomplicated :) I also found some information out about my first question.
I ran the port scan on the droplet from a different host(using a VPN) and I got exactly what I expected, without 139/tcp or 445/tcp:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
So the problem arises from the local network. I port scanned the original local network I was on and found this peculiar node:
Nmap scan report for 192.168.44.254
Host is up (0.010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
It seems as if this peculiar node at 192.168.44.254 on the local network might be responding to the probes destined for the droplet? A tcpdump on the host during the scan seems to suggest otherwise; rather that it is in fact the droplet responding to the host’s probes (shown below). BUT, a tcpdump simultaneously on the droplet shows no sign of contact from the host at all!
03:44:31.707523 IP host.51608 > droplet.netbios-ssn: Flags [S], seq 3969889920, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1121358442 ecr 0,sackOK,eol], length 0
03:44:31.711837 IP droplet.netbios-ssn > host.51608: Flags [S.], seq 2457449710, ack 3969889921, win 14480, options [mss 1460,sackOK,TS val 36443520 ecr 1121358442,nop,wscale 5], length 0
03:44:31.711870 IP host.51608 > droplet.netbios-ssn: Flags [.], ack 1, win 4117, options [nop,nop,TS val 1121358446 ecr 36443520], length 0
03:44:31.711995 IP host.51608 > droplet.netbios-ssn: Flags [R.], seq 1, ack 1, win 4117, length 0
I am confused. How is the hosts port scan “tricked” into thinking the droplet is responding?
EDIT: more info about this peculiar host
$ smbutil status 192.168.44.254
Using IP address of 192.168.44.254: 192.168.44.254
Workgroup: HITRON
Server: INTEL_CE_LINUX
i have the same problem here.
I run a Linux Droplet with only port 22 open! But when i scan the droplet nmap says:
PORT STATE SERVICE 22/tcp open ssh 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds
but “lsof -i TCP:135” from inside shows nothing.
i guess they just filter those ports for all droplets at the gateway.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.