port scanning the droplet internally (from the droplet) gives the expected
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
but scanning remote from the host shows a discrepancy:
PORT STATE SERVICE
22/tcp open ssh
113/tcp filtered ident
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp filtered http-rpc-epmap
3128/tcp open squid-http
and within the span of several seconds, even more ports are filtered
Not shown: 955 closed ports, 41 filtered ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
I have two questions. First and foremost:
fuser -v -n tcp 445
lsof -i
netstat -a
ps -ef | grep smbd
in efforts to find the elusive processes listening on these ports, to no avail. I don’t have mamba installed either. Could someone shed any light on this issue?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
@drs5ma
On Ubuntu,
ufw
isn’t configured by default, thus any port could show up as open, filtered, etc. You’d need to configure the firewall specifically to suit your needs if you only want specific ports open.Generally, what I recommend is doing a full reset, even if nothing has been configured. Working from a clean slate makes things easier.
Disable
ufw
(just to confirm)Reset
ufw
Configure
ufw
Default Incoming PolicyConfigure
ufw
Default Outgoing PolicyOnce those settings are in place, you’d want to go about adding the ports that you want to allow in, starting with SSH first so you can connect.
From there, you’d allow the ports you need for service(s). For example, if we wanted HTTP/S, we’d add 80 and 443.
Unless you’re using DNS or have a need for
udp
, most all ports will betcp
, including mail ports.Once you’ve added all ports, you’d enable
ufw
.That should take care of the mystery ports and provide you with a pretty solid foundation from which to work with.
Of course, you could just disable
ufw
altogether (first command) and use our Cloud Firewall service (which is 100% free, no added costs). You can then use it to set up similar policies and it’s actually a bit easier to use.i have the same problem here.
I run a Linux Droplet with only port 22 open! But when i scan the droplet nmap says:
PORT STATE SERVICE 22/tcp open ssh 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds
but “lsof -i TCP:135” from inside shows nothing.
i guess they just filter those ports for all droplets at the gateway.
@jtittle Thanks for this in depth answer. Having only used iptables, ufw is uncomplicated :) I also found some information out about my first question.
I ran the port scan on the droplet from a different host(using a VPN) and I got exactly what I expected, without 139/tcp or 445/tcp:
So the problem arises from the local network. I port scanned the original local network I was on and found this peculiar node:
It seems as if this peculiar node at 192.168.44.254 on the local network might be responding to the probes destined for the droplet? A tcpdump on the host during the scan seems to suggest otherwise; rather that it is in fact the droplet responding to the host’s probes (shown below). BUT, a tcpdump simultaneously on the droplet shows no sign of contact from the host at all!
I am confused. How is the hosts port scan “tricked” into thinking the droplet is responding?
EDIT: more info about this peculiar host