port scanning the droplet internally (from the droplet) gives the expected
PORT STATE SERVICE 22/tcp open ssh 3128/tcp open squid-http
but scanning remote from the host shows a discrepancy:
PORT STATE SERVICE 22/tcp open ssh 113/tcp filtered ident 135/tcp filtered msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 593/tcp filtered http-rpc-epmap 3128/tcp open squid-http
and within the span of several seconds, even more ports are filtered
Not shown: 955 closed ports, 41 filtered ports PORT STATE SERVICE 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3128/tcp open squid-http
I have two questions. First and foremost:
fuser -v -n tcp 445 lsof -i netstat -a ps -ef | grep smbd
in efforts to find the elusive processes listening on these ports, to no avail. I don’t have mamba installed either. Could someone shed any light on this issue?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Click below to sign up and get $200 of credit to try our products over 60 days!
ufwisn’t configured by default, thus any port could show up as open, filtered, etc. You’d need to configure the firewall specifically to suit your needs if you only want specific ports open.
Generally, what I recommend is doing a full reset, even if nothing has been configured. Working from a clean slate makes things easier.
ufw(just to confirm)
ufwDefault Incoming Policy
ufwDefault Outgoing Policy
Once those settings are in place, you’d want to go about adding the ports that you want to allow in, starting with SSH first so you can connect.
From there, you’d allow the ports you need for service(s). For example, if we wanted HTTP/S, we’d add 80 and 443.
Unless you’re using DNS or have a need for
udp, most all ports will be
tcp, including mail ports.
Once you’ve added all ports, you’d enable
That should take care of the mystery ports and provide you with a pretty solid foundation from which to work with.
Of course, you could just disable
ufwaltogether (first command) and use our Cloud Firewall service (which is 100% free, no added costs). You can then use it to set up similar policies and it’s actually a bit easier to use.
i have the same problem here.
I run a Linux Droplet with only port 22 open! But when i scan the droplet nmap says:
PORT STATE SERVICE 22/tcp open ssh 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds
but “lsof -i TCP:135” from inside shows nothing.
i guess they just filter those ports for all droplets at the gateway.
@jtittle Thanks for this in depth answer. Having only used iptables, ufw is uncomplicated :) I also found some information out about my first question.
I ran the port scan on the droplet from a different host(using a VPN) and I got exactly what I expected, without 139/tcp or 445/tcp:
So the problem arises from the local network. I port scanned the original local network I was on and found this peculiar node:
It seems as if this peculiar node at 192.168.44.254 on the local network might be responding to the probes destined for the droplet? A tcpdump on the host during the scan seems to suggest otherwise; rather that it is in fact the droplet responding to the host’s probes (shown below). BUT, a tcpdump simultaneously on the droplet shows no sign of contact from the host at all!
I am confused. How is the hosts port scan “tricked” into thinking the droplet is responding?
EDIT: more info about this peculiar host