si
By:
si

Ports 554 and 7070

September 14, 2013 6.7k views
Hiya, I was doing a port scan on my Droplet (as you do), and I noticed ports 554 and 7070 were open. I assumed they were part of some management interface thing, but I thought it best to make sure. Plus I'm mildly curious :P
8 Answers
OK, ignore me. I think it's something hiding on my network that's interfering.

I think you'll all find that you've got a Verizon FiOS router (or perhaps others, too) between you and the destination. I just ran into this, and I can telnet *:7070 and *:554 and get a connection, which would seem to imply that the router is intercepting traffic on those ports. Commodity hardware, baby.

Running the port scan from a remote machine does not yield these results.

554 is usually a RTSP port, and 7070 is often used by RealAudio. Do you have any video streaming service enabled in any running applications?



Nope. And even if I did, in theory my IPTables would block it.
And here's a copy of said rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [159:18184]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Actually, I've noticed those ports are open on other peoples' Droplets as well.

I'm reviving in this old thread because I'm seeing a similar quirk and wish to know whats going on. Interestingly, these ports do not get shown as open when i scan from the DO machine itself to either it's localhost or public interfaces.

[ *** From My Laptop *** ]

me@MyLaptop:~$ nmap -sV <My_DO_Server_HostName>

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-02 19:27 PST
Nmap scan report for <My_DO_Server_HostName> (<My_DO_Server_IP>)
Host is up (0.046s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
554/tcp open tcpwrapped
7070/tcp open tcpwrapped

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds
me@MyLaptopr:~$ nc -v <My_DO_Server_HostName> 21
Connection to <My_DO_Server_HostName> 21 port [tcp/ftp] succeeded!
me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 554
Connection to <My_DO_Server_HostName> 554 port [tcp/rtsp] succeeded!
me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 7070
Connection to <My_DO_Server_HostName> 7070 port [tcp/arcp] succeeded!

[ *** On DO VM *** ]
me@MyDOVM:~$ sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:<sshd port> 0.0.0.0:* LISTEN 4655/sshd
tcp 0 384 <DO VM IP>:<sshd port> <Laptop IP>:40251 ESTABLISHED 1391/sshd: <My user>
tcp6 0 0 :::<sshd port> :::* LISTEN 4655/sshd

Regards :)

I'm afraid I don't have an explanation for this, but I've noticed the behaviour as well. I think that DigitalOcean perhaps catches this traffic before it reaches the VM for whatever reason.

Edit: Upon further investigation, I've found that it may well be interference between us and the datacentres hosting our droplets. In several other threads people place the blame on the ISP, which seems like a reasonable assumption to me.

Various different routers (Verizon FiOS, BT Home Hub, Apple Airport Extreme, ...) show ports 554 and 7070 as open for all IPs for some reason.

Hackerific » False positive TCP ports!

Have another answer? Share your knowledge.