Ports 554 and 7070

Question

Hiya, I was doing a port scan on my Droplet (as you do), and I noticed ports 554 and 7070 were open.I assumed they were part of some management interface thing, but I thought it best to make sure. Plus I’m mildly curious :P

peter621086 · Answer

I think you’ll all find that you’ve got a Verizon FiOS router (or perhaps others, too) between you and the destination. I just ran into this, and I can telnet *:7070 and *:554 and get a connection, which would seem to imply that the router is intercepting traffic on those ports. Commodity hardware, baby.

Running the port scan from a remote machine does not yield these results.

si · Answer

OK, ignore me. I think it’s something hiding on my network that’s interfering.

ZazB · Answer

Various different routers (Verizon FiOS, BT Home Hub, Apple Airport Extreme, …) show ports 554 and 7070 as open for all IPs for some reason. Hackerific » False positive TCP ports!

Blieque Mariguan · Answer

I’m afraid I don’t have an explanation for this, but I’ve noticed the behaviour as well. I think that DigitalOcean perhaps catches this traffic before it reaches the VM for whatever reason.

Edit: Upon further investigation, I’ve found that it may well be interference between us and the datacentres hosting our droplets. In several other threads people place the blame on the ISP, which seems like a reasonable assumption to me.

mark938341 · Answer

I’m reviving in this old thread because I’m seeing a similar quirk and wish to know whats going on. Interestingly, these ports do not get shown as open when i scan from the DO machine itself to either it’s localhost or public interfaces.

[ *** From My Laptop *** ]

me@MyLaptop:~$ nmap -sV <My_DO_Server_HostName>

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-02 19:27 PST Nmap scan report for <My_DO_Server_HostName> (<My_DO_Server_IP>) Host is up (0.046s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open tcpwrapped 554/tcp open tcpwrapped 7070/tcp open tcpwrapped

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds me@MyLaptopr:~$ nc -v <My_DO_Server_HostName> 21 Connection to <My_DO_Server_HostName> 21 port [tcp/ftp] succeeded! me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 554 Connection to <My_DO_Server_HostName> 554 port [tcp/rtsp] succeeded! me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 7070 Connection to <My_DO_Server_HostName> 7070 port [tcp/arcp] succeeded!

[ *** On DO VM *** ] me@My_DO_VM:~$ sudo netstat -plant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:<sshd port> 0.0.0.0:* LISTEN 4655/sshd tcp 0 384 <DO VM IP>:<sshd port> <Laptop IP>:40251 ESTABLISHED 1391/sshd: <My user> tcp6 0 0 :::<sshd port> :::* LISTEN 4655/sshd

Regards :)

si · Answer

Actually, I’ve noticed those ports are open on other peoples’ Droplets as well.

si · Answer

Nope. And even if I did, in theory my IPTables would block it.
And here’s a copy of said rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [159:18184]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Will Rowe · Answer

554 is usually a RTSP port, and 7070 is often used by RealAudio. Do you have any video streaming service enabled in any running applications?

Question

Ports 554 and 7070