I think you’ll all find that you’ve got a Verizon FiOS router (or perhaps others, too) between you and the destination. I just ran into this, and I can telnet *:7070 and *:554 and get a connection, which would seem to imply that the router is intercepting traffic on those ports. Commodity hardware, baby.
Running the port scan from a remote machine does not yield these results.
I’m reviving in this old thread because I’m seeing a similar quirk and wish to know whats going on. Interestingly, these ports do not get shown as open when i scan from the DO machine itself to either it’s localhost or public interfaces.
[ *** From My Laptop *** ]
me@MyLaptop:~$ nmap -sV <My_DO_Server_HostName>
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-02 19:27 PST
Nmap scan report for <My_DO_Server_HostName> (<My_DO_Server_IP>)
Host is up (0.046s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
554/tcp open tcpwrapped
7070/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds
me@MyLaptopr:~$ nc -v <My_DO_Server_HostName> 21
Connection to <My_DO_Server_HostName> 21 port [tcp/ftp] succeeded!
me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 554
Connection to <My_DO_Server_HostName> 554 port [tcp/rtsp] succeeded!
me@MyLaptop:~$ nc -v <My_DO_Server_HostName> 7070
Connection to <My_DO_Server_HostName> 7070 port [tcp/arcp] succeeded!
[ *** On DO VM *** ]
me@MyDOVM:~$ sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:<sshd port> 0.0.0.0:* LISTEN 4655/sshd
tcp 0 384 <DO VM IP>:<sshd port> <Laptop IP>:40251 ESTABLISHED 1391/sshd: <My user>
tcp6 0 0 :::<sshd port> :::* LISTEN 4655/sshd
I’m afraid I don’t have an explanation for this, but I’ve noticed the behaviour as well. I think that DigitalOcean perhaps catches this traffic before it reaches the VM for whatever reason.
Edit: Upon further investigation, I’ve found that it may well be interference between us and the datacentres hosting our droplets. In several other threads people place the blame on the ISP, which seems like a reasonable assumption to me.