Brohemian
By:
Brohemian

Why are these ports showing up with a nmap scan?

March 3, 2015 3k views

I just scanned my droplet with nmap:

What is this crap:

135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap

I didn't install anything on those ports. I've seen this before with other hosts I've used. My only guess is that it's Microsoft stuff, that is a common problem, and Digital Ocean is blocking it at the router?

5 comments
  • Can you provide a bit more information? What OS are you running on your droplet? Did you create it from a one-click image or a stock OS image?

  • It's just an Ubuntu droplet. The only think that should be open is 22 and 80.

  • I'm seeing the same thing on my Ubuntu 14.04 VM.

    nmap open port list is
    PORT STATE SERVICE
    22/tcp open ssh
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds

    sudo lsof shows only port 22 as LISTENING on the internet IP interface (eth0).

    Whats going on here?

  • I didn't notice the 'filtered' status until just now. Looks like DO is intentionally filtering these ports, which makes sense.

  • nmap -PN <host> (from workstation)
    21/tcp open ftp
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    222/tcp open rsh-spx
    443/tcp open https
    993/tcp open imaps
    995/tcp open pop3s

    Should only be SSH (diff port), HTTP, HTTPS

    netstat -anltv | grep LISTEN (on CLI on localhost/server)

    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp6 0 0 :::222 :::* LISTEN

    Looks correct here. So, why are 993, 995, 143, 110 and scary 21 all showing open?

    Here's my firewall status

    ufw status

    Status: active

    To Action From


    222/tcp ALLOW Anywhere
    80/tcp ALLOW Anywhere
    Nginx Full ALLOW Anywhere
    21 DENY Anywhere
    993 DENY Anywhere
    995 DENY Anywhere
    143 DENY Anywhere
    110 DENY Anywhere

    That makes no difference to nmap output

    Can some one from DO explain please?

Be the first one to answer this question.