3

When I execute "nmap -sT -O localhost" per the Centos 5 deployment guide, I get:

Not shown: 1677 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

which makes sense. But when I execute "sudo nmap -sT -O -Pn my.ip.address" from another machine, I get:

Not shown: 917 filtered ports
PORT      STATE  SERVICE
7/tcp     open   echo
21/tcp    open   ftp
22/tcp    open   ssh
70/tcp    open   gopher
83/tcp    open   mit-ml-dev
139/tcp   closed netbios-ssn
306/tcp   open   unknown
366/tcp   open   odmr
445/tcp   closed microsoft-ds
465/tcp   open   smtps
513/tcp   open   login
541/tcp   open   uucp-rlogin
554/tcp   open   rtsp
700/tcp   open   epp
705/tcp   open   agentx
901/tcp   open   samba-swat
992/tcp   open   telnets
1002/tcp  open   windows-icfw
1010/tcp  open   surf
1027/tcp  open   IIS
1059/tcp  open   nimreg
1094/tcp  open   rootd
1108/tcp  open   ratio-adp
1113/tcp  open   ltp-deepspace
1151/tcp  open   unizensus
1152/tcp  open   winpoplanmess
1443/tcp  open   ies-lm
1455/tcp  open   esl-lm
1494/tcp  open   citrix-ica
1717/tcp  open   fj-hdnet
1783/tcp  open   unknown
2323/tcp  open   3d-nfsd
2394/tcp  open   ms-olap2
2492/tcp  open   groove
2557/tcp  open   nicetec-mgmt
2604/tcp  open   ospfd
2701/tcp  open   sms-rcinfo
3128/tcp  open   squid-http
3260/tcp  open   iscsi
3283/tcp  open   netassistant
3390/tcp  open   dsc
3766/tcp  open   unknown
3998/tcp  open   dnx
4002/tcp  open   mlchat-proxy
5050/tcp  open   mmcc
5120/tcp  open   unknown
5190/tcp  open   aol
5550/tcp  open   sdadmind
5631/tcp  open   pcanywheredata
5815/tcp  open   unknown
5822/tcp  open   unknown
5922/tcp  open   unknown
6692/tcp  open   unknown
6901/tcp  open   jetstream
7019/tcp  open   unknown
7070/tcp  open   realserver
7435/tcp  open   unknown
7938/tcp  open   lgtomapper
8002/tcp  open   teradataordbms
8010/tcp  open   xmpp
8085/tcp  open   unknown
8194/tcp  open   sophos
8254/tcp  open   unknown
8300/tcp  open   tmi
9002/tcp  open   dynamid
9594/tcp  open   msgsys
9929/tcp  open   nping-echo
10025/tcp open   unknown
10243/tcp open   unknown
10626/tcp open   unknown
10778/tcp open   unknown
12174/tcp open   unknown
16012/tcp open   unknown
18101/tcp open   unknown
20000/tcp open   dnp
20005/tcp open   btx
24800/tcp open   unknown
32768/tcp open   filenet-tms
32777/tcp open   sometimes-rpc17
32783/tcp open   unknown
50001/tcp open   unknown
50500/tcp open   unknown
54328/tcp open   unknown

Huh!? The strangest thing is that some ports that are not allowed through the firewall are closed (like netbios-ssn) and others are open (ftp). In fact, the ftp service is not even installed on my machine.

My ipTable looks like this:

Chain INPUT (policy DROP 531K packets, 178M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6907  339K ACCEPT     all  --  lo     any     anywhere             anywhere            
 115K   27M ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
42398   45M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 164K packets, 30M bytes)
 pkts bytes target     prot opt in     out     source               destination

UPDATE: my real question is - can I assume that, since the local nmap only shows three services listening, that I don't have to worry about all the extra entries returned by the remote nmap? IOW, can there be other processes listening that were not reported by the local nmap?

Sean DeNigris
  • 133
  • 1
  • 5
  • 1
    Is there a firewall between the two devices when you do the remote scan? – Shane Madden Jun 08 '11 at 18:27
  • Yes, some "clever" routers may spoof security holes. – HUB Jun 08 '11 at 18:29
  • I'm sending the remote command from a Mac which has a firewall, my LAN's internet connection passes through an Airport Express, and the nmapped box has the iptables settings I listed above. But my real question is - can I assume that, since the local nmap only shows three services listening, that I don't have to worry about all the extra entries returned by the remote nmap? – Sean DeNigris Jun 08 '11 at 18:35

1 Answers1

2

Programs can bind to localhost and not the external interface, or the other way around. The external view is the more accurate one (assuming there's nothing in the middle doing something clever).

Can you, from that other machine, connect to any of those other ports?

You can also use lsof -i -n -P | grep LIST to see what processes are listening on ports on your machine. See if the results of that correlate better with either nmap output.

Bill Weiss
  • 10,979
  • 3
  • 38
  • 66
  • lsof shows the same result as the internal nmap (only ssh, apache, and the service as 8080). – Sean DeNigris Jun 08 '11 at 20:14
  • But given my iptables rules, which only allow new connections on localhost and 22 for ssh, how could any of these ports really be open? – Sean DeNigris Jun 08 '11 at 20:18
  • Well, the bad news possibility is that your machine is compromised and now lies to you about what you have open. Another likely possibility is that you have some goofy firewall/router thing between your machines which mangles the nmap output. Since you're using `-sT`, however, that means that nmap _thinks_ it has made a connection to each of those ports. – Bill Weiss Jun 08 '11 at 20:29
  • +1: Programs can bind to 127.0.0.1 or 192.168.1.2, or both, or neither. If you nmap 127.0.0.1, and then nmap 192.168.1.2 those are totally different animals, even if both addresses belong to the same machine. – Satanicpuppy Jun 08 '11 at 21:36
  • So if my iptables are configured correctly to drop everything except ssh (22) and apache (80) packets, can I ignore the extra nmap results? I.e. nothing can get around the iptables rules, right? – Sean DeNigris Jun 10 '11 at 13:17
  • If you're confident your machine isn't compromised, sure. I'd look until you can point at a thing on your network that causes these results. – Bill Weiss Jun 30 '11 at 19:32