
A Debian box is running web services on ports 80 and 443 and iptables is configured to allow web traffic only from whitelisted IP addresses.

A second Debian box (that is not whitelisted) is using nmap to run a port scan against the web server and is correctly showing that all ports are closed; however, the nmap scan results sometimes include the following:

sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, X.X.X.X, 16) => Operation not permitted
Offending packet: TCP X.X.X.X:53268 > X.X.X.X:443 S ttl=43 id=46849 iplen=44  seq=955188003 win=1024 <mss 1460>

Port 80 is never mentioned in the scan results -- only port 443.

Why is port 443 (but not port 80) being exposed to nmap?

Monica For CEO

1 Answer


This looks to actually be an issue that's occurring on your second Debian box when it attempts to send the packets in question, rather than it being anything to do with the box you're scanning.

Try disabling iptables/netfilter on the second box and see if that helps.

dbr
  • You were right, iptables on the second box included `iptables -t filter -A OUTPUT -m state --state INVALID -j DROP` and changing iptables to not drop these packets eliminated the message. So nmap by default seems to be sending invalid packets when scanning port 443 but not other ports. I'm curious, how did you interpret the (somewhat cryptic) nmap message to diagnose the issue to the source of the scan? – Monica For CEO Apr 10 '15 at 01:18
  • That's a good question as it's not something I've seen before either. I had a suspicion based on the fact it looks like it's calling a function called sendto() which my dev experience suggests to me it's happening on the source. A bit of Googling and reading other people's discussions confirmed my suspicion. – dbr Apr 10 '15 at 09:31
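As an added illustration (not code from the question or the answer), the check I would run on a host whose sendto() calls fail with "Operation not permitted": scan the `iptables-save` dump for OUTPUT-chain rules that drop INVALID conntrack state, like the one found in the comment above, and build a matching LOG rule so those drops appear in the kernel log rather than only as EPERM to the sending program. The iptables-save text in the block is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Finds filter-table OUTPUT rules that silently drop packets in conntrack
# state INVALID (the rule behind the "Operation not permitted" sendto()
# error in the question) and builds a matching -j LOG rule, so such drops
# are recorded in the kernel log instead of surfacing only as EPERM.

# Constructed sample of `iptables-save` output (assumption, not a real dump).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "already logged "
COMMIT'

# Reads iptables-save text on stdin and prints each OUTPUT rule that drops
# INVALID-state packets. Handles both the legacy `-m state` match and the
# newer `-m conntrack --ctstate` match; existing LOG rules are not reported.
find_invalid_output_drops() {
    grep -E '^-A OUTPUT .*(-m state --state|-m conntrack --ctstate) [A-Z,]*INVALID' \
        | grep -E -- '-j DROP$' || true
}

# Given one "-A OUTPUT ... -j DROP" line, prints the iptables command that
# inserts a LOG rule with the same match at the top of the OUTPUT chain.
# LOG is non-terminating, so the existing DROP still applies afterwards;
# the kernel log then shows which packets the local firewall rejected.
log_rule_for() {
    match=$(printf '%s\n' "$1" | sed -e 's/^-A OUTPUT //' -e 's/ -j DROP$//')
    printf 'iptables -t filter -I OUTPUT %s -j LOG --log-prefix "OUTPUT INVALID drop: "\n' \
        "$match"
}

# Demonstration on the constructed sample. On a live host, use:
#   iptables-save | find_invalid_output_drops
printf '%s\n' "$SAMPLE_RULES" | find_invalid_output_drops | while IFS= read -r rule; do
    log_rule_for "$rule"
done
```

Once the LOG rule is in place, `dmesg` (or the kernel log) shows each outgoing packet the host's own firewall rejected, which distinguishes a local drop from filtering on the remote side.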