You should know that Windows XP (and probably other versions) has an internal wrapper for FTP connections (the purpose of this is to try to allow PORT command to complete successfully, even behind a firewall or a router).
This wrapper intercepts any connection to any host on port 21, so it can monitor it and try to open the incoming port of a PORT command issued by the client.
This wrapper also has a side effect: as it intercepts any connection to a port 21, it sends a signal that the connection has been established to the software, which will see the connection as established, but the connection is really established only to Windows's internal wrapper.
The wrapper then tries to open the connection to the real host, and if it timeouts, then it sends a signal to the software that the connection has been lost. The software will see the connection as lost.
Summing this up, the software believes a connection has been successfully established, then lost, but no real connection has been established.
So, in your case, what happens: you run nmap. Nmap tries to connect to your server on port 21. Windows's wrapper intercepts the connection. Nmap "thinks" it is connected to your server (but it's only connected to the wrapper), and reports the port as opened.
You can confirm this by typing in a command line:
ftp 4.3.2.1
You'll see:
C:>ftp 4.3.2.1
Connected to 4.3.2.1.
Connection closed by foreign host.
You can try any valid IP, ftp will always connect, and disconnect shortly after, whereas it should report "Connection timed out".
I never saw any documentation about this. After many investigation, I discovered this strange behavior, and after more investigation, discovered why it is here.
Well, the conclusion of this (big) answer is that the port 21 of your server is definitely closed, as netstat reports, and nmap is fooled by this behaviour.
Best Answer
In depsite of people got used to
netstat
for such kind of operations, it's good to know, that Linux has another great (and, actually superior) networking tool —ss
. For e. g., to find out which process has opened port 80 you run it so:sudo ss -pt state listening 'sport = :80'
so there's no need to pipe through external filters. Surely it has lots more useful knobs, so get yourself familiar with it.
For completeness sake and since recently I came across
man fuser
, I can also mention:sudo fuser 80/tcp
— this one also saves you from tinkering atcut
/grep
/awk
… keep in mind this notation is a short-cut, in case there's an ambiguity, you should use one of namespaces allowed with-n …
, likesudo fuser -n tcp 80
sudo lsof -n -sTCP:LISTEN -i:80
— was pointed out by @wallenborn. Meanwhile-n
is not strictly required it's strongly advised since otherwise it uses DNS resolving which usualy slows down output terribly.