When I execute "nmap -sT -O localhost" per the Centos 5 deployment guide, I get:
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
which makes sense. But when I execute "sudo nmap -sT -O -Pn my.ip.address" from another machine, I get:
Not shown: 917 filtered ports
PORT STATE SERVICE
7/tcp open echo
21/tcp open ftp
22/tcp open ssh
70/tcp open gopher
83/tcp open mit-ml-dev
139/tcp closed netbios-ssn
306/tcp open unknown
366/tcp open odmr
445/tcp closed microsoft-ds
465/tcp open smtps
513/tcp open login
541/tcp open uucp-rlogin
554/tcp open rtsp
700/tcp open epp
705/tcp open agentx
901/tcp open samba-swat
992/tcp open telnets
1002/tcp open windows-icfw
1010/tcp open surf
1027/tcp open IIS
1059/tcp open nimreg
1094/tcp open rootd
1108/tcp open ratio-adp
1113/tcp open ltp-deepspace
1151/tcp open unizensus
1152/tcp open winpoplanmess
1443/tcp open ies-lm
1455/tcp open esl-lm
1494/tcp open citrix-ica
1717/tcp open fj-hdnet
1783/tcp open unknown
2323/tcp open 3d-nfsd
2394/tcp open ms-olap2
2492/tcp open groove
2557/tcp open nicetec-mgmt
2604/tcp open ospfd
2701/tcp open sms-rcinfo
3128/tcp open squid-http
3260/tcp open iscsi
3283/tcp open netassistant
3390/tcp open dsc
3766/tcp open unknown
3998/tcp open dnx
4002/tcp open mlchat-proxy
5050/tcp open mmcc
5120/tcp open unknown
5190/tcp open aol
5550/tcp open sdadmind
5631/tcp open pcanywheredata
5815/tcp open unknown
5822/tcp open unknown
5922/tcp open unknown
6692/tcp open unknown
6901/tcp open jetstream
7019/tcp open unknown
7070/tcp open realserver
7435/tcp open unknown
7938/tcp open lgtomapper
8002/tcp open teradataordbms
8010/tcp open xmpp
8085/tcp open unknown
8194/tcp open sophos
8254/tcp open unknown
8300/tcp open tmi
9002/tcp open dynamid
9594/tcp open msgsys
9929/tcp open nping-echo
10025/tcp open unknown
10243/tcp open unknown
10626/tcp open unknown
10778/tcp open unknown
12174/tcp open unknown
16012/tcp open unknown
18101/tcp open unknown
20000/tcp open dnp
20005/tcp open btx
24800/tcp open unknown
32768/tcp open filenet-tms
32777/tcp open sometimes-rpc17
32783/tcp open unknown
50001/tcp open unknown
50500/tcp open unknown
54328/tcp open unknown
Huh!? The strangest thing is that some ports that are not allowed through the firewall are closed (like netbios-ssn) and others are open (ftp). In fact, the ftp service is not even installed on my machine.
My ipTable looks like this:
Chain INPUT (policy DROP 531K packets, 178M bytes)
pkts bytes target prot opt in out source destination
6907 339K ACCEPT all -- lo any anywhere anywhere
115K 27M ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
42398 45M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 164K packets, 30M bytes)
pkts bytes target prot opt in out source destination
UPDATE: my real question is – can I assume that, since the local nmap only shows three services listening, that I don't have to worry about all the extra entries returned by the remote nmap? IOW, can there be other processes listening that were not reported by the local nmap?
Best Answer
Programs can bind to localhost and not the external interface, or the other way around. The external view is the more accurate one (assuming there's nothing in the middle doing something clever).
Can you, from that other machine, connect to any of those other ports?
You can also use
lsof -i -n -P | grep LIST
to see what processes are listening on ports on your machine. See if the results of that correlate better with eithernmap
output.