nmap on my webserver shows TCP ports 554 and 7070 open

I have a webserver that hosts various websites for me. The two services that are accessible outside are SSH and Apache2. These are running on a non-standard and standard port, respectively. All other ports are closed explicitly via arno-iptables-firewall. The host is running Debian Testing.

I noticed that a scan of the host using nmap produced different results from different PCs. From my laptop on my home network (behind a BT Homehub), I get the following:

Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
7070/tcp open  realserver
9000/tcp open  cslistener

whereas scanning from a US-based server with nmap 5.00 and a Linux box in Norway running nmap 5.21 I get the following:

Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
9000/tcp open  cslistener

so I hope it's my internal network or ISP that's playing up, but I cannot be sure.

Running a netstat -l | grep 7070 produces nothing. Similarly for port 554.

Can anyone explain the peculiarities I'm seeing?


This is most likely something in the line; those 2 ports (554/7070) are for RealPlayer's RealServers.

http://service.real.com/firewall/adminfw.html


I'd be inclined to blame your ISP or something between you and your server for this. If you just want to reassure yourself that those ports really are closed, you could try to listen on those ports and if it succeeds then it's safe to assume there's nothing already listening. Here's what I'm doing on my machine (which has Apache on port 80, and nothing on port 81):

$ sudo netcat -p 80 -l --wait 1    # Apache on port 80
Error: Couldn't setup listening socket (err=-3)
$ sudo netcat -p 81 -l --wait 1    # Nothing on port 81
(Ctrl-C)

EDIT: And to be sure that this really has worked, telnet to it from another box and check that netcat is receiving what you send (you'll probably want to increase the --wait timeout).
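The same bind test as a script, run on the server itself against both ports from the question, on IPv4 and IPv6. This is an added example, not part of the original answer: the function names and status strings are made up for illustration, and probing ports below 1024 (such as 554) requires root.

```python
import errno
import socket

# Added example: function names and status strings are illustrative.
SUSPECT_PORTS = (554, 7070)  # the two ports from the question

def bind_probe(port, family=socket.AF_INET):
    """Try to take `port` on the wildcard address, as the netcat test does.

    "free"      -> bind+listen succeeded, so no local listener holds the port
    "in-use"    -> another socket already owns it (EADDRINUSE)
    "need-root" -> privileged port (<1024) and we are not root
    "no-family" -> this address family is not available on the host
    """
    host = "::" if family == socket.AF_INET6 else "0.0.0.0"
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return "no-family"
    try:
        if family == socket.AF_INET6:
            # Probe IPv6 on its own so the two families are reported separately.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        # Deliberately no SO_REUSEADDR: an existing listener must make this fail.
        sock.bind((host, port))
        sock.listen(1)
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "need-root"
        if exc.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT):
            return "no-family"
        raise
    finally:
        sock.close()

def check_ports(ports=SUSPECT_PORTS):
    """Return {port: {"ipv4": status, "ipv6": status}} for each port."""
    return {
        p: {"ipv4": bind_probe(p, socket.AF_INET),
            "ipv6": bind_probe(p, socket.AF_INET6)}
        for p in ports
    }

if __name__ == "__main__":
    for port, result in check_ports().items():
        print(port, result)
```

A numeric listing (`netstat -ltn` or `ss -ltn`) is the complementary check: without `-n`, ports are printed by service name where one is defined, so a grep for the number can miss them.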


Your router is probably to blame. I was just wondering if this was an issue with being on an OpenVZ host, and found this article: Are ports 21, 554, and 7070 open or closed? The answer is yes.

This makes sense for me, as I'm currently on a crappy FiOS Actiontec router. Any combination of nmap and netcat testing on the container and host node confirms that those ports are not really open.


Various different routers (Verizon FiOS, BT Home Hub, Apple Airport Extreme, ...) show ports 554 and 7070 as open for all IPs for some reason.

Hackerific » False positive TCP ports!