[CentOS] nmap showing lots of ports open that shouldn't be

Sun Feb 12 23:03:41 UTC 2006
Jim Bassett <jim at datamantic.com>

On Feb 12, 2006, at 5:15 PM, Scot L. Harris wrote:

> On Sun, 2006-02-12 at 17:09 -0500, Jim Bassett wrote:
>> On Feb 12, 2006, at 4:56 PM, Steve Bergman wrote:
>>
>>> Jim Bassett wrote:
>>>
>>>>
>>>> Is it over reacting to pull the plug and start over?
>>>
>>>
>>> Silly question.  You are certain that the machine you are probing
>>> is your machine, right?  The ip address of you cable modem hasn't
>>> changed without you knowing it, etc?  (I've done sillier things,
>>> which is why I ask.)
>>>
>>> It's odd that smtp shows to be open, e.g.  Even without the
>>> firewall, isn't sendmail configured only to listen on 127.0.0.1?
>>>
>>> -Steve
>>
>> I've done sillier things in the past. But I am probing the right
>> machine. It is colocated on a static IP. I just ran it again.
>>
>> The machine I am using to run nmap is connected to the net through a
>> friend's base station and I don't know anything about his setup. But I
>> can successfully surf, send mail, and ssh into my server. Is there
>> any chance that even though I am specifying my server IP in nmap that
>> it is instead scanning my friend's machine on my local network?
>>
>> About smtp: I did just install a mail server, so I guess that is why
>> smtp is open. But I didn't explicitly open the port myself. I can see
>> in netstat that a bunch of stuff is open for mail (and spam assassin
>> and clamav.) Maybe that install messed with iptables?
>
> Another possibility:  Is there a firewall or server in front of the
> machine you think you are scanning?   Is the IP address you are scanning
> configured directly on that machine or are you using a NATed address?
>
> Have seen cases before where a machine in an ISP would report odd ports
> open but that was on the ISPs firewall that sits in front of the actual
> machine.
>
> But based on the iptables rules you posted it looks like the order of
> the rules is the problem.  The first two rules allow everything through.
> Check the contents of /etc/sysconfig/iptables, that is where the rules
> should be saved.
>
>

The machine is in a colocation facility. I'm not sure exactly what  
that means in terms of firewalls. The IP address is configured  
directly on the machine.

I am beginning to think you are right and the nmap results I am  
seeing are not really for the IP address I am attempting to scan. I  
tried it against another server that I know is locked down and it  
reported tons of open ports (although not exactly the same ones as on  
the machine in question here.)

What is the canonical way to get a list of all open ports from the  
command line? Or maybe it's not so straightforward?

Someone else suggested running netstat -a | grep LISTEN, and that  
indeed shows only services I would expect.

I understand that iptables is very powerful, and therefore not the  
easiest tool to use. But I would guess that the setup I want is  
pretty standard. I've found a bunch of info in google and I am  
digging in, but are there some iptables cookbook type recipes for a  
basic web/mail/dns server anyone could point me to?

Thanks for all the replies.
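One way to settle the question raised above, whether the nmap results really describe the colocated server, as an added example that is not from this thread or from any list member: it parses the host's own `netstat -an | grep LISTEN` output (numeric form, assumed) and one grepable `nmap -oG -` host line, both constructed here, and flags scanned-open ports with no local listener, which is the signature of a NAT device or upstream firewall answering instead of the server.

```python
import re
from collections import defaultdict
# Constructed sample of `netstat -an | grep LISTEN` on the server; 783/3310 stand in for loopback-only spamd/clamd.
NETSTAT_LISTEN = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN
"""
# Constructed sample of one host line from `nmap -oG -` (grepable output).
NMAP_GREPABLE = ("Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, "
                 "25/open/tcp//smtp///, 80/open/tcp//http///, "
                 "135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///")

def parse_netstat_listen(text):
    """Map each listening TCP port to the local addresses it is bound to."""
    bound = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue  # skip headers and unix sockets (state "LISTENING")
        addr, port = f[3].rsplit(":", 1)  # also splits ":::22" into "::" and "22"
        bound[int(port)].add(addr)
    return dict(bound)

def parse_nmap_grepable(line):
    """Return the TCP ports an nmap grepable host line reports as open."""
    return {int(p) for p in re.findall(r"(\d+)/open/tcp", line)}

def reconcile(netstat_text, nmap_line):
    """Classify scanned ports against what the host itself is listening on."""
    bound = parse_netstat_listen(netstat_text)
    scanned = parse_nmap_grepable(nmap_line)
    # Only sockets bound to a non-loopback address can answer a remote scan.
    exposed = {p for p, a in bound.items() if any(not x.startswith("127.") for x in a)}
    return {"confirmed": scanned & exposed,    # listening here and seen from outside
            "unexplained": scanned - exposed,  # open in the scan, no local listener
            "filtered": exposed - scanned}     # listening here, blocked on the way in

def verdict(result):
    """A port cannot be open from outside with nothing listening: something else answered."""
    if result["unexplained"]:
        return "scan answered by another device (NAT, upstream firewall, or wrong target)"
    return "scan consistent with local listeners"

if __name__ == "__main__":
    r = reconcile(NETSTAT_LISTEN, NMAP_GREPABLE)
    print({k: sorted(v) for k, v in r.items()}, verdict(r))
```

The "filtered" set is the one to read next against /etc/sysconfig/iptables: a service listening on all interfaces that the scan cannot see is being dropped somewhere on the path, which is the expected state for anything not deliberately published.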