NMAP: All ports open?


NMAP launched to TOS 5.1.8 shows filtered ports only: 25, 139, 445, 465, 587, 3306, 5432.
All other ports as open.
How is this possible?

Are you testing “from outside”, i.e. from a device in the internet and outside your LAN?

Of course, from the outside (from the internet).
I didn’t change anything in the firewall, factory default.

Okay, can you share your /etc/config/firewall and /etc/config/network… maybe somebody will figure out something… But this definitely isn’t a standard behavior.

This is weird :frowning:
The scan run from the computer gives the results as I wrote in the first post.
But scans run from online scanners (for example https://hackertarget.com/nmap-online-port-scanner/ or https://www.itexperst.at/online-portscanner-nmap or https://nmap.online) show ports closed or filtered (that is properly).

1 Like

VPN? Forgotten Wifi? DMZ?

This looks like a false positive.

Log in to your Turris Omnia via the CLI, and enter ss -tulpn | grep "listen". The output shows all listening services. Lines with or [::1] are local services without an open port. All services with or * should have open ports.

On my Turris, there are 22/tcp (SSH), 53/tcp (kresd DNS), 80/tcp (Lighttpd Webmanagement HTTP) and 443/tcp (Lighttpd Webmanagement via HTTPS).

One thing is having a running service listening on an open port, and the other is blocking access to the port from WAN. These are two separate things and I think what this thread is about is the latter…

1 Like

are you sure the others are open, not closed?

Nmap scan report for xxx (yyy)
Host is up (0.24s latency).
Not shown: 987 closed ports
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
179/tcp  filtered bgp
443/tcp  open     https
587/tcp  open     submission
646/tcp  filtered ldp
711/tcp  filtered cisco-tdp
2525/tcp open     ms-v-worlds

On my TO, this command gives the answer: Cannot open netlink socket: Protocol not supported

Yes - open.

But I noticed a strange behavior of nmap, or I don’t understand how it works:

Command: nmap -p 23 -Pn myIP or nmap -sT -p 23 -Pn myIP
23 / tcp open telnet

Command: nmap -sA -p 23 -Pn myIP
23 / tcp unfiltered telnet

Command: nmap -sF -p 23 -Pn myIP
23 / tcp open|filtered telnet

Is there anyone here who understands nmap well?

You can use this site, it is usually not too bad
The result of nmap are sometime weird for home network because operator use plenty of gateways.
You can give us your public IP, like this we can compare our result …

tcp/23 is apparently open because of sentinel honeypots, thus, port 23 is not valid for checking.

from nmap manual page

For example, a SYN scan considers no-response
           to indicate a filtered port, while a FIN scan treats the same as

I don’t have Sentinel running.
(because it wasn’t behaving steadily: dynfw_client didn’t start randomly).

This is not a good idea :wink:

In private Message of course :smile:
And I will give you mine, like this you can follow the logs.
But I fully understand, if your are not confortable with that …

it’s a turris, it should be safe.

what do you see when telnetting to port 23 from outside?

If you have a doubt, unplug your WAN access and put a laptop in it and restart your scan. And if you have open port try to use it. You can also plug a small hub on your WAN port like this you can scan your internet access in real time. Beware all the plug in this hub will be not protected by the firewall. And by the way what is the result of ShieldsUP! at https://www.grc.com ?

You give the IP to all “sites” you visit. I can’t see a significant risk, though you perhaps don’t want to post it publicly.

Well, if you’re in the middle of an investigation whether all your ports aren’t mistakenly open to the world, I think giving out the IP address is really not the best idea =)

1 Like