Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 05-31-2006, 11:43 PM   #1
Registered: Dec 2005
Distribution: Slackware, SLAX, Redhat, Fedora
Posts: 133

Rep: Reputation: 15
Question Different nmap results

I tried to use -sS scan on two addresses. First on localhost and the second on my external ip. The thing is, I get different results which makes me confused. Based on my settings, the localhost results seem to be the correct one while the scan on the external ip is reporting that I have open ports even for apps/services that I don't even use. Is this something that can be a cause for alarm or something? Thanks in advance guys.
Old 06-01-2006, 01:52 AM   #2
Registered: Jan 2004
Location: /lost+found
Distribution: Slack`er-current
Posts: 845

Rep: Reputation: 32
Just because you're not using the applications on those ports doesn't mean those ports aren't open. What is nmap showing as open? Also, run netstat -tulnap to get a list or ports that are open.
Old 06-01-2006, 04:43 AM   #3
Registered: Dec 2005
Distribution: Slackware, SLAX, Redhat, Fedora
Posts: 133

Original Poster
Rep: Reputation: 15
I don't see the open ports as reported with nmap -sS using my external ip.

in external ip it says:

21/tcp open ftp
23/tcp open telnet
80/tcp open http

and i know i have shutdown those services . . .

however, this comes out when scan

22/tcp open ssh
37/tcp open time
113/tcp open auth
631/tcp open ipp

and i believe that is more correct than the former. so, can anyone enlighten me further?

also when i do a netstat -tulnap none of those ports listed when i scan the external ip showed up.
Old 06-01-2006, 08:22 AM   #4
Registered: May 2001
Posts: 28,826
Blog Entries: 55

Rep: Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341Reputation: 3341
For "open" read "accessable" or better: "unfiltered". Next to that nmap uses it's own number-to-port mapping similar to /etc/services and just like the services file it's a *static* mapping. So, to extract information and confirm, if a port is "open" and there is service bound to it, use the version scan option. BTW, scanning localhost uses loopback which usually is excluded from filtering in the firewall and so gives a skewed picture of what is accessable. Best way is to scan from a box that's not in your LAN or use on of the free online services.

netstat -tulnap
"a" vs "l"...



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
nmap results not correct? bobwall Linux - Networking 1 05-27-2005 03:31 AM
please help me,i m desperate.nmap results el3ctronic Linux - Security 4 03-01-2005 10:24 AM
nmap scan results ! dimgr Linux - Security 3 01-21-2005 12:39 PM
nmap results djcomplex Linux - Software 3 03-20-2004 01:46 PM
nmap results richlawson Linux - Security 6 12-16-2003 03:26 PM

All times are GMT -5. The time now is 01:36 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration