I tried to use -sS scan on two addresses. First on localhost and the second on my external ip. The thing is, I get different results which makes me confused. Based on my settings, the localhost results seem to be the correct one while the scan on the external ip is reporting that I have open ports even for apps/services that I don't even use. Is this something that can be a cause for alarm or something? Thanks in advance guys.

Just because you're not using the applications on those ports doesn't mean those ports aren't open. What is nmap showing as open? Also, run netstat -tulnap to get a list or ports that are open.

I don't see the open ports as reported with nmap -sS using my external ip.

in external ip it says:

PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

and i know i have shutdown those services . . .

however, this comes out when scan 127.0.0.1:

PORT STATE SERVICE
22/tcp open ssh
37/tcp open time
113/tcp open auth
631/tcp open ipp

and i believe that is more correct than the former. so, can anyone enlighten me further?

also when i do a netstat -tulnap none of those ports listed when i scan the external ip showed up.

For "open" read "accessable" or better: "unfiltered". Next to that nmap uses it's own number-to-port mapping similar to /etc/services and just like the services file it's a *static* mapping. So, to extract information and confirm, if a port is "open" and there is service bound to it, use the version scan option. BTW, scanning localhost uses loopback which usually is excluded from filtering in the firewall and so gives a skewed picture of what is accessable. Best way is to scan from a box that's not in your LAN or use on of the free online services.


netstat -tulnap
"a" vs "l"...