On a server running Ubuntu 14.04.2 I was doing a basic security check when I ran the command nmap -p -d 1-65535
as a non-root user. Interestingly, it reported a few (1-5 at a time on average, changing with every scan) high ports open as "unknown". Taken aback, I checked netstat and all the usual things; nothing seemed wrong and the unknown ports were not open. I ran the scan as root and the bogus ports NEVER showed up, no matter how many times I repeated the scan.
As a test I spun up a virtual machine with a similar configuration of services from a fresh install of the ISO and it too showed the same thing, calming my fears.
I also took a packet capture of the "lo" interface and the only thing I could see on these "unknown" open ports was the nmap probes, as usual.
Just interested in why this happens. I suspect it is due to the different scanning methods nmap uses when run as a non-root user.
Relevant nmap output
Non-root scan
- trimmed some output to reduce length -
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-03 23:41 PST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 23:41
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 23:41, 0.00s elapsed (1 total hosts)
Overall sending rates: 1986.10 packets / s.
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
Initiating Connect Scan at 23:41
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 35443/tcp on 127.0.0.1
Discovered open port 52296/tcp on 127.0.0.1
Discovered open port 9050/tcp on 127.0.0.1
Discovered open port 45478/tcp on 127.0.0.1
Completed Connect Scan at 23:41, 1.55s elapsed (65535 total ports)
Overall sending rates: 42381.38 packets / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00034s latency).
Scanned at 2015-03-03 23:41:36 PST for 2s
Not shown: 65527 closed ports
Reason: 65527 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
9050/tcp open tor-socks syn-ack
35443/tcp open unknown syn-ack
45478/tcp open unknown syn-ack
52296/tcp open unknown syn-ack
Final times for host: srtt: 340 rttvar: 77 to: 100000
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Root scan
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-03 23:43 PST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
Initiating SYN Stealth Scan at 23:43
Scanning localhost (127.0.0.1) [65535 ports]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 127.0.0.1)))
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 9050/tcp on 127.0.0.1
Increased max_successful_tryno for 127.0.0.1 to 1 (packet drop)
Completed SYN Stealth Scan at 23:43, 6.86s elapsed (65535 total ports)
Overall sending rates: 9569.39 packets / s, 421053.03 bytes / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000014s latency).
Scanned at 2015-03-03 23:43:43 PST for 7s
Not shown: 65530 closed ports
Reason: 65530 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
9050/tcp open tor-socks syn-ack
Final times for host: srtt: 14 rttvar: 2 to: 100000
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
Raw packets sent: 65593 (2.886MB) | Rcvd: 131191 (5.510MB)
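
A possible explanation for the ports that appear only in the connect scan, shown as an added example that is not part of the original post: on Linux, a connect() to a loopback port that happens to equal the socket's own kernel-assigned source port completes through TCP simultaneous open, although nothing listens there. That this is what happened in the scans above is an assumption; HOST, the function names and the fallback port range are illustrative.

```python
import socket

HOST = "127.0.0.1"
# Ports the non-root connect scan in the post reported as open/unknown.
REPORTED_UNKNOWN = (35443, 45478, 52296)

def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return the kernel's (low, high) source-port range for outgoing connections."""
    try:
        with open(path) as fh:
            low, high = fh.read().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return 32768, 60999  # assumption: common Linux default when /proc is unavailable

def probe(port):
    """connect()-style probe from a kernel-chosen source port; True if accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        return s.connect_ex((HOST, port)) == 0

def self_connect_demo():
    """Connect a socket to its own source port; nothing ever calls listen()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        s.bind((HOST, 0))                 # kernel assigns a free ephemeral port
        port = s.getsockname()[1]
        s.connect((HOST, port))           # source port == destination port
        s.sendall(b"ping")
        return {
            "port": port,
            "same_endpoint": s.getsockname() == s.getpeername(),
            "echoed": s.recv(4),          # the socket reads back its own data
            "other_probe_open": probe(port),  # different source port: refused
        }

if __name__ == "__main__":
    low, high = ephemeral_range()
    print("ephemeral range:", low, high)
    for p in REPORTED_UNKNOWN:
        print(p, "inside range" if low <= p <= high else "outside range")
    print(self_connect_demo())
```

While such a socket exists, netstat lists it as ESTABLISHED with identical local and remote address rather than as LISTEN, and it disappears as soon as the socket is closed.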