Are ports 21, 554, and 7070 open or closed? The answer is yes.
Perhaps you’re confused by the title, and if you are, you’re experiencing the same feeling I’ve had for the past day. Alas, I’ve spent way too much time figuring out why my server was seemingly a bizarro-world example of up-is-down, down-is-up reality.
Well, the reality that is pales in comparison to the journey that was, so let’s briefly review the journey.
I was running security tests on my Rackspace Cloud Server after configuring the firewall, and the tests revealed that ports 21, 554, and 7070 were open. This was not the intention of my firewall, and although I had done a fair amount of reading on iptables over the past few months, I was starting to question my understanding of even basic configuration options.
Eventually, I chatted with tech support to make sure that I wasn’t missing a default configuration of their cloud servers, but to my surprise the tech’s tests of my server did not reveal that the ports were open. I was tired and wondering if I was imagining things, so I decided it was time to hit the hay.
The next morning, I immediately went back to the computer thinking the abnormal tendencies of my network would turn out to be stupid errors on my part, easily corrected by my sharper, rested mind (OK, I know, even well rested I’m no Einstein, but…) However, the light of a new day merely revealed the strange truth of my tests.
I had no services running/listening on any of the listed ports, I was using a firewall that appeared to work for many other people just the way I thought it should work for me, and I could see evidence of the firewall working on other ports. When I tested the ports (telnet, nmap, etc.), they were open. However, when the tech and later my friend Davin tested the ports on their computers, they were closed.
It appears it was only one bad Apple that was spoiling a bunch of my tests. I’m using a Time Capsule as my router, and after growing suspicious, a search brought up a rather similar issue.
After isolating the issue, it appears that the Time Capsule was trying to “help” the situation by proxying certain protocols. The problem is that for some of these protocols it doesn’t even check with the server to see whether a connection can actually be obtained; it simply accepts the connection itself, making it appear as though the server granted it, and then passes along the follow-up requests. Needless to say, this approach by Apple didn’t actually “help” me at all.
So, if you’re seeing some unexpected results of ports 21, 554, and 7070 being open on a remote server, I hope you find this blog post so you can quickly check if it’s a piece of Apple networking hardware that’s causing the issue.
I thought I was going nuts 😉
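One way to confirm this kind of false positive before touching a single firewall rule, as an added example that is not part of the original post: scan the target and, from the same vantage point, a control host that you know has no listeners on the suspect ports. A port that reports “open” on both is being answered by something on the shared path (here, the Time Capsule), not by the target. The `PROXIED_PORTS` set, the verdict labels and the hostnames are my own choices; the live part of the demo only talks to 127.0.0.1, and the 21/554/7070 results are constructed to reproduce what the post describes.

```python
"""Added example: separate a real open port from one a home router's
protocol proxy answers on the server's behalf. Not from the original post."""

import socket
from contextlib import closing

# Ports the post reports being answered by the Time Capsule / AirPort proxy.
PROXIED_PORTS = {21, 554, 7070}


def tcp_connect_state(host, port, timeout=2.0):
    """Return 'open' if the TCP handshake completes, 'closed' on a reset,
    and 'filtered' if nothing answers before the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host, ports, timeout=2.0):
    """Connect-scan the given ports; returns {port: state}."""
    return {port: tcp_connect_state(host, port, timeout) for port in ports}


def classify(target_results, control_results):
    """Compare the target scan with a control-host scan port by port.

    'open'           open on the target only: a real listener
    'likely-proxied' open on both and one of the ports the post names
    'suspect-path'   open on both, some other port: investigate the path
    Anything not open on the target keeps its own state (closed/filtered).
    """
    verdicts = {}
    for port, state in target_results.items():
        if state != "open":
            verdicts[port] = state
        elif control_results.get(port) == "open":
            verdicts[port] = ("likely-proxied" if port in PROXIED_PORTS
                              else "suspect-path")
        else:
            verdicts[port] = "open"
    return verdicts


def local_demo():
    """Self-contained run against 127.0.0.1: one real listener on an
    ephemeral port and one port known to be closed, combined with a
    constructed scan result that mimics the post's symptom."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        real_port = listener.getsockname()[1]
        # Learn a free port number, then release it so it is really closed.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        target = scan("127.0.0.1", [real_port, closed_port], timeout=1.0)
    # Constructed: what a scan from behind the Time Capsule shows for these.
    target.update({21: "open", 554: "open", 7070: "open"})
    # Constructed control-host result: the proxy answers for it as well.
    control = {real_port: "closed", closed_port: "closed",
               21: "open", 554: "open", 7070: "open"}
    return real_port, closed_port, classify(target, control)


if __name__ == "__main__":
    real_port, closed_port, verdicts = local_demo()
    for port, verdict in sorted(verdicts.items()):
        print(f"{port:>5}  {verdict}")
```

In real use you would replace the constructed entries with `scan("control.example.invalid", [21, 554, 7070])` against a host you control and know to be silent on those ports, and repeat the target scan from a second network (the tech support and friend in the post were, in effect, that second vantage point).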
FYI same thing happens if you have an Airport Extreme 802.11n.
Thanks much for the insight!
Sadly I didn’t find this fast enough.
I started googling the issue when I noticed that even Google.com had those ports open, I thought maybe it was my version of nmap that was screwing things up.
Thanks for trying to help people with this issue.
I’ve been following this issue for over a year and still have not found a resolution. I was hoping the recent release of the 7.5.2 firmware would resolve it but it hasn’t. Has anyone figured out how to stop the AEBS from doing this?
-C
Very useful. Thank you for posting. I was using nmap against a Cisco router and seeing the same ports but verified they were not open, not NAT’d, nothing.
Here are a couple of Cisco commands people may find useful to see open ports on a Cisco router:
show control-plane host openports
show udp
show tcp brief
Thank you, I’m not going crazy.
Man, my sanity was hanging by a thread.
I cannot thank you enough.
Thank you!!! I was really starting to doubt my own competency on this and almost hired an expensive network tech to start looking into this. I have been going nuts for the last 3 days.
cheers
This same behavior appears to exist from Verizon FiOS ActionTec routers. Any scanning I do from home shows ports 554/7070 open on remote hosts, even when they are not up.
Same issue here. This saved me a few hours of rebuilding machines on Rackspace to figure out what was wrong. Thanks!
I’m the latest person you’ve saved a ton of time for by posting this. Many thanks!
Thank you from Italy too. I think this is crazy.
thank you…thank you…..thank you…..
I signed up for an inexpensive VPS (Virtual Private Server) as a learning tool, to learn linux server management. In other words, I have a personal linux server out on the Internet. Obviously, the first things I wanted to do was make the VPS more secure, so I configured a variety of security features, including the iptables firewall.
Next, I ran a port scan against the VPS from my home Mac computer, using the simple Network Utility in the /Applications/Utility folder and found that ports 21, 554, and 7070 were open in addition to port 80 and the random high port I had chosen to use for SSH connections. (I also verified the problem by running nmap from Windows and Linux virtual machines.)
I burned an entire day and night trying to disable unnecessary services on the VPS and configure the firewall to close the unexpected open ports until a friend clued me in to look at the Apple Time Capsule (AirPort) I am using as a home router. It never occurred to me to consider that the router was responding to the port scan even before the packets got out to the Internet.
Thanks, Apple, for wasting so much of my precious time with your undocumented “feature”.
Thanks a lot, this saved me quite a bit of research.
Thank you much! This was my exact issue… I wish there was a solution other than getting another router. Apple: fix this!
This is the greatest blog post of all time. I was about to start tearing my hair out over this issue. I was on a Netgear wireless access point and everything was fine. Switched to an Apple WAP and suddenly those three ports are open on everything I scan! WTF?
Thanks Apple, way to be “helpful.”
This is braindead. There is absolutely no good technical reason to do this. It breaks things on so many levels… I’m going to stop using Time Capsule as my home router ASAP.
A friend asked me to run nmap on her new server in CoLo. When I sent the results back to her, she had a minor heart attack because it looked like there were a bunch of insecure ports open on her system.
I think I’m going to switch to PFSense.
To add to the list, BT Homehub, (version 5) in my case also does this stupidity. One of the many annoying features which it has to “help” such as not letting you change DNS servers.
thanks a lot!
I had the same problem and was very concerned after I found these ports open on my VPS Linux machine… I spent only 1.5h looking for this problem thanks to your post!
Greetings
I agree with Dave: “This is the greatest blog post of all time.”
Thanks a lot, admin!
Thank you very much!
Thanks bro.
/me slaps forehead
I’ll sleep easy now. Thanks greatly.