output of : sudo netstat -tap, please

Thanks for looking Freedom. Output of that command:

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 *:9999 *:* LISTEN 1085/sshd

tcp 0 0 localhost.localdo:mysql : LISTEN 1167/mysqld

tcp 0 0 localhost.localdom:smtp : LISTEN 1503/exim4

tcp 0 300 myhostname.net:9999 customer8181.pool:49237 ESTABLISHED 1664/sshd: user [pr

tcp6 0 0 [::]:9999 [::]:* LISTEN 1085/sshd

tcp6 0 0 [::]:www [::]:* LISTEN 1538/apache2

(where 9999 is my ssh port)

nmap from the box I'm sitting at now (different machine, with an ssh session open to the server):

PORT STATE SERVICE

80/tcp open http

110/tcp open pop3

1863/tcp open msnp

3128/tcp open squid-http

5190/tcp open aol

8080/tcp open http-proxy

I haven't installed squid or exim btw, but I guess exim is in by default and the 'squid' port is part of this unknown open(?)ports situation I've got.

Just in case it's useful, here's a list of all the running processes (from ps -e; this is Debian 5): [edit] removed - nothing to see there, and making the thread too long ;)[/edit]

And some more random output that might help with diagnosis:

fuser 80/tcp

80/tcp: 1538 1557 1564

ps -ef | grep 1538

root 1538 1 0 11:22 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 1557 1538 0 11:22 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 1564 1538 0 11:23 ? 00:00:00 /usr/sbin/apache2 -k start

root 1695 1672 0 13:55 pts/0 00:00:00 grep 1538

fuser 110/tcp

fuser 1863/tcp

fuser 3128/tcp

fuser 5190/tcp

fuser 8080/tcp

Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host). I think I need to nmap from outside of my ISP.

[edit] I did that, using lynx on my server and an online nmap service and from the point of view of that service there's only the one port open (80)… I don't know why those ports look open from my machine here, but I'm reassured that there's no massive problem here ;)[/edit]

@Daveo:

Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host).
Looks like your ISP is proxying and/or filtering some of your internet access. If mine started doing that I'd either get a new ISP or tunnel out to somewhere that will route my packets properly (like Linode for example :) )

@Stever:

Looks like your ISP is proxying and/or filtering some of your internet access. If mine started doing that I'd either get a new ISP or tunnel out to somewhere that will route my packets properly (like Linode for example :) )

Hehe yeah.. hence my other thread about OpenVPN ;)

Although, it can't do port sweeps, check out http://ping.eu. It can do a lot of server tests.

Otherewise, your server looks fine. For some reason my server always comes back with SMB ports open which confuses the hell out of nmap when I try to have it guess the OS. I know my server is good (ie not comp'd) as I just re-installed it the other day and these ports are still open.

@Daveo:

Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host). I think I need to nmap from outside of my ISP.

[edit] I did that, using lynx on my server and an online nmap service and from the point of view of that service there's only the one port open (80)… I don't know why those ports look open from my machine here, but I'm reassured that there's no massive problem here ;)[/edit]

Yeah, when I scan, I always scan from both the inside and outside and compare the results. If I see more from the inside than from the outside, I know that my local router and firewall are what's making the difference. Taking into consideration upstream filtering helps also.