nmap scan of Azure VM shows several ports open, even though they are not actually open

Amal Antony 50

Hello everyone.

I have a linux VM in Azure and it has a public IP address assigned. In NSG, only port 80 and 443 are allowed. However, when I run an nmap scan on the IP address, it shows several ports open. Not shown: 987 filtered ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

25/tcp open smtp

80/tcp open http

110/tcp open pop3

113/tcp closed ident

135/tcp open msrpc

143/tcp open imap

443/tcp open https

2000/tcp open cisco-sccp

5060/tcp open sip

8008/tcp open http

8010/tcp open xmpp Is this the expected behaviour? Can this pose a security threat? Is there a way to modify the scan parameters for nmap to resolve this?

Thanks in advance.

Luis Arias 6,061 Reputation points

2024-01-19T20:50:45.89+00:00
Hi Amal Antony,

Could you share your nmap line of code? Where are you running nmap? I try with this nmap line:

nmap -p 1-65535 -Pn -T4 <Your-Public-IP>

Verify you have the NSG association to your VM interface because by default NSG inbound rule it doesn't permit communication from external of Virtual Network, I tested the same configuration and nmap show only my open port.

Let me know after you test. Luis

Amal Antony 50

Hi @Luis Arias .

Thanks a lot for responding.

I am running nmap without any additional flags. Just the public IP address.

$ nmap xx.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-22 14:52 IST
Nmap scan report for xx.xx.xx.xx
Host is up (0.021s latency).
Not shown: 987 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
113/tcp  closed ident
135/tcp  open   msrpc
143/tcp  open   imap
443/tcp  open   https
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
8010/tcp open   xmpp
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds

The NSG is properly attached, because I am able to connect to the machine through SSH and the server running in the machine is publicly accessible over 80 and 443.

Amal Antony 50 Reputation points

2024-01-22T09:31:48.7+00:00

Checked again and the NSG is properly attached.

Found another interesting thing. The above results are obtained when running nmap behind the office firewall. From my home network, it only shows the actual ports. So, I guess firewall is the reason for getting erratic results. Any insights on that?
Luis Arias 6,061 Reputation points

2024-01-22T09:43:57.8466667+00:00

Hi again Amal, so there is a rule alowing the comunication from your office network to the public IP. So when you try from an external network (such as your home network) only show the port that you have open that make sense. You can verify that supossition checking the NSG effective Security rules and checking your office network CIDR:

There you will see the actual traffic enable from your network to this VM:

Let me know how is going.
Amal Antony 50 Reputation points

2024-01-22T11:35:49.5766667+00:00

@Luis Arias The connection and NSG rules are working perfectly, both from the office network and home network. I can SSH to the machine over this IP. The machine is serving content over 80 and 443. To be clear, NSG is functioning correctly. It's just the output of nmap that seems to be erratic.
kobulloc-MSFT 26,131 Reputation points Microsoft Employee

2024-01-24T00:57:36.59+00:00

Hello, @Amal Antony ! Seeing different sets of ports as open from the office vs home would be expected if there was an exception made based on the source in the NSG rules as @Luis Arias mentioned. This is a common pattern and can be set up to run automatically when new VM NSGs are created. nmap adds a bit of complexity to the troubleshooting as ports reported as open aren't always open as discussed in this post. Have you tried setting --packet-trace to see what is being returned on those ports?
Amal Antony 50 Reputation points

2024-01-24T11:14:27.0066667+00:00

Hi @kobulloc-MSFT .
There are no exception or source specific rules in NSG. The only variable here is the office firewall. With --packet-trace flag, it shows a connected status to the ports listed in the original post.
Amal Antony 50 Reputation points

2024-01-24T11:22:46.5866667+00:00

Seems like this is not an issue with Azure. More like, how the firewall responds to nmap scan. I have read an SO answer that says this could be the firewall returning fake TCP SYN-ACK responses to connection attempts in the top 100 or top 1000 ports to throw off port scanners and other recon tools. It would be good to have a solid explanation on the reason behind this behaviour.

Accepted answer

kobulloc-MSFT 26,131 Reputation points Microsoft Employee

2024-01-29T19:32:19.4+00:00
Hello, @Amal Antony ! I reached out to the virtual machine team. While I can't provide specifics regarding the NSG responses, I can confirm that if rules are in place then traffic will not be allowed (which can be confirmed on the VM).

Why are nmap or other network mapping tools reporting that blocked ports are open on my VM?

There are multiple reports of closed ports being reported as open on VMs by network mapping tools. I can confirm that traffic is not allowed if a properly configured NSG is in place. The tool may be running into an automated response and in the case of nmap, you can confirm this by examining the packet using --packet-trace to see what is being returned on those ports.

Additional reading:

Stack Exchange: Nmap reporting almost every port as open

Super User: nmap shows excessive number of open ports

nmap.org: Port Scanning Basics

Hackerific: False positive TCP ports!

I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

nmap scan of Azure VM shows several ports open, even though they are not actually open

0 additional answers