Check open port: 6129 filtered

user1684189 asked:

I’ve started a security audit on my server and with a simple nmap scan I discovered the situation below:

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-31 17:14 CET
Nmap scan report for ********* (*********)
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
999/tcp  open     garcon
6129/tcp filtered unknown

Port 80 is for HTTP and 999 is a custom port for the OpenSSH daemon. But what is the filtered port 6129? Thanks to Google I discovered that this port is usually used by Dameware, a remote administration software that I haven’t installed.

I’ve checked the active connections with a simple “netstat -a”:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:999                   *:*                     LISTEN     
tcp        0      0 localhost.localdom:9000 *:*                     LISTEN     
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     
tcp        0      0 *:www                   *:*                     LISTEN     
tcp        0    224 *******:999 ************:58761     ESTABLISHED
tcp6       0      0 [::]:999                [::]:*                  LISTEN     
tcp6       0      0 [::]:www                [::]:*                  LISTEN     
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  4      [ ]         DGRAM                    171764732 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     171765031 /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     208767580 
unix  3      [ ]         STREAM     CONNECTED     208767579 
unix  2      [ ]         DGRAM                    208767578 
unix  3      [ ]         STREAM     CONNECTED     171765176 
unix  3      [ ]         STREAM     CONNECTED     171765175 
unix  3      [ ]         STREAM     CONNECTED     171765170 
unix  3      [ ]         STREAM     CONNECTED     171765169 
unix  3      [ ]         STREAM     CONNECTED     171765166 
unix  3      [ ]         STREAM     CONNECTED     171765165 
unix  3      [ ]         STREAM     CONNECTED     171765163 
unix  3      [ ]         STREAM     CONNECTED     171765162 
unix  2      [ ]         DGRAM                    171764989 
unix  3      [ ]         STREAM     CONNECTED     171764716 
unix  3      [ ]         STREAM     CONNECTED     171764715 

Everything seems OK. I installed this server only a few days ago and I’m very paranoid about security: only 2 daemons available remotely (HTTP & OpenSSH), custom SSH port with RootLogin disabled, hardened webapp, iptables that drops all traffic except for 80 and 999, and many more… Is it possible that I’ve been hacked?

Many thanks for your help

My answer:


It’s probably your ISP filtering outbound traffic on that port (who knows why? only they do). You are very unlikely to see it if you scan from somewhere else. If you do see it when scanning from another location (and a different ISP) then it’s probably being filtered by the ISP of the server.


View the full question and answer on Server Fault.
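An added example, not part of the original question or answer: it cross-checks the question's nmap table against its netstat listeners, showing that 6129 has no local listener, which fits the answer's explanation that the probe is dropped somewhere on the path. The function names and the service-name map are assumptions; the sample input is abridged from the output posted in the question.

```python
import re

# Sample input abridged from the question's own nmap and netstat output.
NMAP_OUTPUT = """\
80/tcp   open     http
999/tcp  open     garcon
6129/tcp filtered unknown
"""
NETSTAT_OUTPUT = """\
tcp        0      0 *:999                   *:*                     LISTEN
tcp        0      0 localhost.localdom:9000 *:*                     LISTEN
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp6       0      0 [::]:999                [::]:*                  LISTEN
"""
# netstat -a prints service names; minimal map for the names seen here (assumption).
SERVICE_PORTS = {"www": 80, "http": 80, "mysql": 3306}

def parse_nmap(text):
    """Return {port: state} for the TCP rows of an nmap port table."""
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+(\S+)", text, re.M)}

def parse_netstat(text):
    """Return {port: reachable_remotely} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        port = int(port) if port.isdigit() else SERVICE_PORTS.get(port)
        if port is not None:
            remote = not host.startswith(("localhost", "127.", "[::1]"))
            listeners[port] = listeners.get(port, False) or remote
    return listeners

def triage(nmap_ports, listeners):
    """Compare what the scanner saw with what the host actually listens on."""
    verdicts = {}
    for port, state in sorted(nmap_ports.items()):
        if listeners.get(port):
            verdicts[port] = "expected: local listener exists"
        elif state == "filtered":
            verdicts[port] = "no local listener: dropped on the path, rescan from another network"
        else:
            verdicts[port] = "investigate: scanner reports %s, no remote listener" % state
    return verdicts

if __name__ == "__main__":
    print(triage(parse_nmap(NMAP_OUTPUT), parse_netstat(NETSTAT_OUTPUT)))
```

Feeding it a second nmap table taken from a different network and ISP shows whether the 6129 row disappears, which is the comparison the answer recommends.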

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.