Beware Open Ports: A Complete Server Security Self‑Check Using nmap

Introduction

Each open port on a server represents a potential attack surface. When an operations engineer takes over a new server, changes firewall rules, or launches a new service, a port‑security check should be performed to confirm that only the necessary ports are listening.

Thinking that a server behind a firewall does not need port checks.

Only checking business ports (80/443) and ignoring operational ports such as SSH, database, or Redis.

Assuming cloud security groups completely replace host‑level firewalls.

Being unsure of the impact of port scanning on production and therefore avoiding scans.

This article provides a complete workflow for server port security self‑inspection using the nmap tool, covering installation, basic scanning, advanced scanning, script scanning, result analysis, and remediation.

Chapter 1: nmap Basics and Installation

1.1 What is nmap

nmap

(Network Mapper) is one of the most popular port‑scanning and network‑discovery tools. It can probe a target host for open ports, service versions, operating system types, and more, making it essential for both operations and security engineers.

# Check if nmap is installed
which nmap

# Install if missing
# CentOS / RHEL
sudo yum install nmap -y

# Ubuntu / Debian
sudo apt install nmap -y

# macOS
brew install nmap

# Windows: download from https://nmap.org/download.html

1.2 Scanning Principles

nmap supports multiple scanning techniques; the default is TCP SYN scan (half‑open scan):

TCP SYN scan ( -sS): sends SYN packets, receives SYN‑ACK for open ports, RST for closed ports; does not complete the three‑way handshake, low impact, requires root.

TCP connect scan ( -sT): completes the full three‑way handshake; no root required but easier to detect.

UDP scan ( -sU): sends UDP packets; no response may indicate open or filtered; slow but necessary for UDP services.

FIN scan ( -sF): sends FIN packets to bypass some firewalls.

Ping scan ( -sn): only checks host liveness, no port scan.

# Show nmap version and features
nmap --version
# Nmap version 7.94

# List number of NSE scripts
ls /usr/share/nmap/scripts/ | wc -l
# Hundreds of NSE scripts

Chapter 2: Basic Port Scanning

2.1 Single‑Port Scan

# Scan a single port
nmap -p 22 192.168.1.100
# Sample output:
# Starting Nmap 7.94 ( https://nmap.org )
# PORT   STATE SERVICE
# 22/tcp open  ssh

# Specify ports, ranges, or lists
nmap -p 22,80,443 192.168.1.100   # list
nmap -p 22-100 192.168.1.100      # range
nmap -p -1000 192.168.1.100      # first 1000 ports
nmap -p 1-65535 192.168.1.100    # full scan

2.2 Fast Scan of Common Ports

# Scan the most common 20 ports (built‑in list)
nmap --top-ports 20 192.168.1.100
# Common ports and services:
# 21   FTP
# 22   SSH
# 23   Telnet (clear‑text, extremely unsafe)
# 25   SMTP
# 53   DNS
# 80   HTTP
# 110  POP3
# 143  IMAP
# 443  HTTPS
# 3306 MySQL
# 3389 RDP (Windows Remote Desktop)
# 5432 PostgreSQL
# 6379 Redis
# 8080 HTTP proxy (common in Java apps)
# 9200 Elasticsearch
# 27017 MongoDB

2.3 Full Port Scan

# Scan all 65535 ports (takes longer)
nmap -p 1-65535 -T4 192.168.1.100
# -T4: aggressive timing (0‑5 scale)
# Production recommendation: -T3 or -T4 to limit impact

# Faster alternative: scan all ports with -p-
nmap -p- -T4 192.168.1.100
# Save results for later comparison
nmap -p 1-65535 -oA /tmp/portscan-$(date +%Y%m%d) 192.168.1.100
# -oA outputs nmap, XML, and grepable formats

2.4 Host Discovery and Batch Scanning

# Ping scan to discover live hosts
nmap -sn 192.168.1.0/24
# Output shows which IPs are online and response times

# Exclude specific IPs
nmap -sn 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.2

# Batch scan multiple hosts or subnets
nmap -p 22,80,443 192.168.1.100,192.168.1.101,192.168.1.200

# Scan hosts listed in a file
nmap -p 22,80,443 -iL /tmp/servers.txt

Chapter 3: Service Version Detection

3.1 Identify Service Versions

Knowing that a port is open is not enough; you also need to know which version of the service is running and whether it has known vulnerabilities.

# -sV enables service version detection
nmap -sV -p 22,80,443,3306,6379 192.168.1.100
# Sample output:
# PORT   STATE SERVICE VERSION
# 22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
# 80/tcp open  http    Apache httpd 2.4.51
# 443/tcp open  ssl     nginx 1.21.4
# 3306/tcp open  mysql   MySQL 8.0.32
# 6379/tcp open  redis   Redis 6.0.16

# Why care about versions?
# If OpenSSH 8.4 has a known CVE (e.g., CVE‑2022‑1234), upgrade immediately.
# If Redis 6.0.16 allows empty passwords, remediate.

3.2 OS Fingerprinting

# -O performs OS detection (requires root)
nmap -O 192.168.1.100
# Sample output:
# OS details: Linux 5.4 (Ubuntu 20.04)
# Linux 3.2 - 5.4
# OS CPE: cpe:/o:linux:linux_kernel:5.4

3.3 Aggressive Scan (Recon Mode)

# -A combines OS detection, version detection, traceroute, and script scanning
nmap -A -T4 192.168.1.100
# Suitable for a comprehensive reconnaissance of a newly acquired server

Chapter 4: nmap Script Scanning (NSE)

4.1 NSE Overview

nmap's scripting engine (NSE) includes hundreds of scripts for vulnerability detection, weak‑credential checks, brute‑force attempts, and more.

# List all script categories
ls /usr/share/nmap/scripts/
# Categories include:
# auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln

4.2 Common Script Scans

# Default script set (most common)
nmap -sC -p 22,80,443,3306,6379 192.168.1.100
# -sC is equivalent to --script=default

# SSH security check (password vs. key login)
nmap -p 22 --script ssh-auth-methods 192.168.1.100
# Output example: Supported authentication methods: publickey,password
# Password login indicates a potential brute‑force risk.

# MySQL security check
nmap -p 3306 --script mysql-info,mysql-empty-password,mysql-users 192.168.1.100

# Redis security check
nmap -p 6379 --script redis-info,redis-brute 192.168.1.100
# If redis‑info returns data without authentication, the instance is insecure.

# HTTP security checks
nmap -p 80,443 --script http-enum,http-robots.txt,http-title 192.168.1.100
# http-enum enumerates directories; http-robots.txt reveals hidden paths; http-title fetches the page title.

# SSL/TLS security checks
nmap -p 443 --script ssl-enum-ciphers,ssl-cert,ssl-known-key 192.168.1.100
# ssl-enum-ciphers lists supported cipher suites; ssl-cert checks certificate validity.

4.3 Vulnerability Detection Scripts

# General vulnerability scan (runs all vuln scripts)
nmap -p 80,443 --script vuln 192.168.1.100
# Specific vulnerability scripts
nmap -p 22 --script ssh-vuln-* 192.168.1.100   # SSH CVEs (e.g., CVE‑2021‑41617)
nmap -p 443 --script ssl-vuln-* 192.168.1.100  # SSL/TLS CVEs (Heartbleed, POODLE)
# Heartbleed example
nmap -p 443 --script ssl-heartbleed 192.168.1.100
# Apache Struts RCE example
nmap -p 8080 --script http-vuln-cve2017-5638 192.168.1.100

4.4 Brute‑Force Detection

# Detect anonymous FTP login
nmap -p 21 --script ftp-anon 192.168.1.100
# Detect MySQL empty‑password root login
nmap -p 3306 --script mysql-empty-password 192.168.1.100
# Redis weak‑password brute force (requires user/password dictionaries)
nmap -p 6379 --script redis-brute 192.168.1.100 --script-args userdb=users.txt,passdb=pass.txt

Chapter 5: Production‑Environment Scanning Considerations

5.1 Impact on Business

nmap sends many packets; in production it may cause:

Network bandwidth consumption.

IDS/IPS alerts.

Brief spikes in server load.

Recommendations for production scans:

Avoid peak business hours.

Use slow timing templates (-T1 or -T2).

Validate commands in a test environment first.

Notify the security team in advance to prevent false alarms.

# Low‑speed scan suitable for production
nmap -T2 -p 1-1000 192.168.1.100
# Skip host discovery when the host is known to be up
nmap -Pn -T2 -p 1-1000 192.168.1.100

5.2 Scanning Your Own Servers vs. Others

Scanning your own servers : fully legal and a routine security operation.

Scanning third‑party servers requires written authorization (penetration‑test agreement). Unauthorized scanning is illegal under computer crime laws, though it is allowed in CTFs and authorized pentest scenarios.

# Scan your own host
nmap -sT -p 1-1000 localhost
# If you prefer SYN scan (requires root)
sudo nmap -sS -p 1-1000 localhost

5.3 Regular Scanning Schedule

# Set up a monthly scan (e.g., first day at 03:00)
crontab -e
# 0 3 1 * * /usr/local/bin/portscan-check.sh

#!/bin/bash
DATE=$(date +%Y%m%d)
LOG_DIR="/var/log/security"
SERVERS_FILE="/etc/security/scan-hosts.txt"
REPORT="$LOG_DIR/portscan-$DATE.html"
mkdir -p $LOG_DIR
# Scan and generate HTML report
nmap -sV -sC -p- -oA "$LOG_DIR/portscan-$DATE" -iL "$SERVERS_FILE"
# Compare with previous month to detect new ports
if [ -f "$LOG_DIR/portscan-$(date -d '1 month ago' +%Y%m%d).gnmap" ]; then
  diff <(grep "Ports:" "$LOG_DIR/portscan-$(date -d '1 month ago' +%Y%m%d).gnmap" | cut -d: -f2) \
       <(grep "Ports:" "$LOG_DIR/portscan-$DATE.gnmap" | cut -d: -f2) || true
fi
# Optional email notification
# mail -s "Port Scan Report $DATE" [email protected] < "$REPORT"

Chapter 6: Result Analysis and Remediation

6.1 Common Dangerous Ports and Risk Levels

22 SSH – Medium – Weak passwords enable brute‑force attacks.

23 Telnet – High – Clear‑text transmission; credentials can be sniffed.

445 SMB – High – EternalBlue (CVE‑2017‑0144) vulnerability; should not be exposed.

3306 MySQL – Medium – If exposed to the Internet without a password, data can be stolen.

6379 Redis – High – No default password; public exposure allows read/write.

27017 MongoDB – High – No authentication by default; public exposure allows data theft.

9200 Elasticsearch – High – No authentication; can read/write data and execute scripts.

11211 Memcached – High – No authentication; can be abused for DDoS amplification.

8080 HTTP Alt – Medium – Often a management console; may contain unpatched services.

3389 RDP – Medium – Windows Remote Desktop; brute‑force is common.

6.2 Checklist for Dangerous Ports

# SSH (22) check
nmap -p 22 --script ssh-auth-methods 192.168.1.100
# If "password" appears, switch to key‑only authentication:
# Edit /etc/ssh/sshd_config -> PasswordAuthentication no
# PubkeyAuthentication yes
# systemctl restart sshd

# Database ports (3306/5432/6379/27017) check
# Ensure only internal IPs can access; no public exposure
nmap -p 3306,6379 --script redis-info,mysql-info 192.168.1.100

# Memcached (11211) check
nmap -p 11211 --script memcached-info 192.168.1.100
# If unauthenticated, disable or restrict to internal network.

# RDP (3389) check (Windows servers)
nmap -p 3389 192.168.1.100
# Recommendation: VPN + network policy to restrict RDP access.

6.3 Firewall Configuration Example

# Basic iptables rules (restrict SSH and business ports)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow SSH from specific IP
-A INPUT -p tcp -s 1.2.3.4/32 --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Reject database ports (allow only internal network)
-A INPUT -p tcp -s 10.0.0.0/8 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 6379 -j ACCEPT

# Drop everything else
-A INPUT -j DROP
COMMIT

6.4 Cloud Security‑Group Check (Example: Alibaba Cloud)

# List all security groups
aliyun ecs DescribeSecurityGroups
# Show inbound rules of a specific group
aliyun ecs DescribeSecurityGroupPolicy --SecurityGroupId sg-xxxxxx --Direction ingress
# Common mistake: allowing 0.0.0.0/0 to database ports.
# Correct practice: restrict to internal IP ranges or specific IPs.

Chapter 7: Report Interpretation and Follow‑up

7.1 Interpreting nmap Output

# View previous XML report
nmap -oX /tmp/scan.xml 192.168.1.100
# Convert to HTML
xsltproc /tmp/scan.xml -o /tmp/scan.html
# Or view grepable format
nmap -oG /tmp/scan.gnmap 192.168.1.100
grep "Ports:" /tmp/scan.gnmap

7.2 Handling High‑Risk Ports

Step 1: Confirm necessity – Is the open port required for business? Can the service be disabled?

Step 2: Verify access control – Check firewall rules; attempt external connection to confirm it is blocked if it should be.

Step 3: Remediation options – Based on the situation:

If the port is unnecessary and exposed, close the service or block it with firewall rules.

If SSH allows password login, enforce key‑only authentication.

If Redis has no password, set a strong password or bind to internal IP.

If a management console is exposed, restrict access via VPN or IP whitelist.

If a service version has a known CVE, upgrade to the latest stable version.

7.3 Record and Review

# Log findings and remediation steps
# Record in security ops log or CMDB:
# Time, discovery method, responsible person, remediation actions

Supplement 1: Deep OS and Service Fingerprinting

OS Fingerprinting Details

nmap analyses TCP/IP characteristics (TTL, window size, TCP options, etc.) to infer the operating system.

# OS detection (requires root)
sudo nmap -O 192.168.1.100
# Sample output:
# OS details: Linux 5.4 (Ubuntu 20.04)
# OS CPE: cpe:/o:linux:linux_kernel:5.4
# Aggressive OS guesses: Linux 5.4 (94%), Linux 2.6.32 (88%)
# Note: OS detection is not 100% accurate.
# If -O is inconclusive, use -A for comprehensive scanning.
sudo nmap -A -T4 192.168.1.100

Service Fingerprinting Advanced Options

# Version detection with intensity control
nmap -sV -p 22,80,443 192.168.1.100
# Use a custom fingerprint database if needed
nmap --script-args='db=/path/to/nmap-service-fingerprints' -sV -p 22 192.168.1.100
# High intensity (detailed, slower)
nmap -sV --version-intensity 9 -p 80 192.168.1.100
# Low intensity (fast)
nmap -sV --version-intensity 0 -p 22 192.168.1.100

Detecting Hidden Services

# Find hidden Redis instances on any port
nmap -sV -p 1-65535 192.168.1.100 | grep -i redis
# Find hidden SSH instances
nmap -sV -p 1-65535 192.168.1.100 | grep -i "ssh.*OpenSSH"
# Find HTTP services on non‑standard ports
nmap -sV -p 1-65535 192.168.1.100 | grep -E "http|Apache|nginx|IIS"

Supplement 2: Common CVE Scans with nmap

OpenSSH CVE Scan

# Scan for known OpenSSH vulnerabilities
nmap -p 22 --script ssh-vuln-* 192.168.1.100
# Scan a specific CVE (e.g., CVE‑2021‑41617)
nmap -p 22 --script ssh-vuln-cve-2021-41617 192.168.1.100
# If vulnerable, upgrade OpenSSH immediately:
apt update && apt install openssh-server -y
systemctl restart sshd

OpenSSL / SSL/TLS CVE Scan

# Heartbleed (CVE‑2014‑0160)
nmap -p 443 --script ssl-heartbleed 192.168.1.100
# POODLE (CVE‑2014‑3566)
nmap -p 443 --script ssl-poodle 192.168.1.100
# Logjam (CVE‑2015‑4000)
nmap -p 443 --script ssl-dh-params 192.168.1.100
# Enumerate ciphers and detect weak ones
nmap -p 443 --script ssl-enum-ciphers 192.168.1.100

HTTP Service CVE Scan

# Scan for web server vulnerabilities
nmap -p 80,443 --script http-vuln-* 192.168.1.100
# Apache Struts RCE (CVE‑2017‑5638)
nmap -p 8080 --script http-vuln-cve2017-5638 192.168.1.100
# Apache Tomcat RCE (CVE‑2017‑12617)
nmap -p 8080 --script http-vuln-cve2017-12617 192.168.1.100
# IIS RCE (CVE‑2015‑1635)
nmap -p 80,443 --script http-vuln-cve2015-1635 192.168.1.100

Database CVE Scan

# MySQL authentication bypass (CVE‑2012‑2122)
nmap -p 3306 --script mysql-vuln-cve2012-2122 192.168.1.100
# Redis unauthenticated access
nmap -p 6379 --script redis-vuln-* 192.168.1.100
# PostgreSQL CVE scan
nmap -p 5432 --script pgsql-vuln-* 192.168.1.100
# MongoDB CVE scan
nmap -p 27017 --script mongodb-vuln-* 192.168.1.100

Supplement 3: Internal Network Lateral‑Movement (Authorized Pentest)

Host Discovery

# Scan live hosts in internal network
nmap -sn 10.0.0.0/24 -oG - | grep "Up$" | cut -d " " -f2

Fast Service Scan

# Quick scan of common ports
nmap -F -T4 10.0.0.0/24 -oG - | grep "Ports:" | awk -F"Ports: " '{print $2}' | cut -d " " -f1 | tr ',' '
' | sort -u | head -30

Full Scan of Selected Targets

for ip in 10.0.0.1 10.0.0.10 10.0.0.50; do
  echo "=== Scanning $ip ==="
  nmap -sV -sC -p 1-65535 -oA /tmp/scan-$ip $ip
done

Network Device Scan

# Scan routers, switches, firewalls (SSH, Telnet, SNMP)
nmap -sV -p 22,23,161,162 192.168.1.0/24 -oG - | grep "Host:" | grep -v "22/open\|23/open\|161/open"
# SNMP community brute‑force (default "public")
nmap -sU -p 161 --script snmp-brute 192.168.1.1

Supplement 4: Automated Report Script

#!/bin/bash
# nmap-security-report.sh – automated scan and HTML report generation
TARGET="${1:-localhost}"
OUTPUT_DIR="/var/www/html/nmap-reports"
DATE=$(date +%Y%m%d)
mkdir -p $OUTPUT_DIR

echo "Scanning $TARGET..."
# 1. Quick scan of common ports
nmap -sV -sC -F -T4 -oA "$OUTPUT_DIR/quick-$DATE" "$TARGET"
# 2. Full port scan (slow)
nmap -sV -p- -T2 -oA "$OUTPUT_DIR/full-$DATE" "$TARGET"
# 3. Vulnerability scan on key ports
nmap -sV --script vuln -p 22,80,443,3306,5432,6379,8080 -oA "$OUTPUT_DIR/vuln-$DATE" "$TARGET"
# 4. Convert XML to HTML
xsltproc "$OUTPUT_DIR/quick-$DATE.xml" -o "$OUTPUT_DIR/quick-$DATE.html"
xsltproc "$OUTPUT_DIR/vuln-$DATE.xml" -o "$OUTPUT_DIR/vuln-$DATE.html"
# 5. Detect newly opened ports compared to last month
if [ -f "$OUTPUT_DIR/full-$(date -d '1 month ago' +%Y%m%d).gnmap" ]; then
  echo "=== New Ports ===" > "$OUTPUT_DIR/changes-$DATE.txt"
  diff <(grep "Ports:" "$OUTPUT_DIR/full-$(date -d '1 month ago' +%Y%m%d).gnmap" | cut -d: -f2) \
       <(grep "Ports:" "$OUTPUT_DIR/full-$DATE.gnmap" | cut -d: -f2) >> "$OUTPUT_DIR/changes-$DATE.txt" || true
fi

echo "Reports generated:"
ls -la "$OUTPUT_DIR"/*-$DATE.*

Supplement 5: nmap Parameter Cheat Sheet

-sn

– Ping scan (host discovery only). Useful for quickly finding live hosts. -sS – TCP SYN (half‑open) scan. Default, requires root. -sT – TCP connect scan. No root required. -sU – UDP scan. Used for DNS, SNMP, etc. -sV – Service version detection. -O – OS detection (requires root). -A – Aggressive scan (OS detection, version detection, traceroute, script scan). -sC – Default script set (equivalent to --script=default). --script=vuln – Run vulnerability scripts. -p 1-1000 – Specify port range (common ports). -p- – All ports (1‑65535). -p 22,80,443 – Specific port list. -T1~5 – Scan speed (0=paranoid, 5=insane). Production recommends T2‑T3. -oA – Output in all major formats (nmap, XML, grepable). -iL – Read targets from a file (batch scanning). --exclude – Exclude specific targets. -6 – IPv6 scanning.

Supplement 6: Port‑Service Risk Quick Reference

21 FTP – Clear‑text, anonymous login risk – Disable or use SFTP.

22 SSH – Brute‑force risk – Enforce key authentication, disable password, restrict source IP.

23 Telnet – Clear‑text, extremely dangerous – Disable immediately.

25 SMTP – Open relay risk – Restrict to authorized mail servers.

53 DNS – DNS poisoning risk – Allow recursion only from internal network.

80 HTTP – Web service – Deploy HTTPS, close unnecessary paths.

110 POP3 – Clear‑text mail – Disable or use POP3S.

135‑139 / 445 SMB – EternalBlue vulnerability – Block with firewall or patch.

143 IMAP – Clear‑text – Disable or use IMAPS.

389 LDAP – Clear‑text – Disable or use LDAPS.

443 HTTPS – Encrypted web – Ensure proper certificate configuration.

465 SMTPS – Encrypted SMTP – Use.

587 SMTP Submission – Use.

636 LDAPS – Encrypted LDAP – Use.

1433 MS SQL – Database – Restrict to internal network.

1521 Oracle DB – Database – Restrict to internal network.

3306 MySQL – Database – Restrict to internal network, disable remote root.

6379 Redis – Cache – Restrict to internal network, set strong password.

3389 RDP – Windows Remote Desktop – Restrict source IP, enable NLA.

5432 PostgreSQL – Database – Restrict to internal network.

5900 VNC – Remote desktop – Disable or tunnel via SSH.

5985 WinRM HTTP – Windows remote management – Restrict source IP.

5986 WinRM HTTPS – Windows remote management – Use.

9200 Elasticsearch – Search engine – Disable or bind to internal network.

27017 MongoDB – NoSQL DB – Disable or bind to internal network.

8080 HTTP Alt – Often Java admin console – Verify access control.

8443 HTTPS Alt – Common admin console – Verify access control.

Supplement 7: Pre‑Scan Preparation and Post‑Scan Verification

Preparation

# 1. Obtain written authorization (mandatory for external targets)
# 2. Notify the security team to avoid IDS/IPS alerts
# 3. Choose a low‑traffic window (avoid business peak)
# 4. Prepare target list
cat > /tmp/scan-hosts.txt <<'EOF'
192.168.1.100
192.168.1.101
10.0.0.50
EOF
# 5. Validate commands in a test environment first
nmap -sV -sC -F test-server.internal

Post‑Scan Verification

# 1. Verify each open port aligns with a known business need.
# 2. Compare against historical baseline to spot new ports.
# 3. Re‑check service versions for known vulnerabilities.
# 4. Prioritize remediation:
#   High – immediate fix (e.g., RDP exposed to Internet, vulnerable DB).
#   Medium – fix within the week (unnecessary ports, weak ciphers).
#   Low – schedule for next month (optimizations).