I'm setting up a new debian server and I don't need FTP so I want to remove it. According to netstat -tap, ftp isn't listening on anything. However when I do a port scan (nmap) externally it says the ftp port is open (21). inetd isn't starting anything, xinetd isn't on the system.
What should I do?
Result of netstat -tap:

obu1:/etc/pam.d# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address             State       PID/Program name
tcp        0      0 *:225                   *:*                         LISTEN      2237/sbadm
tcp6       0      0 *:ssh                   *:*                         LISTEN      2399/sshd
tcp6       0    448 obu1.hostname.:ssh      rrcs-XXX-XXX-XXX-XXX:56721  ESTABLISHED 16639/sshd: username
Nmap from a non-local host:

Starting Nmap 4.90RC1 ( http://nmap.org ) at 2009-07-13 10:47 Eastern Daylight Time
Interesting ports on obu1.hostname (ipaddress):
Not shown: 972 closed ports, 26 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 3.60 seconds
You should know that Windows XP (and probably other versions) has an internal wrapper for FTP connections (the purpose of this is to try to allow PORT command to complete successfully, even behind a firewall or a router).
This wrapper intercepts any connection to any host on port 21, so it can monitor it and try to open the incoming port of a PORT command issued by the client.
This wrapper also has a side effect: as it intercepts any connection to a port 21, it sends a signal that the connection has been established to the software, which will see the connection as established, but the connection is really established only to Windows's internal wrapper.
The wrapper then tries to open the connection to the real host, and if it times out, then it sends a signal to the software that the connection has been lost. The software will see the connection as lost.
Summing this up, the software believes a connection has been successfully established, then lost, but no real connection has been established.
So, in your case, what happens: you run nmap. Nmap tries to connect to your server on port 21. Windows's wrapper intercepts the connection. Nmap "thinks" it is connected to your server (but it's only connected to the wrapper), and reports the port as open.
You can confirm this by typing in a command line:
ftp 4.3.2.1
You'll see:

C:>ftp 4.3.2.1
Connected to 4.3.2.1.
Connection closed by foreign host.
You can try any valid IP, ftp will always connect, and disconnect shortly after, whereas it should report "Connection timed out".
I never saw any documentation about this. After much investigation, I discovered this strange behavior, and after more investigation, discovered why it is here.
Well, the conclusion of this (big) answer is that the port 21 of your server is definitely closed, as netstat reports, and nmap is fooled by this behaviour.
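The ftp/telnet test in the answer above (and in the "telnet to port 21" step further down) relies on reading the outcome by eye. The following is an added example, not code from this thread: it connects to a port and classifies what the far end actually does, so "accepted, then closed without a byte" (what a wrapper or a forwarder with nothing behind it produces) is told apart from a real FTP daemon, which greets with a "220" line, and from a genuinely closed port, which refuses. The function names and the two local fake listeners used to exercise it are my own constructed test fixtures.

```python
import socket
import threading

# Added example, not from the Server Fault answers. A scanner's "open" only
# means the TCP handshake completed; it says nothing about whether an FTP
# daemon sits behind the port. Reading the first bytes after connecting does.


def probe_service(host, port, timeout=3.0, expected_prefix=b"220"):
    """Classify what a TCP connection to host:port actually does.

    Returns one of:
      'refused'               - RST on connect: nothing is listening
      'unreachable'           - connect timed out or the path failed
      'banner'                - accepted and greeted with expected_prefix
      'other-banner'          - accepted and greeted with something else
      'accepted-then-closed'  - accepted, then closed without sending a byte
      'silent'                - accepted, but nothing arrived within timeout
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # covers socket.timeout / TimeoutError and routing errors
        return "unreachable"
    with sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "silent"
        except ConnectionResetError:
            return "accepted-then-closed"
    if not data:
        return "accepted-then-closed"
    return "banner" if data.startswith(expected_prefix) else "other-banner"


def start_fake_server(mode):
    """Constructed local listener on 127.0.0.1 for testing; returns its port.

    mode 'banner' sends an FTP-style greeting; mode 'close' accepts and
    immediately closes, which is what the wrapper behaviour looks like on the wire.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]  # read before the thread can close srv

    def serve_one():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        finally:
            srv.close()
        with conn:
            if mode == "banner":
                conn.sendall(b"220 constructed-ftp ready\r\n")
            # 'close' mode: the with-block closes the socket without sending

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def closed_local_port():
    """Constructed: grab a free loopback port, then release it so nothing listens."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    cases = (("real ftp", start_fake_server("banner")),
             ("wrapper-like", start_fake_server("close")),
             ("nothing", closed_local_port()))
    for label, port in cases:
        print(f"{label:13s} 127.0.0.1:{port} -> {probe_service('127.0.0.1', port)}")
```

Run it from the scanning host against the server's address and port 21: a verdict of 'refused' agrees with the netstat output in the question, 'banner' means an FTP daemon really answers, and 'accepted-then-closed' points at something in the path (wrapper, firewall or forwarder) completing the handshake on the server's behalf.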
apt-get remove --purge ftp
Replace ftp with whatever the package is called. I am not sure exactly what it is, but to my knowledge that command should work.
apt-get clean
This will clean up your var directory after an uninstall.
Use one of the below commands to find out what program is actually listening on port 21.
This should help you find out what specific package needs to be removed or reconfigured.
Depending on what inetd and configuration style you're running, look for an ftp service definition in /etc/inetd.conf, /etc/xinetd.d and/or /etc/xinetd.conf. If found, destroy.

Are you sure you're scanning the right IP? netstat shows port 225 and 22, nmap shows 21 and 22... either you're scanning the wrong IP, there's a firewall in between that's doing stuff, or maybe some iptables rules on your server re-routing packets. I would say check 'iptables -L -n' to make sure there's nothing related to FTP in there.
Is the external nmap you're doing to the IP address of the server? Maybe it is passing through a firewall or router. What happens when you do an nmap from localhost?
1. Check firewall rules on the host.
2. Try nmap from different hosts. Do they all see port 21 open?
3. Make sure you are running all commands as root.
4. Use a cross cable to connect to your server. Switch off the firewall on both the server and the machine you connected to the server using the cross cable, and do nmap again.
5. Telnet from some host to port 21. Do not press a key when the message "Press any key to continue.." comes. Then as root try these commands:

   netstat -lp
   lsof -i :21

6. If still no luck, stop the firewall. Start some new service on the host (say httpd) and again do a port scan from different locations. Can you see the additional http port open?

If localhost can't see a process listening on port 21 then there is something between the host from where you are doing nmap and the server. That is why point 4 is about connecting the host with nmap and the server directly.
You should definitely check that your router is NOT forwarding port 21 to your server: even if you are not running any FTP services, NMAP will list ports as open if the router is doing its forwarding job.