nmap -v  -A li7-181.members.linode.com

In the output below, I see

445/tcp filtered microsoft-ds.

What is it?

Starting nmap 3.83.DC13 ( http://www.insecure.org/nmap/ ) at 2006-02-28 11:45 NZDT
Initiating Connect() Scan against li7-181.members.linode.com (64.62.231.181) [1667 ports] at 11:45
Discovered open port 22/tcp on 64.62.231.181
Increasing send delay for 64.62.231.181 from 0 to 5 due to max_successful_tryno increase to 4
Connect() Scan Timing: About 28.16% done; ETC: 11:47 (0:01:16 remaining)
Connect() Scan Timing: About 48.58% done; ETC: 11:49 (0:01:55 remaining)
The Connect() Scan took 162.16s to scan 1667 total ports.
Initiating service scan against 1 service on li7-181.members.linode.com (64.62.231.181) at 11:48
The service scan took 0.50s to scan 1 service on 1 host.
Host li7-181.members.linode.com (64.62.231.181) appears to be up ... good.
Interesting ports on li7-181.members.linode.com (64.62.231.181):
(The 1665 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 3.9p1 (protocol 2.0)
445/tcp filtered microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 163.782 seconds

thanks
genode

It's a free port! I've seen some security-related distros use that as an alternative to 443 (https) before, which is a lot like what that would appear to be. It could also be the port the web application at linode.com connects to... or a monitoring port run by No Such Agency... the list of possibilites is endless.

I'm sure caker or mikegrb will be in shortly to set us all straight.

My first thought was that port 445 was probably filtered by Linode, but it's not listed in http://www.linode.com/products/faq.cfm?id=25 ...

Port 445 is used by Windows for its Directory Services (hence "ds"), and there's no good reason at all to have it open on the Internet normally, even on a Linux box. It's a good thing it's filtered, but if Linode are filtering it I'm not sure how come it isn't on the list.

What does filtered mean exactly? Blocked, I'm assuming.

(sorry for the dump question. I'll be seen crawling up the security admin learning curve over the next couple of days.)

thanks

"Filtered" means that nmap didn't receive a response of any kind, not even to say that the port was closed. It's as if the server was switched off.

Technically it's a violation of the RFC spec (because the RFC states that if the computer's on then it must give a response) but the RFC was written without foreknowledge of the security issues that was arise today, so now everybody does it and it's generally regarded as a Good Thing all round.