Recently we talked about how to secure your server using Nmap and how to block connections using the iptables firewall. But how can we check if what we did is actually working? This is where Nmap comes in. Nmap is a network scanner and mapper tool, and you can use it to check your server externally. With it, you can scan your server for open TCP ports and vulnerabilities. Read on to find out how!

First, start with this line:

sudo nmap -p 0-65535 -T5 -A -v remote_host

Most likely the result will look similar to this: 

Starting Nmap 7.70 ( ) at 2018-09-20 18:33 Pacific Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating Ping Scan at 18:33
Scanning [4 ports]
Completed Ping Scan at 18:33, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:33
Completed Parallel DNS resolution of 1 host. at 18:33, 0.05s elapsed
Initiating SYN Stealth Scan at 18:33
Scanning ( [65535 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 4000/tcp on
Completed SYN Stealth Scan at 18:33, 5.69s elapsed (65535 total ports)
Initiating Service scan at 18:33
Scanning 3 services on (
Completed Service scan at 18:34, 6.87s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against (
Retrying OS detection (try #2) against (
Initiating Traceroute at 18:34
Completed Traceroute at 18:34, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 18:34
Completed Parallel DNS resolution of 2 hosts. at 18:34, 0.05s elapsed
NSE: Script scanning
Initiating NSE at 18:34
Completed NSE at 18:34, 0.22s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap scan report for (
Host is up (0.00052s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 47:6f:64:5b:eb:33:8a:1d:e0:1f:1e:7c:ce:84:76:f7 (RSA)
|   256 c6:de:96:58:10:a3:c6:66:6f:44:b7:42:31:94:f0:46 (ECDSA)
|_  256 1c:ce:9d:ae:9d:cd:c8:5a:64:c3:ac:5e:df:97:9b:1e (ED25519)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 6.2.4
Device type: general purpose|storage-misc|WAP|load balancer|route
Running (JUST GUESSING): Linux 2.6.X (96%), Netgear embedded (96%), Ubiquiti embedded (92%), F5 Networks embedded (90%), F5 Networks TMOS 11.1.X (89%), Linksys embedded (89%), Synology embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:2.6 cpe:/h:netgear:readynas_3200 cpe:/o:f5:tmos:11.1 cpe:/h:linksys:befw11s4 cpe:/h:synology:rt1900ac cpe:/h:netgear:wndap660
Aggressive OS guesses: Linux 2.6.32 (96%), Netgear ReadyNAS 3200 NAS device (Linux 2.6) (96%), Linux 2.6.11 - 2.6.18 (93%), Ubiquiti WAP (Linux 2.6.32) (92%), F5 BIG-IP load balancer (90%), F5 3600 LTM load balancer (89%), Linksys BEFW11S4 WAP (89%), Synology RT1900ac router (88%), Netgear WNDAP660 WAP (Linux 2.6.36) (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 3.740 days (since Mon Sep 17 00:48:54 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
            Raw packets sent: 65585 (2.889MB) | Rcvd: 65589 (2.624MB)


Nmap also includes vulnerability scripts you can run to check whether your server is susceptible. To run one, pass the name of the script to Nmap with the --script option.

sudo nmap --script http-headers remote_host


And the result: 

Starting Nmap 7.70 ( ) at 2018-09-20 18:13 Pacific Daylight Time
Nmap scan report for (
Host is up (0.27s latency).
Not shown: 996 closed ports
22/tcp    open     ssh
80/tcp    open     http
4000/tcp  open     nomachine-nx
| http-headers:
|   Date: Wed, 15 Nov 2017 05:10:04 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|_  (Request type: HEAD)
Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds


It does get hectic to run scripts one by one; that’s why Nmap has two unique features: categories and wildcards.

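To use a wildcard, put * in the script name, as in the example below. It will run all scripts whose names start with http. Quote the pattern so that the shell passes it to Nmap unchanged instead of expanding it against file names in the current directory.

sudo nmap --script "http*" remote_host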


To run a whole category, just specify its name, vuln (the vulnerability category) in this case:

sudo nmap --script vuln remote_host


You can even use boolean expressions to combine categories. In this case, we select every script that is in the default category, plus every script that is in both the discovery and safe categories.

sudo nmap --script "default or (discovery and safe)" remote_host


This concludes our quick tutorial on Nmap; with it, you can see that only SSH, HTTP, and NX are running on our server with every other TCP port closed. This means our server is properly secured with no other ports open. The vulnerability category can be used to scan your server for vulnerabilities that researchers have found in software. You can always find more scripts over at the Nmap website.
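To make the "only SSH, HTTP, and NX are open" check repeatable after every firewall change, the comparison can be scripted. The following is an added example, not part of the original article: it parses Nmap's grepable output (-oG) and reports any open port that is not on an allowlist. The function names, the address 192.0.2.10 and the sample scan lines (including the extra 3306 port) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag open TCP ports that are not on an allowlist, using
# Nmap's grepable output (-oG). Sample data below is constructed.

# Ports the article's server is meant to expose: SSH, HTTP, NoMachine NX.
ALLOWED_PORTS="22 80 4000"

# Constructed stand-in for `nmap -p- -oG - remote_host`. 192.0.2.10 is a
# documentation address; 3306/mysql is added so the check has a finding.
sample_scan() {
    printf '# Nmap 7.70 scan initiated as: nmap -p- -oG - 192.0.2.10\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 4000/open/tcp//nomachine-nx///\tIgnored State: closed (65531)\n'
    printf '# Nmap done: 1 IP address (1 host up) scanned\n'
}

# Reads grepable output on stdin. Prints "host port/proto service" for every
# open port whose number is not in the space-separated allowlist in $1.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host: / && /Ports: / {
            host = $2
            list = $0
            sub(/^.*Ports: /, "", list)   # keep only the port list...
            sub(/\t.*$/, "", list)        # ...up to the next tab-separated field
            m = split(list, entry, /, */)
            for (i = 1; i <= m; i++) {
                split(entry[i], f, "/")   # port/state/proto/owner/service/...
                if (f[2] == "open" && !(f[1] in ok))
                    print host, f[1] "/" f[3], f[5]
            }
        }'
}

# Returns 0 when only allowlisted ports are open, 1 otherwise.
check_exposure() {
    findings=$(unexpected_ports "$ALLOWED_PORTS")
    [ -z "$findings" ] && return 0
    printf 'Unexpected open ports:\n%s\n' "$findings" >&2
    return 1
}

# Against a host you administer, feed real scan output instead:
#   sudo nmap -p- -oG - remote_host | check_exposure
sample_scan | check_exposure || echo "firewall rules need review"
```

The non-zero exit status makes the check usable from cron or a deployment pipeline; a UDP scan would need its own allowlist, since this one only compares port numbers.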

Do you have any questions about running Nmap? Feel free to ask one of our data centre technicians below!