I just did a generic install of TrueNAS Scale and ran an nmap scan against the box. I was surprised at some of the ports being open because some of them are not listed in the “Default Ports” documentation.
110 and 995 - POP3
143 and 993 - IMAP
119 and 563 - Network News
25 and 465 - SMTP
The only reason POP3 and IMAP ports should be open is if TrueNAS is acting as a mail server, and SMTP doesn’t need to be open as an “outbound” port in order to send emails. (I send emails all the time using Thunderbird as an SMTP client on my PC and I don’t have an SMTP port open.)
With a NAS holding potentially sensitive files I want to maximize the server’s security which includes closing unneeded ports. When I look under System/Services none of the above are listed.
How do I go about disabling the above services to close those unneeded ports?
I’m not sure, but I can’t reproduce this on the systems I just checked:
nickf@Nicks-Mac-mini ~ % nmap prod.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:26 EST
Nmap scan report for prod.fusco.me (10.69.10.8)
Host is up (0.00026s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3260/tcp open iscsi
5357/tcp open wsdapi
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
nickf@Nicks-Mac-mini ~ % nmap m50.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:26 EST
Nmap scan report for m50.fusco.me (10.69.10.19)
Host is up (0.00024s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5357/tcp open wsdapi
5900/tcp open vnc
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
5904/tcp open ag-swim
5906/tcp open rpas-c2
5907/tcp open dsd
5910/tcp open cm
5911/tcp open cpdlc
Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
nickf@Nicks-Mac-mini ~ % nmap rawht.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:27 EST
Nmap scan report for rawht.fusco.me (10.69.10.10)
Host is up (0.00026s latency).
rDNS record for 10.69.10.10: RAWHT.FUSCO.ME
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
5900/tcp open vnc
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
5904/tcp open ag-swim
5906/tcp open rpas-c2
5907/tcp open dsd
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2049/tcp open nfs
5357/tcp open wsdapi
8089/tcp open unknown
I used ‘nmap -sT’ which does a 3-way handshake to identify ports that are open and listening. I haven’t done anything except the install (no drives, vdevs, etc. configured) and this is what I get.
Host is up (0.0035s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
563/tcp open snews
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 5.36 seconds
I still cannot reproduce what you are saying. Are you sure you are scanning the correct device?
nickf@Nicks-Mac-mini ~ % nmap -sT prod.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:46 EST
Nmap scan report for prod.fusco.me (10.69.10.8)
Host is up (0.00021s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3260/tcp open iscsi
5357/tcp open wsdapi
Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
nickf@Nicks-Mac-mini ~ % nmap -sT rawht.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:46 EST
Nmap scan report for rawht.fusco.me (10.69.10.10)
Host is up (0.00023s latency).
rDNS record for 10.69.10.10: RAWHT.FUSCO.ME
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
5900/tcp open vnc
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
5904/tcp open ag-swim
5906/tcp open rpas-c2
5907/tcp open dsd
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds
nickf@Nicks-Mac-mini ~ % nmap -sT m50.fusco.me
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 14:46 EST
Nmap scan report for m50.fusco.me (10.69.10.19)
Host is up (0.00029s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5357/tcp open wsdapi
5900/tcp open vnc
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
5904/tcp open ag-swim
5906/tcp open rpas-c2
5907/tcp open dsd
5910/tcp open cm
5911/tcp open cpdlc
Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
It’s definitely the correct system because I use the same IP address to access the Web UI, TrueNAS Scale 24.10.1 running on a stand-alone Dell Optiplex tower PC, no virtual machines or containers, only the integrated LAN interface. I’ll have to run another scan and see if anything changes once I start configuring the storage.
I just found that there must be something wrong with the Windows implementation of netstat that I’m using. When I ran netstat against an old FreeNAS 9 box I have running it showed the same open ports I listed above. However, if I ssh into that FreeNAS box and do a
sockstat -4 -l
those above ports do NOT show as being open.
Correct. I meant the Windows implementation of nmap and used nmap against the FreeNAS 9 box. I had netstat on the brain after searching for the sockstat command. Sorry for the confusion.
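The check the thread ends on, comparing what a remote scan reports with what is actually listening on the host, as an added example that is not part of the original posts. The sample scan and `sockstat -4 -l` text are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample: remote view, in the nmap port-table format shown in the thread.
NMAP_OUTPUT = """\
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
"""

# Constructed sample: local view, in the column layout of `sockstat -4 -l` on FreeBSD.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1412  6  tcp4   *:80                  *:*
root     rpcbind    901   9  tcp4   *:111                 *:*
root     rpcbind    901   8  udp4   *:111                 *:*
root     sshd       1100  4  tcp4   127.0.0.1:22          *:*
"""

def nmap_open_tcp(text):
    """Return {port: service} for lines like '25/tcp open smtp'."""
    rows = re.findall(r"^(\d+)/tcp[ \t]+open[ \t]+(\S+)", text, re.M)
    return {int(port): service for port, service in rows}

def local_tcp_listeners(text):
    """Return {port: command} for TCP listeners reachable from the network."""
    found = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 6 or not f[4].startswith("tcp"):
            continue                            # ignore UDP and short lines
        addr, _, port = f[5].rpartition(":")
        if addr.startswith("127.") or not port.isdigit():
            continue                            # loopback is invisible to a remote scan
        found[int(port)] = f[1]
    return found

def compare(nmap_text, sockstat_text):
    """Split the two views into (open remotely but no listener, listening but unseen)."""
    remote, local = nmap_open_tcp(nmap_text), local_tcp_listeners(sockstat_text)
    unexplained = {p: s for p, s in remote.items() if p not in local}
    unseen = {p: c for p, c in local.items() if p not in remote}
    return unexplained, unseen

if __name__ == "__main__":
    unexplained, unseen = compare(NMAP_OUTPUT, SOCKSTAT_OUTPUT)
    print("open in scan, no local listener:", unexplained)
    print("listening locally, not in scan:", unseen)
```

A port in the first group was answered by something other than the host being scanned, so the place to look next is the scanning machine and the network path rather than the NAS. On TrueNAS Scale, which is Linux-based, `ss -tln` gives the local view, but its columns differ and the local parser would need adjusting.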