19

I'm performing a port scan on a range of IPs at our remote site. I tried running an nmap scan on that IP range, and some of the IP results are shown as filtered.

When I perform a Nessus scan on the box, there is no result at all for some of the IPs.

As such, is it safe to assume that there are no open ports on some of the remote servers?

2 Answers

35

Unless you've got nmap configured not to perform host discovery (-PN or -PN --send-ip on the LAN), if it is indicating that all ports are filtered, then the host is up, but the firewall on that host is dropping traffic to all the scanned ports.

Note that a default nmap scan does not probe all ports. It only scans 1000 TCP ports. If you want to check for any services, you'll want to check all 65535 TCP ports and all 65535 UDP ports.

Also, to be precise, when the port scan says a port is filtered, that doesn't mean that there is no service running on that port. It's possible that the host's firewall has rules that are denying access to the IP from which you're running the scan, but there may be other IPs which are allowed to access that service.

If the port scan reports that a port is closed, that's more definitive that there's no service listening on that port.

I can't comment on the lack of results from Nessus; it's been a while since I've used it.

Example of closed vs. filtered vs. host-down

E.g., on my network, this host is up, has no services running, and does not have a firewall. Note that the ports are reported as closed (this means the host responded to probes on that port):

% sudo nmap -T4 -n 192.168.1.24

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:20 EST
All 1000 scanned ports on 192.168.1.24 are closed
MAC Address: 00:0E:00:AB:CD:EF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds

This host is up, has no services running on ports 100-1000, and has a firewall. Note that the ports are reported as filtered (this means that the host dropped probes to those ports):

% sudo nmap -T4 -n -p 100-1000 192.168.1.45

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:24 EST
All 901 scanned ports on 192.168.1.45 are filtered
MAC Address: 00:12:34:AA:BB:CC (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds

Just for illustration, I punched a temporary hole in the firewall for that last host for port 443 and reran the scan. (There's nothing running on 443 there.) Notice how 998 ports are reported filtered, but port 443 is reported as closed; the firewall is allowing 443 through, and the OS responds with an RST.

% sudo nmap -T4 -n 192.168.1.45

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:43 EST
Interesting ports on 192.168.1.45:
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
443/tcp closed https
MAC Address: 00:12:34:AA:BB:CC (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

There is no host at this address (host down):

% sudo nmap -T4 -n 192.168.1.199

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:26 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.56 seconds

If I rescan with -PN --send-ip (the latter is needed because I'm scanning the LAN, and I don't want to use ARP probes), I see:

% sudo nmap -T4 -n -PN --send-ip 192.168.1.199 

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:29 EST
All 1000 scanned ports on 192.168.1.199 are filtered

Nmap done: 1 IP address (1 host up) scanned in 101.44 seconds
1
  • Hi, thanks for the detailed explanation. Oddly enough, when I re-run the Nessus scan on the IP range, some of the IPs now have results and show as having 0 ports open. Commented Dec 1, 2011 at 1:03
11

The nmap result "filtered" implies that (if you know there is a host with that IP address) access to the port has been blocked by a firewall or similar, which is dropping the traffic. This is as opposed to the "closed" result, which indicates that there is a host on that IP but that there is no active service which responds to nmap's probes.

If all ports on a host come back as filtered, there's either nothing there, or there's a firewall configured to drop all traffic directed to it.
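Added example, not code from either answer above: a small Python parser that reads the Nmap 5.00 normal output quoted in the first answer and maps each run to the closed / filtered / host-down interpretation that both answers describe. The sample runs are the ones on this page, copied in as constructed strings; the verdict labels, the `forced_up` flag (for a scan run with -PN, where "all filtered" can also mean an empty address, as the first answer's last run shows) and the explanation text are this example's own, not Nmap's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the Nmap 5.00 normal-output runs quoted in the
# first answer, one string per run (a fifth run is the -PN rescan of the
# address with no host behind it).
SAMPLE_RUNS = {
    "closed": (
        "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:20 EST\n"
        "All 1000 scanned ports on 192.168.1.24 are closed\n"
        "MAC Address: 00:0E:00:AB:CD:EF (Unknown)\n"
        "\n"
        "Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds\n"
    ),
    "filtered": (
        "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:24 EST\n"
        "All 901 scanned ports on 192.168.1.45 are filtered\n"
        "MAC Address: 00:12:34:AA:BB:CC (Unknown)\n"
        "\n"
        "Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds\n"
    ),
    "hole": (
        "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:43 EST\n"
        "Interesting ports on 192.168.1.45:\n"
        "Not shown: 998 filtered ports\n"
        "PORT    STATE  SERVICE\n"
        "22/tcp  open   ssh\n"
        "443/tcp closed https\n"
        "MAC Address: 00:12:34:AA:BB:CC (Unknown)\n"
        "\n"
        "Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds\n"
    ),
    "down": (
        "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:26 EST\n"
        "Note: Host seems down. If it is really up, but blocking our ping probes, try -PN\n"
        "Nmap done: 1 IP address (0 hosts up) scanned in 0.56 seconds\n"
    ),
    "down_pn": (
        "Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-30 11:29 EST\n"
        "All 1000 scanned ports on 192.168.1.199 are filtered\n"
        "\n"
        "Nmap done: 1 IP address (1 host up) scanned in 101.44 seconds\n"
    ),
}

# Line shapes of Nmap normal output that carry port-state information.
ALL_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are (open|closed|filtered)$")
TARGET_RE = re.compile(r"^Interesting ports on (\S+):$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (open|closed|filtered) ports$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(open|closed|filtered|open\|filtered|closed\|filtered)\b")
DONE_RE = re.compile(r"^Nmap done: .*\((\d+) hosts? up\)")


@dataclass
class HostResult:
    target: str = ""                              # IP as printed by Nmap, if printed
    host_up: bool = False                         # from the "Nmap done" summary line
    counts: dict = field(default_factory=dict)    # state -> number of scanned ports
    ports: dict = field(default_factory=dict)     # "443/tcp" -> state, for listed ports


def parse_nmap_output(text: str) -> HostResult:
    """Collect per-state port counts and the host-up flag from one Nmap run."""
    r = HostResult()
    for line in text.splitlines():
        line = line.rstrip()
        if m := ALL_RE.match(line):
            r.target = m.group(2)
            r.counts[m.group(3)] = r.counts.get(m.group(3), 0) + int(m.group(1))
        elif m := TARGET_RE.match(line):
            r.target = m.group(1)
        elif m := NOT_SHOWN_RE.match(line):
            r.counts[m.group(2)] = r.counts.get(m.group(2), 0) + int(m.group(1))
        elif m := PORT_RE.match(line):
            r.ports[m.group(1)] = m.group(2)
            r.counts[m.group(2)] = r.counts.get(m.group(2), 0) + 1
        elif m := DONE_RE.match(line):
            r.host_up = int(m.group(1)) > 0
    return r


# Verdict labels and explanations are this example's own wording of the
# distinctions drawn in the answers above.
EXPLANATIONS = {
    "down": "No reply to host-discovery probes: nothing at this address, or a host that blocks "
            "ping. Only a rescan with -PN (plus --send-ip on a LAN) tells the two apart.",
    "filtered": "Host is up but every scanned port was dropped (no RST, no SYN/ACK): a firewall "
                "on the host or in the path. A service may still listen for other source IPs.",
    "filtered-or-empty": "Every port filtered with host discovery disabled: a firewalled host or "
                         "an empty address, since -PN reports the host up regardless.",
    "closed": "Every scanned port answered with RST: reachable, nothing filtering, nothing "
              "listening on the scanned ports (unscanned ports are still unknown).",
    "open": "At least one port answered SYN/ACK. Ports reported closed are ones the firewall "
            "lets through with no listener; filtered ones were dropped.",
}


def interpret(result: HostResult, forced_up: bool = False) -> str:
    """Map a parsed run to one of the EXPLANATIONS keys.

    forced_up: True when the scan was run with -PN, because then Nmap marks
    the host up even if nothing is there.
    """
    if not result.host_up:
        return "down"
    if "open" in result.counts:
        return "open"
    if "closed" in result.counts:
        return "closed"
    if "filtered" in result.counts:
        return "filtered-or-empty" if forced_up else "filtered"
    return "unknown"


if __name__ == "__main__":
    for name, text in SAMPLE_RUNS.items():
        res = parse_nmap_output(text)
        verdict = interpret(res, forced_up=(name == "down_pn"))
        print(f"{name:9} {res.target or '(no IP printed)':18} {verdict}")
        print("          ", EXPLANATIONS.get(verdict, "no interpretation"))
```

The parser only counts what Nmap reports, so a default run accounts for 1000 ports and nothing more; the first answer's warning about the remaining TCP and UDP ports still applies to whatever verdict comes out.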
