Why does the external interface of a GKE Container-Optimized OS node listen on POP/IMAP ports?

The external interface (ephemeral IP) of a Google Container Engine (GKE) Container-Optimized image appears to be listening on ports 110, 143, 993, 995 and so on, as shown by an nmap port scan:

Nmap scan report for 236.185.xxx.xx.bc.googleusercontent.com (xx.xx.185.236)
Host is up (0.0025s latency).
Not shown: 65529 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
110/tcp  open   pop3
143/tcp  open   imap
993/tcp  open   imaps
995/tcp  open   pop3s
3389/tcp closed ms-wbt-server

I can connect with telnet, but the port does not respond:

$telnet 35.192.xxx.xxx 993
Trying 35.192.xxx.xxx...
Connected to xxx.xxx.192.35.bc.googleusercontent.com.
Escape character is '^]'.
USER FOO
Connection closed by foreign host.

Finally, if you ssh into the node instance, there is no evidence of anything listening on ports 110, 143, 993 or 995.

Hoping someone can solve this mystery!

Answer 1

I ran an nmap scan from a VM instance against the IP address of one of my nodes and got the following result:

Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-14 19:44 UTC
Nmap scan report for 70.133.xxx.xxx.bc.googleusercontent.com (35.224.133.70)
Host is up (0.0018s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

However, when I ran an nmap scan using an online tool, I got the following result:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-14 19:46 UTC
Nmap scan report for 70.133.xxx.xxx.bc.googleusercontent.com (35.224.133.70)
Host is up (0.030s latency).
PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   closed   http
110/tcp  filtered pop3
143/tcp  filtered imap
443/tcp  closed   https
3389/tcp filtered ms-wbt-server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds

I checked the firewall rules to make sure that no ports other than 80 and 443 are allowed, and that only those are open.

To confirm that ports such as ftp, pop3 and imap are not open, I ran telnet and got the following:

telnet 35.224.133.70 993
Trying 35.224.133.70...
telnet: Unable to connect to remote host: Connection timed out

The ports you mention should not be open. Since I have run nmap against different nodes in different clusters and did not encounter the same behaviour, this issue seems specific to your project. I suggest creating a private issue on our public issue tracker. You can create it here.
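An added example (not code from the question or the answer): it automates the telnet probes made in this thread and labels the outcomes a defender should tell apart: a real mail daemon greets with a banner, something accepts the connection and hangs up without a greeting (the port 993 session in the question), the SYN is dropped (the timeout in the answer, which nmap lists as filtered), or nothing is bound at all (refused). The loopback stand-in services and port values are constructed for the offline self-check.

```python
import socket
import threading

def probe_port(host, port, timeout=3.0):
    """Classify a TCP port: 'banner', 'accepted-then-closed', 'silent', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)             # wait for a greeting such as "* OK IMAP4rev1 ..."
            except socket.timeout:
                return "silent"                # connected, but nothing said within the window
            except ConnectionResetError:
                return "accepted-then-closed"  # peer accepted, then reset the connection
            return "banner" if data else "accepted-then-closed"   # b'' = peer sent FIN, no greeting
    except ConnectionRefusedError:
        return "refused"                       # host answered with RST: nothing bound there
    except socket.timeout:
        return "timeout"                       # SYN dropped: what nmap reports as 'filtered'
    except OSError:
        return "error"

def start_fake_service(behaviour, banner=b"* OK IMAP4rev1 ready\r\n"):
    """Constructed loopback stand-in for the remote port; 'banner' greets, 'close' accepts and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                 # constructed: any free port on loopback
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(banner)           # 'close' sends nothing: FIN goes out with the close
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def self_check():
    """Run the classifier against both stand-ins and an unbound port, fully offline."""
    results = {b: probe_port("127.0.0.1", start_fake_service(b), timeout=2.0) for b in ("banner", "close")}
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    free = tmp.getsockname()[1]
    tmp.close()                                # nothing is bound to 'free' now
    results["unbound"] = probe_port("127.0.0.1", free, timeout=2.0)
    return results

if __name__ == "__main__":
    print(self_check())
```

Against a real node, run probe_port for each port nmap reported and compare the label with what `ss -tln` shows on the node itself; a port that is accepted-then-closed externally but has no local listener points at something in front of the node rather than at the node.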
