nmap on my webserver shows TCP ports 554 and 7070 open

Solution 1:

I'd be inclined to blame your ISP or something between you and your server for this. If you just want to reassure yourself that those ports really are closed, you could try to listen on those ports and if it succeeds then it's safe to assume there's nothing already listening. Here's what I'm doing on my machine (which has Apache on port 80, and nothing on port 81):

$ sudo netcat -p 80 -l --wait 1    # Apache on port 80
Error: Couldn't setup listening socket (err=-3)
$ sudo netcat -p 81 -l --wait 1    # Nothing on port 81
(Ctrl-C)

EDIT: And to be sure that this really has worked, telnet to it from another box and check that netcat is receiving what you send (you'll probably want to increase the --wait timeout).
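The check described in Solution 1 (try to bind the port, then confirm that a test connection from another box actually arrives), as an added Python example that is not part of the original answer. The function names `port_in_use` and `wait_for_probe` are hypothetical, and binding ports below 1024 such as 554 is assumed to be done as root.

```python
import errno
import socket

def port_in_use(port, host="0.0.0.0"):
    """Return True if a local process already holds host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. EACCES: ports below 1024 need root
        return False

def wait_for_probe(port, host="0.0.0.0", timeout=30.0, ready=None):
    """Listen once on host:port. Return (peer_ip, first_bytes) for the first
    connection, or None if nothing reaches this host before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        if ready is not None:
            ready.set()  # lets a caller know the listener is up
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""
            return peer[0], data

if __name__ == "__main__":
    # The two ports from the question.
    for p in (554, 7070):
        if port_in_use(p):
            print(f"{p}: a local process is listening")
        else:
            print(f"{p}: free locally, waiting for a probe from another box...")
            print(f"{p}: {wait_for_probe(p) or 'no connection reached this host'}")
```

If a port is free locally and a connection attempt from the other box never shows up here while the scan still reports the port open, the answer is coming from a device between the scanner and the server.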

Solution 2:

Your router is probably to blame. I was just wondering if this was an issue with being on an OpenVZ host, and found this article: Are ports 21, 554, and 7070 open or closed? The answer is yes.

This makes sense for me, as I'm currently on a crappy FiOS Actiontec router. Any combination of nmap and netcat testing on the container and host node confirms that those ports are not really open.


Solution 3:

Various different routers (Verizon FiOS, BT Home Hub, Apple Airport Extreme, ...) show ports 554 and 7070 as open for all IPs for some reason.

Hackerific » False positive TCP ports!