Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Continual knocking on port 443 from foreign IP address
Special Forums Cybersecurity Continual knocking on port 443 from foreign IP address Post 302893837 by randomxs on Friday 21st of March 2014 10:10:21 AM
Old 03-21-2014
Continual knocking on port 443 from foreign IP address
Hello,

I have a server in our DMZ that only has ports 80 and 443 open to the public networks. It runs webmail for our 10K employees' accounts. It's not necessary for our employees to access the server from anywhere except North America so I have blocked access from most of the world due to occasional phished and compromised accounts.

I LOG then DROP most CIDR blocks from RIPE, APNIC, LACNIC and AFRINIC using iptables on the server. I noticed that once I enabled iptables several IP addresses continually knock on port 443. This has gone on for months and seems to be an automated process from a network located in Mexico City.

My question is this:

Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?

The actual IP address appears to be a DSL connection and must be a compromised computer. Over the past several months since I turned on iptables this has continued.

I'm really curious as to the purpose of this. Does anyone have any ideas?

Thanks in advance
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Sunblade shows 2 MAC address on same port

Please, can someone tell me why my SunBlade would be showing 2 different but similar MAC addresses on the same port on the Switch? The switch shows all other Workstations with 1 MAC on each port, but the SunBlade is showing 2. Thanks in advance for any insight.... (1 Reply)
Discussion started by: GoneCrazy
1 Replies

2. Solaris

How To Change 5 port Ip Address Solaris?

Hello i'm newbie in solaris, anybody know how to change five port solaris 10? exmpe: bge0, bge1, bge2, etc. anybody can help me with the script implementasi... and logical how solaris work. thank so much:b: (2 Replies)
Discussion started by: yanto85
2 Replies

3. Cybersecurity

Port Address Changing....

Is there a software solution to stop intruders from changing my port addresses? Causes IPmap to crash. Platform is OS/X Leopard. (1 Reply)
Discussion started by: aleatory
1 Replies

4. IP Networking

Configure squid to listen on any IP address with port 80

Hi, I am trying to configure a transparent squid cache. When I try to use the below option in squid.conf, squid listens on port 80 only for the IP address configured on the system's interface. http_port 80 transparent But I want squid to accept connections for any IP address on port 80.... (3 Replies)
Discussion started by: Learner32
3 Replies

5. Cybersecurity

Listening to port when no IP address is assigned

Hi Pals Consider a case where the network interface is there and it is connected to a network. Only thing left here is I need to set a static ip/ip though dhcp (though ifconfig) I heard that it is possible to listen even if the ip address is not set. So is there any possibility of an attack over... (1 Reply)
Discussion started by: sreejithc
1 Replies

6. Solaris

Allow usage of port 80 and 443

I am trying to install Sun Java Web Server using an ordinary user with no root/sudo rights. I need to allow this web server to use ports 80 and 443. How can this be done?:confused: (1 Reply)
Discussion started by: emealogistics
1 Replies

7. UNIX for Advanced & Expert Users

What is the foreign address?

hi i want to open port 9100 and the connect server could not to connect to my application this my results of netstat tulpn Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:9100 ... (3 Replies)
Discussion started by: mohammad alshar
3 Replies

8. HP-UX

How to open 443 port in HP-UX?

Hello Experts, I want to open the port 443 on my HP-UX system. can you please help ? Thanks in advance. (1 Reply)
Discussion started by: purushottamaher
1 Replies

9. IP Networking

netstat local and foreign address relationship.

Hi All, Can you please help me in understanding the relationship between local and foreign address in the output of netstat -an. Output 1 ---------- 162.103.162.37.50224 162.103.162.35.9511 49640 0 49640 0 ESTABLISHED 162.103.162.37.50263 162.103.162.35.9512 49640 0... (1 Reply)
Discussion started by: Girish19
1 Replies

LEARN ABOUT DEBIAN

connect-tunnel

CONNECT-TUNNEL(1p)					User Contributed Perl Documentation					CONNECT-TUNNEL(1p)

NAME

       connect-tunnel - Create CONNECT tunnels through HTTP proxies

SYNOPSIS

       connect-tunnel [ -Lv ] [ -A user:pass ] [ -P proxy:port ]
		      [ -C controlport ] [ -T port:host:hostport ]

DESCRIPTION

       connect-tunnel sets up tunneled connections to external hosts by redirecting connections to local ports towards thoses hosts/ports through
       a HTTP proxy.

       connect-tunnel makes use of the HTTP "CONNECT" method to ask the proxy to create a tunnel to an outside server. Be aware that some proxies
       are set up to deny outside tunnels (either to ports other than 443 or outside a specified set of outside hosts).

OPTIONS

       The program follows the usual GNU command line syntax, with long options starting with two dashes.

       -A, --proxy-authentication user:password
	   Proxy authentication information.

	   Please note that all the authentication schemes supported by "LWP::UserAgent" are supported (we use an "LWP::UserAgent" internally to
	   contact the proxy).

       -C, --control-port controlport
	   The port to which one can connect to issue control commands to connect-tunnel.

	   See "CONTROL CONNECTIONS" for more details about the available commands.

       -L, --local-only
	   Create the tunnels so that they will only listen on "localhost".  Thus, only connections originating from the machine that runs
	   connect-tunnel will be accepted.

	   That was the default behaviour in connect-tunnel version 0.02.

       -P, --proxy proxy[:port]
	   The proxy is required to connect the tunnels.  If no port is given, 8080 is used by default.

	   See also "ENVIRONMENT VARIABLES".

       -T, --tunnel port:host:hostport
	   Specifies that the given port on the local host is to be forwarded to the given host and hostport on the remote side. This works by
	   allocating a socket to listen to port on the local side, and whenever a connection is made to this port, connect-tunnel forwards it to
	   the proxy (with the credentials, if required), which in turn forwards it to the final destination.

	   Note that this does not imply the use of any cryptographic system (SSL or any other). This is a simple TCP redirection. The security if
	   any, is the one provided by the protocol used to connect to the destination through connect-tunnel.

	   On Unix systems, only root can forward privileged ports.

	   Note that you can setup tunnels to multiple destinations, by using the --tunnel option several times.

       -U, --user-agent string
	   Specify User-Agent value to send in HTTP requests.  The default is to send "connect-tunnel/version".

       -v, --verbose
	   Verbose output.

	   This option can be used several times for more verbose output.

EXAMPLES

       To connect to a SSH server running on "ssh.example.com", on port 443, through the proxy "proxy.company.com", running on port 8080, use the
       following command:

	   connect-tunnel -P proxy.company.com:8080 -T 22:ssh.example.com:443

       And now point your favorite ssh client to the machine running connect-tunnel.

       You can also emulate a "standard" user-agent:

	   connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
			  -P proxy.company.com:8080 -T 22:ssh.example.com:443

       connect-tunnel can easily use your proxy credentials to connect outside:

	   connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
			  -P proxy.company.com:8080 -T 22:ssh.example.com:443
			  -A book:s3kr3t

       But if you don't want anybody else to connect to your tunnels and through the proxy with your credentials, use the --local-only option:

	connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
		       -P proxy.company.com:8080 -T 22:ssh.example.com:443
		       -A book:s3kr3t -L

       If you have several destinations, there is no need to run several instances of connect-tunnel:

	connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
		       -P proxy.company.com:8080 -A book:s3kr3t -L
		       -T 22:ssh.example.com:443
		       -T 222:ssh2.example.com:443

       But naturally, you will need to correctly set up the ports in your clients.

       Mmm, such a long command line would perfectly fit in an alias or a .BAT file. ";-)"

ENVIRONMENT VARIABLES

       The environment variable "HTTP_PROXY" can be used to provide a proxy definition.

       The environment variable is overriden by the --proxy option, if passed to connect-tunnel.

AUTHOR

       Philippe "BooK" Bruhat, "<book@cpan.org>".

       I seem to have re-invented a well-known wheel with that script, but at least, I hope I have added a few interesting options to it.

SCRIPT HISTORY

       The first version of the script was a quick hack that let me go through a corporate proxy.

       Version 0.02 and version 0.03 were released on CPAN in 2003.

       Version 0.04 sits half-finished in a CVS repository at home: I couldn't decypher the spaghetti of my data structures any more. ":-("

       Version 0.05 (and higher) are based on "Net::Proxy", and included with the "Net::Proxy" distribution.

       Even though it's not rocket science, connect-tunnel has been cited in at least one academic works:

       o   HTTP Tunnels Through Proxies, Daniel Alman

	   Available at SANS InfoSec Reading Room: Covert Channels <http://www.sans.org/rr/whitepapers/covert/>

	   Direct link: <http://www.sans.org/rr/whitepapers/covert/1202.php>

COPYRIGHT

       Copyright 2003-2007, Philippe Bruhat. All rights reserved.

LICENSE

       This module is free software; you can redistribute it or modify it under the same terms as Perl itself.

perl v5.10.1							    2009-10-18							CONNECT-TUNNEL(1p)
All times are GMT -4. The time now is 10:44 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy