03-21-2014
Continual knocking on port 443 from foreign IP address
Hello,
I have a server in our DMZ that only has ports 80 and 443 open to the public networks. It runs webmail for our 10K employees' accounts. It's not necessary for our employees to access the server from anywhere except North America so I have blocked access from most of the world due to occasional phished and compromised accounts.
I LOG then DROP most CIDR blocks from RIPE, APNIC, LACNIC and AFRINIC using iptables on the server. I noticed that once I enabled iptables several IP addresses continually knock on port 443. This has gone on for months and seems to be an automated process from a network located in Mexico City.
My question is this:
Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?
The actual IP address appears to be a DSL connection and must be a compromised computer. Over the past several months since I turned on iptables this has continued.
I'm really curious as to the purpose of this. Does anyone have any ideas?
Thanks in advance
9 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Please, can someone tell me why my SunBlade would be showing 2 different but similar MAC addresses on the same port on the Switch? The switch shows all other Workstations with 1 MAC on each port, but the SunBlade is showing 2. Thanks in advance for any insight.... (1 Reply)
Discussion started by: GoneCrazy
1 Replies
2. Solaris
Hello i'm newbie in solaris, anybody know how to change five port solaris 10?
exmpe: bge0, bge1, bge2, etc.
anybody can help me with the script implementasi... and logical how solaris work.
thank so much:b: (2 Replies)
Discussion started by: yanto85
2 Replies
3. Cybersecurity
Is there a software solution to stop intruders from changing my port addresses?
Causes IPmap to crash.
Platform is OS/X Leopard. (1 Reply)
Discussion started by: aleatory
1 Replies
4. IP Networking
Hi,
I am trying to configure a transparent squid cache. When I try to use the below option in squid.conf, squid listens on port 80 only for the IP address configured on the system's interface.
http_port 80 transparent
But I want squid to accept connections for any IP address on port 80.... (3 Replies)
Discussion started by: Learner32
3 Replies
5. Cybersecurity
Hi Pals
Consider a case where the network interface is there and it is connected to a network.
Only thing left here is I need to set a static ip/ip though dhcp (though ifconfig)
I heard that it is possible to listen even if the ip address is not set. So is there any possibility of an attack over... (1 Reply)
Discussion started by: sreejithc
1 Replies
6. Solaris
I am trying to install Sun Java Web Server using an ordinary user with no root/sudo rights.
I need to allow this web server to use ports 80 and 443. How can this be done?:confused: (1 Reply)
Discussion started by: emealogistics
1 Replies
7. UNIX for Advanced & Expert Users
hi
i want to open port 9100 and the connect server could not to connect to my application
this my results of netstat tulpn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:9100 ... (3 Replies)
Discussion started by: mohammad alshar
3 Replies
8. HP-UX
Hello Experts,
I want to open the port 443 on my HP-UX system.
can you please help ?
Thanks in advance. (1 Reply)
Discussion started by: purushottamaher
1 Replies
9. IP Networking
Hi All,
Can you please help me in understanding the relationship between local and foreign address in the output of netstat -an.
Output 1
----------
162.103.162.37.50224 162.103.162.35.9511 49640 0 49640 0 ESTABLISHED
162.103.162.37.50263 162.103.162.35.9512 49640 0... (1 Reply)
Discussion started by: Girish19
1 Replies
LEARN ABOUT NETBSD
rfc6056
RFC6056(7) BSD Miscellaneous Information Manual RFC6056(7)
NAME
rfc6056 -- port randomization algorithms
DESCRIPTION
The rfc6056 algorithms are used in order to randomize the port allocation of outgoing UDP packets, in order to provide protection from a
series of ``blind'' attacks based on the attacker's ability to guess the sequence of ephemeral ports associated with outgoing packets. For
more information consult RFC 6056.
The individual algorithms are described below:
The RFC 6056 algorithms
The following algorithms are available:
bsd This is the default NetBSD port selection algorithm, which starts from anonportmax and proceeds decreasingly through the avail-
able ephemeral ports.
random_start Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected, the algorithm
proceeds decreasingly through the sequence of ephemeral ports until a free port is found. Note that the random port selection
algorithms are not guaranteed to find a free port.
random_pick Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected the algorithm
tries selecting a new port randomly until a free port is found.
hash Select ports using a md5(3) hash of the local address, the foreign address, and the foreign port. Note that in the case of a
bind(2) call some of this information might be unavailable and the port selection is delayed until the time of a connect(2)
call, performed either explicitly or up calling sendto(2).
doublehash Select ports using a md5(3) hash of the local address, foreign address, and foreign port coupled with a md5(3) hash of the same
components obtained using a separate table that is associated with a subset of all outgoing connections. The same considera-
tions regarding late connection as in the case of hash apply.
randinc Use random increments in order to select the next port.
SYSCTL CONTROLS
The following sysctl controls are available for selecting the default port randomization algorithm:
sysctl name Type Changeable
net.inet.udp.rfc6056.available string no
net.inet.udp.rfc6056.selected string yes
net.inet6.udp6.rfc6056.available string no
net.inet6.udp6.rfc6056.selected string yes
SOCKET OPTIONS
The socket option UDP_RFC6056ALGO at the IPPROTO_UDP level can be used with a string argument specifying the algorithm's name in order to
select the port randomization algorithm for a specific socket. For more info see setsockopt(2).
SEE ALSO
setsockopt(2), sysctl(3), sysctl(7)
HISTORY
The rfc6056 algorithms first appeared in NetBSD 6.0.
BSD
August 25, 2011 BSD