03-21-2014
Continual knocking on port 443 from foreign IP address
Hello,
I have a server in our DMZ that only has ports 80 and 443 open to the public networks. It runs webmail for our 10K employees' accounts. It's not necessary for our employees to access the server from anywhere except North America so I have blocked access from most of the world due to occasional phished and compromised accounts.
I LOG then DROP most CIDR blocks from RIPE, APNIC, LACNIC and AFRINIC using iptables on the server. I noticed that once I enabled iptables several IP addresses continually knock on port 443. This has gone on for months and seems to be an automated process from a network located in Mexico City.
My question is this:
Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?
The actual IP address appears to be a DSL connection and must be a compromised computer. Over the past several months since I turned on iptables this has continued.
I'm really curious as to the purpose of this. Does anyone have any ideas?
Thanks in advance
9 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Please, can someone tell me why my SunBlade would be showing 2 different but similar MAC addresses on the same port on the Switch? The switch shows all other Workstations with 1 MAC on each port, but the SunBlade is showing 2. Thanks in advance for any insight.... (1 Reply)
Discussion started by: GoneCrazy
1 Replies
2. Solaris
Hello i'm newbie in solaris, anybody know how to change five port solaris 10?
exmpe: bge0, bge1, bge2, etc.
anybody can help me with the script implementasi... and logical how solaris work.
thank so much:b: (2 Replies)
Discussion started by: yanto85
2 Replies
3. Cybersecurity
Is there a software solution to stop intruders from changing my port addresses?
Causes IPmap to crash.
Platform is OS/X Leopard. (1 Reply)
Discussion started by: aleatory
1 Replies
4. IP Networking
Hi,
I am trying to configure a transparent squid cache. When I try to use the below option in squid.conf, squid listens on port 80 only for the IP address configured on the system's interface.
http_port 80 transparent
But I want squid to accept connections for any IP address on port 80.... (3 Replies)
Discussion started by: Learner32
3 Replies
5. Cybersecurity
Hi Pals
Consider a case where the network interface is there and it is connected to a network.
Only thing left here is I need to set a static ip/ip though dhcp (though ifconfig)
I heard that it is possible to listen even if the ip address is not set. So is there any possibility of an attack over... (1 Reply)
Discussion started by: sreejithc
1 Replies
6. Solaris
I am trying to install Sun Java Web Server using an ordinary user with no root/sudo rights.
I need to allow this web server to use ports 80 and 443. How can this be done?:confused: (1 Reply)
Discussion started by: emealogistics
1 Replies
7. UNIX for Advanced & Expert Users
hi
i want to open port 9100 and the connect server could not to connect to my application
this my results of netstat tulpn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:9100 ... (3 Replies)
Discussion started by: mohammad alshar
3 Replies
8. HP-UX
Hello Experts,
I want to open the port 443 on my HP-UX system.
can you please help ?
Thanks in advance. (1 Reply)
Discussion started by: purushottamaher
1 Replies
9. IP Networking
Hi All,
Can you please help me in understanding the relationship between local and foreign address in the output of netstat -an.
Output 1
----------
162.103.162.37.50224 162.103.162.35.9511 49640 0 49640 0 ESTABLISHED
162.103.162.37.50263 162.103.162.35.9512 49640 0... (1 Reply)
Discussion started by: Girish19
1 Replies
LEARN ABOUT DEBIAN
pyroman
PYROMAN(8) System Manager's Manual PYROMAN(8)
NAME
pyroman - a firewall configuration utility
SYNOPSIS
pyroman
[ -hvnspP ] [ -r RULESDIR ] [ -t SECONDS ]
[ --help ] [ --version ] [ --safe ] [ --no-act ]
[ --print ] [ --print-verbose ] [ --rules=RULESDIR ]
[ --timeout=SECONDS ] [ safe ]
DESCRIPTION
pyroman is a firewall configuration utility.
It will compile a set of configuration files to iptables statements to setup IP packet filtering for you.
While it is not necessary for operating and using Pyroman, you should have understood how IP, TCP, UDP, ICMP and the other commonly used
Internet protocols work and interact. You should also have understood the basics of iptables in order to make use of the full
functionality.
pyroman does not try to hide all the iptables complexity from you, but tries to provide you with a convenient way of managing a complex
networks firewall. For this it offers a compact syntax to add new firewall rules, while still exposing access to add arbitrary iptables
rules.
OPTIONS
-r RULESDIR,--rules=RULES
Load the rules from directory RULESDIR instead of the default directory (usually /etc/pyroman )
-t SECONDS,--timeout=SECONDS
Wait SECONDS seconds after applying the changes for the user to type OK to confirm he can still access the firewall. This implies
--safe but allows you to use a different timeout.
-h, --help
Print a summary of the command line options and exit.
-V, --version
Print the version number of pyroman and exit.
-s, --safe, safe
When the firewall was committed, wait 30 seconds for the user to type OK to confirm, that he can still access the firewall (i.e. the
network connection wasn't blocked by the firewall). Otherwise, the firewall changes will be undone, and the firewall will be
restored to the previous state. Use the --timeout=SECONDS option to change the timeout.
-n, --no-act
Don't actually run iptables. This can be used to check if pyroman accepts the configuration files.
-p, --print
Instead of running iptables, output the generated rules.
-P, --print-verbose
Instead of running iptables, output the generated rules. Each statement will have one comment line explaining how this rules was
generated. This will usually include the filename and line number, and is useful for debugging.
CONFIGURATION
Configuration of pyroman consists of a number of files in the directory /etc/pyroman. These files are in python syntax, although you do
not need to be a python programmer to use these rules. There is only a small number of statements you need to know:
add_host
Define a new host or network
add_interface
Define a new interface (group)
add_service
Add a new service alias (note that you can always use e.g. www/tcp to reference the www tcp service as defined in /etc/services)
add_nat
Define a new NAT (Network Address Translation) rule
allow Allow a service, client, server combination
reject Reject access for this service, client, server combination
drop Drop packets for this service, client, server combination
add_rule
Add a rule for this service, client, server and target combination
iptables
Add an arbitrary iptables statement to be executed at beginning
iptables_end
Add an arbitrary iptables statement to be executed at the end
Detailed parameters for these functions can be looked up by caling
cd /usr/share/pyroman
pydoc ./commands.py
BUGS
None known as of pyroman-0.4 release
AUTHOR
pyroman was written by Erich Schubert <erich@debian.org>
SEE ALSO
iptables(8), iptables-restore(8) iptables-load(8)
PYROMAN(8)