Continual knocking on port 443 from foreign IP address


 
Thread Tools Search this Thread
Special Forums Cybersecurity Continual knocking on port 443 from foreign IP address
# 1  
Old 03-21-2014
Continual knocking on port 443 from foreign IP address

Hello,

I have a server in our DMZ that only has ports 80 and 443 open to the public networks. It runs webmail for our 10K employees' accounts. It's not necessary for our employees to access the server from anywhere except North America so I have blocked access from most of the world due to occasional phished and compromised accounts.

I LOG then DROP most CIDR blocks from RIPE, APNIC, LACNIC and AFRINIC using iptables on the server. I noticed that once I enabled iptables several IP addresses continually knock on port 443. This has gone on for months and seems to be an automated process from a network located in Mexico City.

My question is this:

Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?

The actual IP address appears to be a DSL connection and must be a compromised computer. Over the past several months since I turned on iptables this has continued.

I'm really curious as to the purpose of this. Does anyone have any ideas?

Thanks in advance
# 2  
Old 03-21-2014
Bots?
Ever looked where the IP is from?
# 3  
Old 03-21-2014
Yes I have it's from an ISP in Mexico City and appears to be on a DSL line.

---------- Post updated at 09:05 AM ---------- Previous update was at 08:47 AM ----------

Also, yes I'm sure it's a bot of some kind. But it would seem to me that for the bot controller it would be a big waste of his 'resources' since I've block any source and destination packets that are TCP and UDP for all of LACNIC, APNIC, RIPE and AFRINIC for months now.
# 4  
Old 03-21-2014
If your IP ever offered any kind of proxy service, the internet will never forget.
# 5  
Old 03-21-2014
Quote:
Originally Posted by randomxs

Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?


Iptables is not perfect and even when you use DROP rather than REJECT a port scanner can tell that DROP is in use by doing a SYN scan. If a server is on the port the SYN will get an ACK, otherwise it gets a RST. So the bad guy knows that he is getting nailed by a DROP rule and there is a live server being protected by the DROP rule. So he sets up an infinite loop trying to connect.

He hopes you will someday have a problem, wonder if iptables is causing it, and try dropping iptables just for a few seconds. Or maybe you will change your configuration and do a quick "service iptables restart". Most iptable configs allow ESTABLISHED connections to persist so once he connects... he is in.
This User Gave Thanks to Perderabo For This Post:
# 6  
Old 03-21-2014
Thanks to all for your answers. I really appreciate it.

@corona688...Indeed it is a proxy into our private nets. Excellent point...

@Perderabo - Excellent...this makes sense too. I had the DROP and REJECT functionality 'switched' in my original understanding. What you described makes perfect sense and explains to me what I was asking and what is going on.

Thanks
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. IP Networking

netstat local and foreign address relationship.

Hi All, Can you please help me in understanding the relationship between local and foreign address in the output of netstat -an. Output 1 ---------- 162.103.162.37.50224 162.103.162.35.9511 49640 0 49640 0 ESTABLISHED 162.103.162.37.50263 162.103.162.35.9512 49640 0... (1 Reply)
Discussion started by: Girish19
1 Replies

2. HP-UX

How to open 443 port in HP-UX?

Hello Experts, I want to open the port 443 on my HP-UX system. can you please help ? Thanks in advance. (1 Reply)
Discussion started by: purushottamaher
1 Replies

3. UNIX for Advanced & Expert Users

What is the foreign address?

hi i want to open port 9100 and the connect server could not to connect to my application this my results of netstat tulpn Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:9100 ... (3 Replies)
Discussion started by: mohammad alshar
3 Replies

4. Solaris

Allow usage of port 80 and 443

I am trying to install Sun Java Web Server using an ordinary user with no root/sudo rights. I need to allow this web server to use ports 80 and 443. How can this be done?:confused: (1 Reply)
Discussion started by: emealogistics
1 Replies

5. Cybersecurity

Listening to port when no IP address is assigned

Hi Pals Consider a case where the network interface is there and it is connected to a network. Only thing left here is I need to set a static ip/ip though dhcp (though ifconfig) I heard that it is possible to listen even if the ip address is not set. So is there any possibility of an attack over... (1 Reply)
Discussion started by: sreejithc
1 Replies

6. IP Networking

Configure squid to listen on any IP address with port 80

Hi, I am trying to configure a transparent squid cache. When I try to use the below option in squid.conf, squid listens on port 80 only for the IP address configured on the system's interface. http_port 80 transparent But I want squid to accept connections for any IP address on port 80.... (3 Replies)
Discussion started by: Learner32
3 Replies

7. Cybersecurity

Port Address Changing....

Is there a software solution to stop intruders from changing my port addresses? Causes IPmap to crash. Platform is OS/X Leopard. (1 Reply)
Discussion started by: aleatory
1 Replies

8. Solaris

How To Change 5 port Ip Address Solaris?

Hello i'm newbie in solaris, anybody know how to change five port solaris 10? exmpe: bge0, bge1, bge2, etc. anybody can help me with the script implementasi... and logical how solaris work. thank so much:b: (2 Replies)
Discussion started by: yanto85
2 Replies

9. UNIX for Advanced & Expert Users

Sunblade shows 2 MAC address on same port

Please, can someone tell me why my SunBlade would be showing 2 different but similar MAC addresses on the same port on the Switch? The switch shows all other Workstations with 1 MAC on each port, but the SunBlade is showing 2. Thanks in advance for any insight.... (1 Reply)
Discussion started by: GoneCrazy
1 Replies
Login or Register to Ask a Question