Continual knocking on port 443 from foreign IP address

Hello,

I have a server in our DMZ that only has ports 80 and 443 open to the public networks. It runs webmail for our 10K employees' accounts. It's not necessary for our employees to access the server from anywhere except North America so I have blocked access from most of the world due to occasional phished and compromised accounts.

I LOG then DROP most CIDR blocks from RIPE, APNIC, LACNIC and AFRINIC using iptables on the server. I noticed that once I enabled iptables several IP addresses continually knock on port 443. This has gone on for months and seems to be an automated process from a network located in Mexico City.

My question is this:

Why would someone continually try to access the https port for months on end 100s of times an hour when clearly they must see they are being denied access to the server?

The actual IP address appears to be a DSL connection and must be a compromised computer. Over the past several months since I turned on iptables this has continued.

I'm really curious as to the purpose of this. Does anyone have any ideas?

Thanks in advance
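The poster's setup (LOG then DROP on the webmail host, with a handful of sources hitting port 443 hundreds of times an hour for months) is exactly the pattern a small log-summariser can surface. The following is an added example, not code from the original thread or from any of the posters: it parses iptables LOG lines in the format the kernel writes to syslog, counts TCP SYNs per source per hour against the chosen port, and reports sources that keep coming back across several hours. The `IPT-DROP:` prefix, the hostnames and all of the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output as it lands in syslog/kern.log.
# The "IPT-DROP:" prefix is an assumption (what one would set with --log-prefix).
SAMPLE_LOG = """\
Mar  3 08:47:01 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 08:47:04 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12346 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 08:47:10 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12347 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 08:50:00 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 08:51:00 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=888 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 08:52:00 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=999 PROTO=UDP SPT=5353 DPT=443 LEN=28
Mar  3 08:53:00 webmail sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51000 ssh2
Mar  3 08:55:30 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12350 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 09:02:15 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12360 DF PROTO=TCP SPT=51250 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 09:05:40 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12361 DF PROTO=TCP SPT=51251 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 09:09:01 webmail kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12362 DF PROTO=TCP SPT=51252 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Syslog timestamp, then the SRC/DST/PROTO fields the LOG target always emits;
# SPT/DPT are optional because ICMP entries do not carry them.
LOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})"
    r".*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
    r"(?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict of the interesting fields, or None for lines that are not
    iptables LOG entries (e.g. sshd messages sharing the same log file)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # TCP flags are printed as bare tokens after RES=..., e.g. "RES=0x00 SYN URGP=0".
    rec["syn"] = " SYN " in (rec["rest"] + " ")
    rec["hour_bucket"] = f"{rec['month']} {int(rec['day']):2d} {rec['hour']}:00"
    return rec


def knock_summary(log_text, port=443):
    """Count dropped TCP SYNs to `port`, keyed by (source IP, hour bucket)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != str(port) or not rec["syn"]:
            continue
        counts[(rec["src"], rec["hour_bucket"])] += 1
    return dict(counts)


def persistent_sources(log_text, port=443, min_per_hour=3, min_hours=2):
    """Sources that sent at least `min_per_hour` SYNs in each of at least
    `min_hours` distinct hours: the 'knocking for months' pattern rather than
    a one-off scan."""
    hours_by_src = defaultdict(set)
    for (src, hour), n in knock_summary(log_text, port).items():
        if n >= min_per_hour:
            hours_by_src[src].add(hour)
    return sorted(src for src, hours in hours_by_src.items() if len(hours) >= min_hours)


if __name__ == "__main__":
    for (src, hour), n in sorted(knock_summary(SAMPLE_LOG).items()):
        print(f"{hour}  {src:<16} {n:>4} dropped SYNs to 443")
    print("persistent:", persistent_sources(SAMPLE_LOG))
```

Feed it `/var/log/kern.log` (or wherever the LOG target's messages land) instead of `SAMPLE_LOG`; the thresholds are deliberately low for the short sample and should be raised to match the "hundreds per hour" rate in the post. Because the summary is keyed by hour, the same output also shows whether a source's cadence is machine-regular, which is what distinguishes a bot from a person retrying a bookmark.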

Bots?
Ever looked where the IP is from?

Yes I have, it's from an ISP in Mexico City and appears to be on a DSL line.


Also, yes I'm sure it's a bot of some kind. But it would seem to me that for the bot controller it would be a big waste of his 'resources' since I've blocked any source and destination packets that are TCP and UDP for all of LACNIC, APNIC, RIPE and AFRINIC for months now.

If your IP ever offered any kind of proxy service, the internet will never forget.

Iptables is not perfect and even when you use DROP rather than REJECT a port scanner can tell that DROP is in use by doing a SYN scan. If a server is on the port the SYN will get an ACK, otherwise it gets a RST. So the bad guy knows that he is getting nailed by a DROP rule and there is a live server being protected by the DROP rule. So he sets up an infinite loop trying to connect.

He hopes you will someday have a problem, wonder if iptables is causing it, and try dropping iptables just for a few seconds. Or maybe you will change your configuration and do a quick "service iptables restart". Most iptables configs allow ESTABLISHED connections to persist so once he connects... he is in.


Thanks to all for your answers. I really appreciate it.

@corona688...Indeed it is a proxy into our private nets. Excellent point...

@Perderabo - Excellent...this makes sense too. I had the DROP and REJECT functionality 'switched' in my original understanding. What you described makes perfect sense and explains to me what I was asking and what is going on.

Thanks