That is an interesting event. There should be nothing default on our images causing this, the relevant firewall rules should have to be added by the user or software they had installed. I’m sticking with “should” on the off chance that I’m missing a variable. There won’t be anything on the network side for that for sure at least. If you have a proxy between you and the droplet, like CloudFlare for example, it might be a reasonable theory that it is getting caught in a web application firewall.
I will say that our Wordpress one-click uses fail2ban to block IPs for failed login attempts to Wordpress, but that’s a very specific scenario and it’s IP specific rather than mac address.
Perhaps a packet capture on both ends might reveal something, though a bit heavy handed. I’ll keep thinking about it throughout the day to see if anything else comes to mind. I’m not expecting anything to, but you never know.