On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
> Hello,
>
> I wrote a small script called 'pf-badhost' to block shodan and other
> annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
> to see the script.
>
> pf-badhost also blocks ssh bruteforcers and other annoyances by loading
> a list of regularly updated badhost lists from trusted sources. If you
> only want to block shodan specifically, just comment out the few lines
> that download the other blocklists, and you should be good to go. I've
> had a number of people give good feedback on it, and they've reported it
> blocking the scanners and baddies quite effectively; BSDNow also did a
> piece about it, so it seems to work alright.
>
>
> Cheers,
>
> Jordan
>
>
> On 01/02/19 22:15, Antonino Sidoti wrote:
>> Hi,
>>
>> I wish to block all attempts by "shodan.io". Basically I run an
>> OpenBSD (6.4) mail server using OpenSMTPD and notice quite a bit of
>> traffic all stemming from "shodan.io". I have PF configured so I was
>> wondering how to block such a domain from making any attempts to
>> connect to my server. There is little information about Public IP
>> addresses being used by "shodan.io" scanner, so making an IP list for
>> PF may be futile.
>>
>> Could someone suggest a possible option? I was thinking along the
>> lines of "relayd" or "squid proxy". My server is hosted at Vultr and
>> has a single WAN interface with Public IP. There is no internal LAN
>> interface.
>>
>> For those who do not know about "shodan.io", please do a search and
>> you will discover what it does.
>>
>> Regards
>>
>> Nino
>>
>
I've always been a fan of just setting up a simple script to open a
couple ports with ncat, then when a client connects to the port, it gets
shoved into pf table that has a `drop' rule attached to it. No messing
about with blocklists or proxies or anything else.

ncat listens on various low-number ports that nothing is using on my
servers. A little ncat, sed, pfctl, and a dash of cron are able to do
the job just fine. cron is just there to start the ncat processes at
boot and run an hourly script to do a pfctl -T expire <table> 86400 to
keep the table clean of old attackers.

Shodan isn't the only scanner out there, so there is no point in just
blocking it. And I figure if someone is trying to connect to unused
ports on my system, they probably aren't up to any good. If you aren't
aware that my machine isn't legitimately listening on 22 or 23, or 443,
I don't want to talk to you.

I usually just run on port 22 and move sshd to a different port, that
seems to stop >95% of attackers.
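The ncat-fed pf table described in the reply above, written out as an added example; this is not the poster's script and it makes a few assumptions that are not in the thread: the table is called `tarpit` and pf.conf carries `table <tarpit> persist` plus `block in quick log from <tarpit>`; ncat is the Nmap one and, run with `-lkv`, reports each accepted connection on stderr as `Ncat: Connection from 192.0.2.10.` or `Ncat: Connection from 192.0.2.10:54321.`; the expire step uses pfctl's `-t table -T expire seconds` form. The sample ncat output in the comments and test is constructed. The script validates the extracted address before it reaches pfctl, skips loopback, and ignores IPv6 peers, so a malformed or unexpected line can never turn into a table entry.

```shell
#!/bin/sh
# Added example (not the poster's own script): tarpit unused ports with ncat
# and feed the connecting addresses into a pf table that a block rule uses.
#
# Assumed pf.conf fragment (table and rule are assumptions, not from the thread):
#   table <tarpit> persist
#   block in quick log from <tarpit>
#
# Assumed ncat (Nmap) verbose listen output, one line per accepted connection,
# written to stderr:
#   Ncat: Connection from 192.0.2.10.
#   Ncat: Connection from 192.0.2.10:54321.
#
# Both ncat on a low port and pfctl need root. DRY_RUN=1 prints the pfctl
# commands instead of running them, so the logic can be exercised anywhere.

TABLE="${TABLE:-tarpit}"          # assumed pf table name
EXPIRE_SECS="${EXPIRE_SECS:-86400}"

# Pull the IPv4 address out of one "Connection from" line; print nothing for
# any other line (listen banners, IPv6 peers, garbage) so it is dropped.
extract_ip() {
    printf '%s\n' "$1" |
        sed -n 's/^Ncat: Connection from \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)[.:].*$/\1/p'
}

# Accept only four dotted octets in 0-255 and never loopback, so nothing
# unexpected is ever handed to pfctl.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    # Unquoted on purpose: split the octets into positional parameters.
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$ip" in 127.*) return 1 ;; esac
    return 0
}

# Read ncat's output on stdin and add every valid peer to the table.
feed_table() {
    while IFS= read -r line; do
        ip=$(extract_ip "$line")
        [ -n "$ip" ] || continue
        valid_ipv4 "$ip" || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'pfctl -t %s -T add %s\n' "$TABLE" "$ip"
        else
            pfctl -t "$TABLE" -T add "$ip" >/dev/null 2>&1
        fi
    done
}

# Hourly housekeeping from cron: drop entries older than EXPIRE_SECS.
expire_table() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'pfctl -t %s -T expire %s\n' "$TABLE" "$EXPIRE_SECS"
    else
        pfctl -t "$TABLE" -T expire "$EXPIRE_SECS"
    fi
}

# One keep-open ncat per unused port; its stderr (where the connection lines
# go) is piped into feed_table, stdout is discarded. Start these at boot.
start_listeners() {
    for port in "$@"; do
        ncat -lkv "$port" 2>&1 >/dev/null </dev/null | feed_table &
    done
}

case "${1:-}" in
    start)  shift; start_listeners "$@" ;;
    expire) expire_table ;;
esac
```

Usage from cron would be `@reboot /path/tarpit.sh start 22 23 443` and `0 * * * * /path/tarpit.sh expire`, with sshd moved off port 22 first. Make sure your own monitoring never touches a tarpit port, since the script will happily lock you out too; a whitelist check in `valid_ipv4` is the obvious extension.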