Thursday, January 03, 2019

Re: Blocking "shodan.io" - What are my options?

> A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> keep the table clean of old attackers.
Sounds good. Could you share your script here?

On Thu, 3 Jan 2019 15:20:44 -0800
Misc User <OpenBSD@leviathanresearch.net> wrote:

> On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
> > Hello,
> >
> > I wrote a small script called 'pf-badhost' to block shodan and other
> > annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
> > to see the script.
> >
> > pf-badhost also blocks ssh bruteforcers and other annoyances by loading
> > a list of regularly updated badhost lists from trusted sources. If you
> > only want to block shodan specifically, just comment out the few lines
> > that download the other blocklists, and you should be good to go. I've
> > had a number of people give good feedback on it, and they've reported it
> > blocking the scanners and baddies quite effectively; BSDNow also did a
> > piece about it, so it seems to work alright.
> >
> >
> > Cheers,
> >
> > Jordan
> >
> >
> > On 01/02/19 22:15, Antonino Sidoti wrote:
> >> Hi,
> >>
> >> I wish to block all attempts by "shodan.io". Basically I run an
> >> OpenBSD (6.4) mail server using OpenSMTPD and notice quite a bit of
> >> traffic all stemming from "shodan.io". I have PF configured so I was
> >> wondering how to block such a domain from making any attempts to
> >> connect to my server. There is little information about Public IP
> >> addresses being used by "shodan.io" scanner, so making an IP list for
> >> PF may be futile.
> >>
> >> Could someone suggest a possible option? I was thinking along the
> >> lines of "relayd" or "squid proxy". My server is hosted at Vultr and
> >> has a single WAN interface with Public IP. There is no internal LAN
> >> interface.
> >>
> >> For those who do not know about "shodan.io", please do a search and
> >> you will discover what it does.
> >>
> >> Regards
> >>
> >> Nino
> >>
> >
>
>
> I've always been a fan of just setting up a simple script to open a
> couple of ports with ncat, then when a client connects to the port, it gets
> shoved into a pf table that has a `drop' rule attached to it. No messing
> about with blocklists or proxies or anything else.
>
> ncat listens on various low-number ports that nothing is using on my
> servers. A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> keep the table clean of old attackers.
>
> Shodan isn't the only scanner out there, so there is no point in just
> blocking it. And I figure if someone is trying to connect to unused
> ports on my system, they probably aren't up to any good. If you aren't
> aware that my machine isn't legitimately listening on 22 or 23, or 443,
> I don't want to talk to you.
>
> I usually just run on port 22 and move sshd to a different port; that
> seems to stop >95% of attackers.
>
>


--
radek
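The trap described above (unused ports answered by ncat, connecting peers added to a pf table with a block rule, hourly `pfctl -T expire`), written out as an added example. This is not the poster's script and not part of the original thread. Instead of scraping ncat's verbose output with sed, it uses ncat's `--sh-exec` and the `NCAT_REMOTE_ADDR` variable ncat exports to the child process, and it validates the address before handing it to pfctl, because `pfctl -T add` accepts hostnames and would resolve them. The table name `scanners`, the port list, the log path and the crontab/pf.conf fragments in the comments are assumptions.

```sh
#!/bin/sh
# pf-trap: unused-port trap for pf (added example, not the poster's script).
# A peer that connects to any listener port is added to a pf table that a
# block rule references; cron ages entries out after TTL seconds.
#
# Assumed pf.conf fragment (not part of this file):
#   table <scanners> persist
#   block drop in quick from <scanners>
# Assumed crontab lines (install path is an assumption):
#   @reboot   /usr/local/sbin/pf-trap listen
#   0 * * * * /usr/local/sbin/pf-trap expire
# Check ncat(1) on your version for the NCAT_REMOTE_ADDR variable.

TABLE=${TABLE:-scanners}                 # pf table named in the block rule
PORTS=${PORTS:-22 23 443}                # ports nothing legitimately listens on
TTL=${TTL:-86400}                        # seconds before an entry is expired
PFCTL=${PFCTL:-pfctl}                    # overridable so the logic can be dry-run
NEVER_TRAP=${NEVER_TRAP:-127.0.0.1 ::1}  # add your own admin addresses here
LOG=${LOG:-/var/log/pf-trap.log}
SELF=$0

# Accept only a literal dotted-quad IPv4 address: four decimal octets <= 255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Shape check for a literal IPv6 address (hex digits and colons only, at
# least two colons, no ':::'). Not a full parser; its job is to keep shell
# metacharacters and hostnames (which pfctl would resolve) away from pfctl.
is_ipv6() {
    case $1 in
        ''|*[!0-9a-fA-F:]*|*:::*) return 1 ;;
        *:*:*) [ ${#1} -le 39 ] ;;
        *) return 1 ;;
    esac
}

# A peer is trapped only if it is a literal address and not one of our own
# management addresses (self-lockout guard).
should_trap() {
    peer=$1
    is_ipv4 "$peer" || is_ipv6 "$peer" || return 1
    for safe in $NEVER_TRAP; do
        [ "$peer" = "$safe" ] && return 1
    done
    return 0
}

# pfctl -T add is idempotent, so repeat hits from one address are harmless.
trap_peer() {
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# Drop entries older than TTL seconds (the hourly cron job).
expire_old() {
    "$PFCTL" -t "$TABLE" -T expire "$TTL"
}

# Run by ncat for every accepted connection. ncat exports the peer address
# in NCAT_REMOTE_ADDR; stdin/stdout are the socket and are left untouched.
on_connect() {
    peer=${NCAT_REMOTE_ADDR:-}
    if should_trap "$peer"; then
        trap_peer "$peer"
        printf 'pf-trap: %s added to <%s> (port %s)\n' \
            "$peer" "$TABLE" "${NCAT_LOCAL_PORT:-?}" >&2
    fi
}

# One keep-open listener per port; -m caps concurrent handlers so a
# connection flood cannot fork unbounded pfctl processes.
start_listeners() {
    for port in $PORTS; do
        ncat -lk -m 10 -p "$port" --sh-exec "$SELF hit" \
            </dev/null >/dev/null 2>>"$LOG" &
    done
}

case ${1:-} in
    listen) start_listeners ;;
    hit)    on_connect ;;
    expire) expire_old ;;
esac
```

Two practical points: put your own source address in `NEVER_TRAP` before enabling this, since one stray connection to a trap port from the admin workstation otherwise locks you out for a day; and keep the `block ... quick from <scanners>` rule ahead of the `pass in` rules for the real services, or trapped hosts will still reach them.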
