Opt-out forms are indeed a gigantic waste of time. That's been proven a lot. For a list of Shodan IPs that is maintained, you can check out https://isc.sans.edu/api/threatlist/shodan?json , they update that list daily. The list is in json format, a simple script can translate that into a text file, like the line below:

curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'
Also check out https://isc.sans.edu/forums/diary/Using+Our+API+To+Adjust+iptables+Rules/231... for some info on how to incorporate that into iptables. A simple script can also be made for mikrotik, or you can use a central BGP router on linux (like exabgp/quagga/frr/...) which sends those IPs to its peers, which can then blackhole the traffic from those IPs.
73,
Ruben - ON3RVH
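The conversion Ruben describes, taken one step further as an added example (my code, not from the thread, ISC or any of the tools mentioned): parse the feed's "ipv4" field into an idempotent ipset/iptables ruleset, skipping malformed entries and never dropping traffic from your own prefix. The sample feed, the 44.0.0.0/8 plus RFC1918 allowlist and the set name "shodan" are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the feed's "ipv4" field; the duplicate,
# malformed and allowlisted entries are made up to exercise the filtering.
SAMPLE_FEED = json.dumps([
    {"ipv4": "198.51.100.7"},
    {"ipv4": "198.51.100.7"},       # duplicate
    {"ipv4": "203.0.113.42"},
    {"ipv4": "not-an-address"},     # malformed entry
    {"ipv4": "10.0.0.5"},           # RFC1918, must never be blackholed
    {"ipv4": "44.1.2.3"},           # assumed own prefix (AMPRNet 44/8)
    {"other": "field"},             # no ipv4 key at all
])

# Assumed allowlist: own prefix plus RFC1918, so a feed error or a poisoned
# entry can never turn the DROP rule against your own network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "44.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_ipv4(feed_text, never_block=NEVER_BLOCK):
    """Return sorted, de-duplicated IPv4 strings from the JSON feed.

    Entries without an ipv4 string, unparsable addresses, loopback/multicast/
    link-local addresses and anything inside an allowlisted prefix are skipped.
    """
    seen = set()
    for entry in json.loads(feed_text):
        raw = entry.get("ipv4") if isinstance(entry, dict) else None
        if not isinstance(raw, str):
            continue
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except (ipaddress.AddressValueError, ValueError):
            continue
        if addr.is_loopback or addr.is_multicast or addr.is_link_local:
            continue
        if any(addr in net for net in never_block):
            continue
        seen.add(addr)
    return [str(a) for a in sorted(seen)]

def ipset_commands(addrs, setname="shodan"):
    """Render ipset/iptables commands; -exist makes re-running the script safe."""
    lines = [f"ipset create {setname} hash:ip -exist"]
    lines += [f"ipset add {setname} {a} -exist" for a in addrs]
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_commands(extract_ipv4(SAMPLE_FEED))))
```

Feed the real API output to extract_ipv4 in place of SAMPLE_FEED and pipe the printed commands through sh on the gateway.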
-----Original Message----- From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Brian Kantor Sent: Friday 25 May 2018 10:22 To: AMPRNet working group 44net@mailman.ampr.org Subject: Re: [44net] VPNFilter Router Malware
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP addresses that are blocked, with more being added from time to time, plus there are a number of tcp and udp destination ports that are blocked from all IP addresses, but there's no way to be sure that these lists include all Shodan and other scanners.
I have found that most opt-out forms are a waste of time, if indeed they don't have the opposite effect of inviting additional scanning. - Brian
On Fri, May 25, 2018 at 09:38:07AM +0200, Rob Janssen wrote:
especially before Shodan was blocked on AMPR...
Has Shodan been blocked on amprgw or have they been convinced to stop scanning AMPRnet? There are still various aggressive scanners active from the internet, and I have some scripts to automatically add them to a blocklist, but it still is an ever increasing load on the network.
For example, "stretchoid.com" is an aggressive scanner that changes addresses all the time (but does keep reverse-DNS records on their virtual servers, so easy to identify).
They do have an opt-out form but it is a NOP. (I have completed it 3 times at 1-month intervals but no reply and no effect on the scanning... maybe Brian should try it as he is listed in the whois as the owner of NET44)
Of course there are others, like security.ipip.net and binaryedge.ninja. Plus the many many other scanners, "researchers", etc.
Rob
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net