You did what? This is not very nice!
I really don't like this! Making everyone blind for a pressing security issue is not the fix! Please undo this, censorship is not right.
Adding to that, I use Shodan and its alternatives more than frequently, and I would like to be able to double-check my own infra via those web services.
Kind regards,
Pb0fh Roy van Dongen
On 25 May 2018, at 11:07, Rob Janssen <pe1chl(a)amsat.org> wrote:
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP addresses that are blocked, with more being added from time to time, plus there are a number of tcp and udp destination ports that are blocked from all IP addresses, but there's no way to be sure that these lists include all Shodan and other scanners.
I have blocked some known Shodan addresses and subnets, and indeed even a hoster that is known to be a cesspool and accommodates Shodan and the likes:
66.240.192.138 # census8.shodan.io
66.240.205.34 # malware-hunter.census.shodan.io
66.240.219.146 # burger.census.shodan.io
66.240.236.119 # census6.shodan.io
71.6.128.0/17 # cesspool! (including shodan.io, project sonar)
80.82.64.0/20 # ECATEL/QUASI (including shodan.io 80.82.77.139)
82.221.105.6 # census10.shodan.io
82.221.105.7 # census11.shodan.io
89.248.160.0/20 # ECATEL/QUASI (incl shodan.io 89.248.167.131 89.248.172.16)
93.174.88.0/21 # ECATEL/QUASI (incl shodan.io 93.174.95.106)
94.102.48.0/20 # ECATEL/QUASI (incl shodan.io 94.102.49.190 94.102.49.193)
107.6.151.192 # security.census.shodan.io
107.6.151.193 # security.census.shodan.io
107.6.151.194 # security.census.shodan.io
107.6.151.195 # security.census.shodan.io
185.163.109.66 # goldfish.census.shodan.io
185.181.102.18 # turtle.census.shodan.io
198.20.69.72/29 # shodan.io
198.20.69.96/29 # shodan.io
198.20.70.112/29 # shodan.io
198.20.87.96/29 # shodan.io
198.20.99.128/29 # shodan.io
(of course many others, these are just the shodan.io entries)
I also have some iptables rules that capture TCP SYN to addresses that are not registered in DNS and forward them to an nflog socket to be picked up by some scripts that find those that are repeat offenders. Those are logged as candidates for blocking. But I don't bother to block everything, I run reverse-DNS on them to see if it has some signature patterns like "research", "scan" etc or one of the known names like shodan.io, stretchoid.com etc.
And irregularly I just sort the entire list and glance over it to see if there are clusters of addresses and do a whois to see if they belong to some common network. Names like DigitalOcean pop up quite regularly but of course they are just cloud hosters that could also host bona fide services.
Rob
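The triage workflow Rob describes above (collect SYNs to unregistered addresses, keep the repeat offenders, run reverse DNS for "research"/"scan" signatures or known names such as shodan.io and stretchoid.com, then look for address clusters) can be reduced to a small script. The one below is an added example and is not the amprgw scripts or anything from the 44Net list; the kernel-log style lines, the documentation-range source addresses and the `FAKE_PTR` reverse-DNS table are constructed for the example (the one Shodan address and its PTR name are taken from the blocklist in the mail), and the thresholds and the `triage`/`blocklist_lines` function names are this example's own choices.

```python
"""Repeat-offender triage for SYNs to unregistered addresses (added example)."""
import re
import socket
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: iptables LOG-style lines as an NFLOG consumer might
# write them. Documentation-range sources plus one Shodan address from the mail.
def _line(src, dst="192.0.2.10", proto="TCP", dpt=22, flags="SYN"):
    return (f"May 25 11:07:01 amprgw kernel: UNREG IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=40001 DPT={dpt} {flags} URGP=0")

SAMPLE_LOG = (
    [_line("66.240.192.138", dpt=p) for p in (22, 80, 443)]
    + [_line("198.51.100.7", dpt=p) for p in (21, 22, 23, 8080)]
    + [_line("198.51.100.9", dpt=p) for p in (22, 23, 25)]
    + [_line("192.0.2.20", dpt=p) for p in (25, 25, 587)]
    + [_line("203.0.113.5")]                                   # single probe only
    + [_line("203.0.113.5", proto="UDP", dpt=53, flags="")]    # UDP: not a SYN
    + [_line("203.0.113.5", flags="ACK")]                      # bare ACK: not a connect
)

# Constructed reverse-DNS answers so the example runs offline.
FAKE_PTR = {
    "66.240.192.138": "census8.shodan.io",          # from the mail's blocklist
    "198.51.100.7": "probe-07.research.example",    # constructed "research" signature
    "192.0.2.20": "mail.example.org",               # constructed, looks legitimate
}

SYN_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=\d+\.\d+\.\d+\.\d+"
                    r".*?PROTO=TCP.*?DPT=(?P<dpt>\d+).*?\bSYN\b")
KNOWN_SCANNER_SUFFIXES = ("shodan.io", "stretchoid.com")   # names from the mail
SIGNATURE_WORDS = ("research", "scan")                      # patterns from the mail


def count_syn_sources(lines):
    """Count TCP SYNs per source address; non-TCP and non-SYN lines are ignored."""
    counts = Counter()
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def reverse_dns(ip):
    """Live PTR lookup; the test injects FAKE_PTR.get instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def classify(ip, resolver):
    """Label an address by its PTR name: known scanner, signature word, no PTR, or unknown."""
    name = resolver(ip)
    if name is None:
        return ("no-ptr", None)
    lname = name.lower().rstrip(".")
    if any(lname == s or lname.endswith("." + s) for s in KNOWN_SCANNER_SUFFIXES):
        return ("known-scanner", name)
    if any(w in lname for w in SIGNATURE_WORDS):
        return ("signature", name)
    return ("unknown", name)


def cluster_by_prefix(ips, prefixlen=24):
    """Group addresses by prefix; only prefixes with more than one member are returned."""
    groups = defaultdict(list)
    for ip in ips:
        groups[str(ip_network(f"{ip}/{prefixlen}", strict=False))].append(ip)
    return {net: sorted(m, key=ip_address) for net, m in groups.items() if len(m) > 1}


def triage(lines, resolver=reverse_dns, threshold=3):
    """Repeat offenders (>= threshold SYNs), their PTR class, and /24 clusters."""
    counts = count_syn_sources(lines)
    offenders = sorted((ip for ip, n in counts.items() if n >= threshold), key=ip_address)
    classes = {ip: classify(ip, resolver) for ip in offenders}
    return {"offenders": offenders, "classes": classes, "clusters": cluster_by_prefix(offenders)}


def blocklist_lines(classes):
    """Emit candidates in the mail's 'address # name' format; only scanner-like PTRs qualify."""
    return [f"{ip} # {name}" for ip, (cls, name) in classes.items()
            if cls in ("known-scanner", "signature")]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, resolver=FAKE_PTR.get)
    print("\n".join(blocklist_lines(result["classes"])))
    print("clusters to whois:", result["clusters"])
```

Addresses with no PTR or an innocuous name (the `mail.example.org` case) stay out of the block candidates but still show up in the cluster view, which is where the manual whois pass described in the mail picks them up. In production the NFLOG consumer (ulogd or a small netlink reader) replaces the constructed `SAMPLE_LOG`, and `reverse_dns` is used as the resolver.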
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net