You did what? This is not very nice!
I really don't like this! Making everyone blind to a pressing security issue is not the fix! Please undo this; censorship is not right.
Adding to that, I use Shodan and its alternatives more than frequently, and I would like to be able to double-check my own infra via those web services.
Kind regards, PB0FH Roy van Dongen
On 25 May 2018, at 11:07, Rob Janssen pe1chl@amsat.org wrote:
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP addresses that are blocked, with more being added from time to time, plus there are a number of tcp and udp destination ports that are blocked from all IP addresses, but there's no way to be sure that these lists include all Shodan and other scanners.
I have blocked some known Shodan addresses and subnets, and indeed even a hoster that is known to be a cesspool and accommodates Shodan and the likes:
66.240.192.138   # census8.shodan.io
66.240.205.34    # malware-hunter.census.shodan.io
66.240.219.146   # burger.census.shodan.io
66.240.236.119   # census6.shodan.io
71.6.128.0/17    # cesspool! (including shodan.io, project sonar)
80.82.64.0/20    # ECATEL/QUASI (including shodan.io 80.82.77.139)
82.221.105.6     # census10.shodan.io
82.221.105.7     # census11.shodan.io
89.248.160.0/20  # ECATEL/QUASI (incl shodan.io 89.248.167.131 89.248.172.16)
93.174.88.0/21   # ECATEL/QUASI (incl shodan.io 93.174.95.106)
94.102.48.0/20   # ECATEL/QUASI (incl shodan.io 94.102.49.190 94.102.49.193)
107.6.151.192    # security.census.shodan.io
107.6.151.193    # security.census.shodan.io
107.6.151.194    # security.census.shodan.io
107.6.151.195    # security.census.shodan.io
185.163.109.66   # goldfish.census.shodan.io
185.181.102.18   # turtle.census.shodan.io
198.20.69.72/29  # shodan.io
198.20.69.96/29  # shodan.io
198.20.70.112/29 # shodan.io
198.20.87.96/29  # shodan.io
198.20.99.128/29 # shodan.io
(of course many others, these are just the shodan.io entries)
I also have some iptables rules that capture TCP SYN to addresses that are not registered in DNS and forward them to an nflog socket to be picked up by some scripts that find those that are repeat offenders. Those are logged as candidates for blocking. But I don't bother to block everything; I run reverse DNS on them to see if it has some signature patterns like "research", "scan" etc. or one of the known names like shodan.io, stretchoid.com etc. And irregularly I just sort the entire list and glance over it to see if there are clusters of addresses and do a whois to see if they belong to some common network. Names like DigitalOcean pop up quite regularly, but of course they are just cloud hosters that could also host bona fide services.
Rob
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
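The triage step Rob describes (count SYNs to unregistered addresses per source, keep the repeat offenders, then sort them by whether they are already in the block list, match a scanner naming pattern in reverse DNS, or need a manual whois look) can be written as a small offline script. The following is an added example, not Rob's amprgw scripts. It assumes the SYN records have already been reduced to (source, destination) pairs, say by a reader on the nflog socket; the SYN records, the set of registered destinations and the reverse-DNS table are constructed here so it runs without network access, and only a few of the posted block-list entries are included.

```python
"""Repeat-offender triage for TCP SYNs to unregistered addresses.

Added example, not the amprgw scripts themselves.  Assumptions: SYN
records arrive as (src, dst) pairs already extracted from nflog; the
reverse-DNS answers come from a constructed table instead of live PTR
lookups; the block list is a subset of the one posted in the thread.
"""
import ipaddress
import re
from collections import Counter

# A few of the posted block-list entries, in the "addr-or-CIDR # comment"
# form they were posted in.
BLOCKLIST_TEXT = """
66.240.192.138 # census8.shodan.io
71.6.128.0/17 # cesspool! (including shodan.io, project sonar)
80.82.64.0/20 # ECATEL/QUASI (including shodan.io 80.82.77.139)
198.20.69.72/29 # shodan.io
"""

# Constructed SYN records (src, dst).  In the real setup these come out of
# the nflog socket; here they are hard-coded so the example runs offline.
SAMPLE_SYNS = [
    ("80.82.77.139", "44.0.0.10"),  # inside an already blocked /20
    ("80.82.77.139", "44.0.0.11"),
    ("80.82.77.139", "44.0.0.12"),
    ("203.0.113.7", "44.0.0.10"),   # repeat offender with a telltale PTR
    ("203.0.113.7", "44.0.0.13"),
    ("203.0.113.7", "44.0.0.14"),
    ("203.0.113.7", "44.0.0.15"),
    ("192.0.2.40", "44.0.0.20"),    # repeat offender, PTR says nothing
    ("192.0.2.40", "44.0.0.21"),
    ("192.0.2.40", "44.0.0.22"),
    ("198.51.100.9", "44.0.0.1"),   # registered destination: ignored
    ("198.51.100.9", "44.0.0.10"),  # a single stray SYN: below threshold
]

# Destinations that do have a DNS entry (constructed).  SYNs to these are
# legitimate traffic and are not counted.
REGISTERED = {"44.0.0.1"}

# Constructed reverse-DNS answers standing in for live PTR lookups.
PTR_TABLE = {
    "203.0.113.7": "scan-12.research.example.net",
    "192.0.2.40": "node-40.example-cloud.com",
    "198.51.100.9": "host9.example.org",
}

# Naming patterns the thread mentions as scanner signatures.
SCANNER_NAME = re.compile(r"research|scan|shodan\.io|stretchoid\.com", re.I)


def parse_blocklist(text):
    """Turn 'addr-or-CIDR # comment' lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def repeat_offenders(syns, registered, threshold=3):
    """Sources with at least `threshold` SYNs to unregistered addresses."""
    hits = Counter(src for src, dst in syns if dst not in registered)
    return {src: n for src, n in hits.items() if n >= threshold}


def triage(syns, registered, nets, ptr_table, threshold=3):
    """Label each repeat offender: already blocked, a block candidate
    because its PTR matches a scanner pattern, or left for whois review."""
    result = {}
    for src in repeat_offenders(syns, registered, threshold):
        if is_blocked(src, nets):
            result[src] = "already-blocked"
        elif SCANNER_NAME.search(ptr_table.get(src, "")):
            result[src] = "candidate-scanner"
        else:
            result[src] = "review-whois"
    return result


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for src, label in sorted(triage(SAMPLE_SYNS, REGISTERED, nets, PTR_TABLE).items()):
        print(f"{src:16} {label}")
```

The "review-whois" bucket is where the DigitalOcean-style hosters end up: the PTR name alone says nothing, so the decision is left to a human rather than blocking a whole cloud provider on a count.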
On 25/05/2018 at 12:30, info@pb0fh.nl wrote:
Adding to that, I use Shodan and its alternatives more than frequently, and I would like to be able to double-check my own infra via those web services.
I would like to be able to scan my infra, but I wouldn't want thousands of botnets to do so :-)
I would disable my blacklist during my security scans, then re-enable it when done.
Could you share your favorite web security scanners with us?
73 de TK1BI