especially before Shodan was blocked on AMPR...
Has Shodan been blocked on amprgw, or have they been convinced to stop scanning AMPRnet? There are still various aggressive scanners active from the internet, and I have some scripts to automatically add them to a blocklist, but it still is an ever-increasing load on the network.
For example, "stretchoid.com" is an aggressive scanner that changes addresses all the time (but does keep reverse-DNS records on their virtual servers, so it is easy to identify).
They do have an opt-out form but it is a NOP. (I have completed it 3 times at 1-month intervals but no reply and no effect on the scanning... maybe Brian should try it as he is listed in the whois as the owner of NET44)
Of course there are others, like security.ipip.net and binaryedge.ninja. Plus the many many other scanners, "researchers", etc.
Rob
I'm not at all sure that Shodan is blocked on amprgw. There are more than 2,000 IP addresses that are blocked, with more being added from time to time, plus there are a number of tcp and udp destination ports that are blocked from all IP addresses, but there's no way to be sure that these lists include all Shodan and other scanners.
I have found that most opt-out forms are a waste of time, if indeed they don't have the opposite effect of inviting additional scanning. - Brian
On Fri, May 25, 2018 at 09:38:07AM +0200, Rob Janssen wrote:
Opt-out forms are indeed a gigantic waste of time. That's been proven a lot. For a list of Shodan IPs that is maintained, you can check out https://isc.sans.edu/api/threatlist/shodan?json ; they update that list daily. The list is in JSON format; a simple script can translate that into a text file, like the line below:
curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'
Also check out https://isc.sans.edu/forums/diary/Using+Our+API+To+Adjust+iptables+Rules/231... for some info on how to incorporate that into iptables. A simple script can also be made for MikroTik, or you can use a central BGP router on Linux (like exabgp/quagga/frr/...) which sends those IPs to its peers, which can then blackhole the traffic from those IPs.
73,
Ruben - ON3RVH
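The pipeline above only pulls the "ipv4" field out of the feed. The following added example (my own code, not Ruben's script or the ISC API's client) does the same extraction in Python and adds the checks a gateway operator wants before feeding a third-party list into iptables: it drops malformed entries, skips any address that falls inside the network being protected, and only emits ipset commands for addresses not already in the blocking table, as Brian described doing by hand. The feed sample, the existing blocklist and the 44.0.0.0/8 protected prefix are constructed for the example; the real feed's field names other than "ipv4" are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the ISC feed: a JSON array of objects with an
# "ipv4" field (the only field the jq pipeline on the page uses; the other fields
# here are placeholders, not the real feed's schema).
SAMPLE_FEED = json.dumps([
    {"ipv4": "198.51.100.7", "lastseen": "2018-05-24"},
    {"ipv4": "198.51.100.7", "lastseen": "2018-05-25"},    # duplicate entry
    {"ipv4": "203.0.113.42", "lastseen": "2018-05-25"},    # already blocked
    {"ipv4": "44.10.20.30", "lastseen": "2018-05-25"},     # inside our own prefix
    {"ipv4": "not-an-address", "lastseen": "2018-05-25"},  # malformed entry
    {"ipv6": "2001:db8::1", "lastseen": "2018-05-25"},     # no ipv4 key at all
])
# Addresses already in the gateway's blocking table (constructed).
EXISTING_BLOCKLIST = {"203.0.113.42", "192.0.2.9"}
# Prefixes that must never be blackholed: the network we are protecting.
PROTECTED = [ipaddress.ip_network("44.0.0.0/8")]


def parse_feed(raw_json):
    """Return the valid IPv4 addresses in the feed, dropping junk and own-prefix hits."""
    addrs = set()
    for entry in json.loads(raw_json):
        value = entry.get("ipv4")
        if not value:
            continue
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            continue  # malformed value: never pass it to iptables unchecked
        if any(addr in net for net in PROTECTED):
            continue  # a feed entry inside our own space would block ourselves
        addrs.add(str(addr))
    return addrs


def new_entries(feed_addrs, existing):
    """Feed addresses not yet in the blocking table, in address order."""
    return sorted(feed_addrs - existing, key=ipaddress.IPv4Address)


def ipset_commands(addrs, setname="shodan"):
    """Commands to load the addresses into an ipset matched by one DROP rule."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {a} -exist" for a in addrs]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds
```

Run from cron with the real feed in place of SAMPLE_FEED and the current ipset contents as EXISTING_BLOCKLIST; using one ipset keeps the ruleset at a single iptables rule however large the list grows.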
-----Original Message----- From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Brian Kantor Sent: Friday 25 May 2018 10:22 To: AMPRNet working group 44net@mailman.ampr.org Subject: Re: [44net] VPNFilter Router Malware
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Thanks Ruben. I ran that and we already had something like 90% of those addresses in the blocking table. I added the rest. That may help a little. We'll have to run it periodically. - Brian
On Fri, May 25, 2018 at 08:31:55AM +0000, Ruben ON3RVH wrote:
Very welcome. I personally run it daily and output it to a text file on my website. I have several clients running pfSense with pfBlockerNG, and those consult that URL daily and add them to the blocklist on the firewall.
I've also been thinking of implementing a botnet which outputs its hits to an exaBGP instance which serves all the border routers I own and maintain and adds those to the nullroute tables. But that one is still in the concept phase ;)
73,
Ruben - ON3RVH
-----Original Message----- From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Brian Kantor Sent: Friday 25 May 2018 10:52 To: AMPRNet working group 44net@mailman.ampr.org Subject: Re: [44net] VPNFilter Router Malware
Hi,
On 25/05/2018 at 10:31, Ruben ON3RVH wrote:
Opt-out forms are indeed a gigantic waste of time. That's been proven a lot. For a list of Shodan IPs that is maintained, you can check out https://isc.sans.edu/api/threatlist/shodan?json
Thank you, I didn't know that.
Is there any valuable reason not to block the whole ISC threatlist, instead of just Shodan? (https://isc.sans.edu/api/threatlist?json)
-- I'm also thinking about integrating a Snort IPS on our gateway, but I didn't find the right way to do that yet.
73 de TK1BI
Hmm, did not know of that one, thanks for bringing that one up ;) I'll have a look at what's in that list and should probably block that too indeed.
I've set up Snort on the pfSense firewall, it does IPS as well that way
73,
Ruben - ON3RVH
-----Original Message----- From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Toussaint OTTAVI Sent: Friday 25 May 2018 12:42 To: 44net@mailman.ampr.org Subject: Re: [44net] VPNFilter Router Malware
On 25/05/2018 at 12:50, Ruben ON3RVH wrote:
I've set up Snort on the pfSense firewall, it does IPS as well that way
I tried pfSense a while ago, but I didn't enjoy the UI ;-) I also tried Comodo, which has a better UI (to me!), but it's CentOS-based, and I don't know that OS at all. So, both are still in my "testing" list...
My "production" firewall is Shorewall, but there's no easy way to implement Snort directly on it. I'm also wondering if I should add IPS service (such as Snort) on existing machines (my BGP router, my main VPN gateway) or insert a dedicated machine between them.
-- Of course, it would be a great idea to share our tools and techniques for network protection. I have very tiny experience with machines connected directly to the Internet. Our previous design was using private addressing, and was in a "DMZ" of my corporate firewall (with commercial IPS and anti-malware services inside). The new design uses BGP addressing and is split between two data centers (hosted by two different companies with different tools). So, in order to keep the whole infra hamradio-friendly and facilitate administration, we decided to completely bypass our two (different) corporate firewalls. So, we'll have to learn how to do by ourselves what was previously done by the corp firewalls. And it may not be an easy task...
73 de TK1BI