Hello,
I wrote a small script called 'pf-badhost' to block shodan and other
annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
to see the script.
pf-badhost also blocks ssh bruteforcers and other annoyances by loading
a list of regularly updated badhost lists from trusted sources. If you
only want to block shodan specifically, just comment out the few lines
that download the other blocklists, and you should be good to go. I've
had a number of people give good feedback on it, and they've reported it
blocking the scanners and baddies quite effectively; BSDNow also did a
piece about it, so it seems to work alright.
Cheers,
Jordan

On 01/02/19 22:15, Antonino Sidoti wrote:
Hi,
I wish to block all attempts by “shodan.io”. Basically I run an OpenBSD (6.4) mail server
using OpenSMTPD and notice quite a bit of traffic all stemming from “shodan.io”. I have PF
configured so I was wondering how to block such a domain from making any attempts to connect
to my server. There is little information about Public IP addresses being used by
"shodan.io" scanner, so making an IP list for PF may be futile.
Could someone suggest a possible option? I was thinking along the lines of “relayd”
or “squid proxy”. My server is hosted at Vultr and has a single WAN interface
with Public IP. There is no internal LAN interface.
For those who do not know about “shodan.io”, please do a search and you will
discover what it does.
Regards
Nino