On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
Hello,
I wrote a small script called 'pf-badhost' to block shodan and other
annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
to see the script.
pf-badhost also blocks ssh bruteforcers and other annoyances by loading
a list of regularly updated badhost lists from trusted sources. If you
only want to block shodan specifically, just comment out the few lines
that download the other blocklists, and you should be good to go. I've
had a number of people give good feedback on it, and they've reported it
blocking the scanners and baddies quite effectively; BSDNow also did a
piece about it, so it seems to work alright.
Cheers,
Jordan
On 01/02/19 22:15, Antonino Sidoti wrote:
Hi,
I wish to block all attempts by “shodan.io”. Basically I run an
OpenBSD (6.4) mail server using OpenSMTPD and notice quite bit of
traffic all stemming from “shodan.io". I have PF configured so I was
wondering how to block such a domain from making any attempts to
connect to my server. There is little information about Public IP
addresses being used by "shodan.io" scanner, so making an IP list for
PF may be futile.
Could someone suggest a possible option? I was thinking along the
lines of “relayd” or "squid proxy”. My server is hosted at Vultr and
has a single WAN interface with Public IP. There is no internal LAN
interface.
For those who do not know about “shodan.io”, please do a search and
you will discover what it does.
Regards
Nino
I've always been a fan of just setting up a simple script to open a
couple ports with ncat, then when a client connects to the port, it gets
shoved into pf table that has a `drop' rule attached to it. No messing
about with blocklists or proxies or anything else.
ncat listens on various low-number ports that nothing is using on my
servers. A little ncat, sed, pfctl, and a dash of cron are able to do
the job just fine. cron is just there to start the ncat processes at
boot and run an hourly script to do a pfctl -T expire <table> 86400 to
keep the table clean of old attackers.
Shodan isn't the only scanner out there, so there is no point in just
blocking it. And I figure if someone is trying to connect to unused
ports on my system, they probably aren't up to any good. If you aren't
aware that my machine isn't legitimately listening on 22 or 23, or 443,
I don't want to talk to you.
I usually just run on port 22 and move sshd to a different port, that
seems to stop >95% of attackers.
