> A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> keep the table clean of old attackers.

Sounds good. Could you share your script here?

On Thu, 3 Jan 2019 15:20:44 -0800
Misc User <open...@leviathanresearch.net> wrote:

> On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
> > Hello,
> >
> > I wrote a small script called 'pf-badhost' to block shodan and other
> > annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
> > to see the script.
> >
> > pf-badhost also blocks ssh bruteforcers and other annoyances by loading
> > a list of regularly updated badhost lists from trusted sources. If you
> > only want to block shodan specifically, just comment out the few lines
> > that download the other blocklists, and you should be good to go. I've
> > had a number of people give good feedback on it, and they've reported it
> > blocking the scanners and baddies quite effectively; BSDNow also did a
> > piece about it, so it seems to work alright.
> >
> >
> > Cheers,
> >
> > Jordan
> >
> >
> > On 01/02/19 22:15, Antonino Sidoti wrote:
> >> Hi,
> >>
> >> I wish to block all attempts by "shodan.io". Basically I run an
> >> OpenBSD (6.4) mail server using OpenSMTPD and notice quite a bit of
> >> traffic all stemming from "shodan.io". I have PF configured so I was
> >> wondering how to block such a domain from making any attempts to
> >> connect to my server. There is little information about Public IP
> >> addresses being used by "shodan.io" scanner, so making an IP list for
> >> PF may be futile.
> >>
> >> Could someone suggest a possible option? I was thinking along the
> >> lines of "relayd" or "squid proxy". My server is hosted at Vultr and
> >> has a single WAN interface with Public IP. There is no internal LAN
> >> interface.
> >>
> >> For those who do not know about "shodan.io", please do a search and
> >> you will discover what it does.
> >>
> >> Regards
> >>
> >> Nino
> >>
> >
> >
>
> I've always been a fan of just setting up a simple script to open a
> couple ports with ncat, then when a client connects to the port, it gets
> shoved into a pf table that has a `drop' rule attached to it. No messing
> about with blocklists or proxies or anything else.
>
> ncat listens on various low-number ports that nothing is using on my
> servers. A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> keep the table clean of old attackers.
>
> Shodan isn't the only scanner out there, so there is no point in just
> blocking it. And I figure if someone is trying to connect to unused
> ports on my system, they probably aren't up to any good. If you aren't
> aware that my machine isn't legitimately listening on 22 or 23, or 443,
> I don't want to talk to you.
>
> I usually just run on port 22 and move sshd to a different port, that
> seems to stop >95% of attackers.
>

--
radek
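The trap-port setup that Misc User describes (ncat listening on unused ports, sed pulling the client address out of its output, pfctl adding it to a table with a drop rule, cron starting the listeners at boot and running an hourly `pfctl -T expire`) is small enough to show whole. The script below is an added example written for this thread, not the script radek asked for and not Misc User's own. The table name `trapped`, the `ALLOW` and `EXPIRE_SECS` variables, the cron lines, the install path and the pf.conf rules in the header are all choices made for the example; ncat is assumed to be the one from the nmap package, which with `-v` reports each client on stderr as `Ncat: Connection from 203.0.113.7.` (some versions print a second line with `:port` appended, which the sed pattern also accepts).

```shell
#!/bin/sh
# Added example, not radek's or Misc User's script: a trap-port blocker
# built from ncat, sed, pfctl and cron, as outlined in the thread above.
#
# Assumed pf.conf lines (names chosen for this example):
#   table <trapped> persist
#   block drop in quick from <trapped>
#
# Assumed cron entries (paths chosen for this example):
#   @reboot   /usr/local/sbin/trapport.sh trap 23
#   @reboot   /usr/local/sbin/trapport.sh trap 2323
#   0 * * * * /usr/local/sbin/trapport.sh expire
#
# ncat is assumed to be the nmap package's ncat; with -v it reports each
# client on stderr as "Ncat: Connection from 203.0.113.7." and, on some
# versions, a second line with the source port appended (":54321.").

TABLE="${TABLE:-trapped}"
EXPIRE_SECS="${EXPIRE_SECS:-86400}"   # one day, the value used in the thread

# Pull the client IPv4 address out of one line of ncat -v output.
# Prints nothing for lines that are not connection notices, so callers
# can test for an empty result. IPv6 is out of scope for this example:
# a trailing ":port" makes the address boundary ambiguous in sed.
extract_client_ip() {
    printf '%s\n' "$1" |
        sed -n 's/^Ncat: Connection from \([0-9][0-9.]*\)[.:].*$/\1/p'
}

# Refuse to ban addresses that must never land in the block table:
# loopback, plus any management hosts listed in ALLOW (space separated).
# Returns 0 when the address may be banned, 1 otherwise.
is_bannable() {
    case "$1" in
        127.*) return 1 ;;
    esac
    for keep in ${ALLOW:-}; do
        [ "$1" = "$keep" ] && return 1
    done
    return 0
}

# Add one address to the pf table. pfctl stamps the entry with the time
# of addition, which is what -T expire compares against later.
ban_ip() {
    pfctl -t "$TABLE" -T add "$1"
}

# Listen on one unused port and ban every client that connects.
# -l listen, -k keep accepting after each client goes away, -v log clients.
# Client payload goes to /dev/null; only ncat's own notices reach the loop.
run_trap() {
    port="$1"
    ncat -lkv "$port" </dev/null 2>&1 >/dev/null |
    while IFS= read -r line; do
        ip=$(extract_client_ip "$line")
        [ -n "$ip" ] || continue
        is_bannable "$ip" || continue
        ban_ip "$ip"
    done
}

# Hourly housekeeping: drop table entries older than EXPIRE_SECS.
expire_old() {
    pfctl -t "$TABLE" -T expire "$EXPIRE_SECS"
}

# With no arguments the script defines its functions and does nothing,
# which keeps it safe to source for testing.
case "${1:-}" in
    trap)   run_trap "$2" ;;
    expire) expire_old ;;
esac
```

Two things to check before relying on this. The `block drop in quick from <trapped>` rule has to sit before any `pass` rule for the services you do run, because pf evaluates rules last-match-wins unless `quick` stops evaluation; the `ALLOW` guard exists because a single stray connection from an admin workstation would otherwise lock that workstation out for a day. And the trap ports must be ports nothing legitimate ever touches: the thread's point is that a client probing 22, 23 or 443 on a host that serves none of them has identified itself, so putting a trap on a port you actually use would ban your own users.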