Blocking "shodan.io" - What are my options?

Re: Blocking "shodan.io" - What are my options?

Stuart Henderson
On 2019-01-10, Aaron Mason <[hidden email]> wrote:

> On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson <[hidden email]> wrote:
>>
>> On 2019-01-09, Aaron Mason <[hidden email]> wrote:
>> > Hi Jordan
>> >
>> > I've set it up to try it, but I'm not having much luck.  Even when I
>> > trigger more than one, it still doesn't populate the bad_hosts table,
>> > even again when I extend the rate period to 86400 seconds.  I've added
>> > logging so I know the rule is triggering.  See below.
>>
>> max-src-conn-rate is only triggered when a TCP connection is
>> established, you need to have something listening (and it will only
>> trigger on the *second* connection).
>>
> I knew it wouldn't trigger on the first attempt, but I had a sneaking
> suspicion that you'd need something to listen on that port.  Is there
> a way to achieve what we seek, in that case, without userland tools?

No.

But you could probably manage it with just one listening port to cover
all the ones you're interested in (via rdr-to).
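The two points Stuart makes (the rate option only counts completed handshakes, and one listener can cover many ports through rdr-to) expressed as a pf.conf fragment. This is an added example, not a rule set from the thread or from any of its posters: <bad_hosts> is Aaron's table name, while the port list, the 127.0.0.1:4444 listener and the 86400-second window (Aaron's own test value) are assumptions.

```pf
# Added example, not from the thread. Table name from Aaron's setup; ports,
# listener address and window are assumptions.
table <bad_hosts> persist

# Anything already in the table is dropped before any pass rule is consulted.
block in quick on egress from <bad_hosts>

# Fold every port of interest onto one listener on 127.0.0.1:4444. Some
# process must actually accept() there: max-src-conn-rate counts completed
# TCP handshakes only, so a SYN to a closed port never trips it. With a limit
# of 1 per 86400 s the *second* completed connection from a source inside the
# window adds it to <bad_hosts>; "flush global" also kills that source's
# existing states, so an open session from the same address is cut too.
pass in quick on egress proto tcp to (egress) port { 23 2323 8080 } \
    rdr-to 127.0.0.1 port 4444 \
    keep state (max-src-conn-rate 1/86400, overload <bad_hosts> flush global)
```

To check it is doing what you expect, connect to one of the redirected ports twice from an outside address, then look at `pfctl -t bad_hosts -T show` for the source and at `pfctl -s states` to confirm the first connection really reached ESTABLISHED; a state that never gets past SYN_SENT means nothing is listening on 4444, which is exactly the symptom Aaron describes.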

Re: Blocking "shodan.io" - What are my options?

Edgar Pettijohn III-2
In reply to this post by Aaron Mason
On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:

> I knew it wouldn't trigger on the first attempt, but I had a sneaking
> suspicion that you'd need something to listen on that port.  Is there
> a way to achieve what we seek, in that case, without userland tools?

I wrote a little daemon to do what we're looking for. It listens on
specified ports, accepts the connection and executes a script so you can
either use something like logger or pfctl, etc to do what you want with
the address it connected from. If anyone wants to play with it let me
know and I'll send you the tarball.

Edgar

Re: Blocking "shodan.io" - What are my options?

Radek
Hi,

I would gladly play with your script. Would you please share it @misc. Maybe our community could develop it further...

On Sun, 13 Jan 2019 12:43:15 -0600
[hidden email] wrote:

> I wrote a little daemon to do what we're looking for. It listens on
> specified ports, accepts the connection and executes a script so you can
> either use something like logger or pfctl, etc to do what you want with
> the address it connected from. If anyone wants to play with it let me
> know and I'll send you the tarball.
>
> Edgar
>


--
radek

Re: Blocking "shodan.io" - What are my options?

Edgar Pettijohn III-2
On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:

> Hi,
>
> I would gladly play with your script. Would you please share it @misc. Maybe our community could develop it further...

It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz

The manual isn't quite complete. The supplied script could really use
some help as well as an rc script. The makefile is also cobbled
together. It is pledged and unveiled. I think it can have a few of the
pledges removed, but I haven't gotten that far. I think it is unveiled
correctly, but this was my first time playing with it.

The only requirement is libevent2 to aid in portability, which was the
driving force behind executing a script so that it could tie into
whatever packet filter is in use. Any constructive suggestions and
patches are more than welcome.

Enjoy.

Edgar
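Edgar's two descriptions above (a daemon that listens on chosen ports, accepts the connection and hands the source address to a script; libevent for portability so the script can drive whatever packet filter is in use) cover a pattern small enough to show in full. What follows is an added example written for this page, not Edgar's void daemon and not code from the thread: it is in Python rather than C/libevent so it runs anywhere, and every name in it (BLOCK_CMD, NEVER_BLOCK, handle_peer, listen_on, serve, connect_once) is this example's own. The block command reuses the badguys table name from Edgar's later post; the rest is assumption.

```python
#!/usr/bin/env python3
"""Accept-and-hand-off listener (added example, not the void daemon).

Binds the given TCP ports, completes each handshake, closes the socket
without reading a byte, logs "<peer> connected to port <N>" and hands the
peer address to a block action, by default `pfctl -t badguys -T add <addr>`.
"""
import ipaddress
import logging
import selectors
import socket
import subprocess
import sys

# Assumed command; the script Edgar's daemon executes would go here instead.
BLOCK_CMD = ["doas", "pfctl", "-t", "badguys", "-T", "add"]

# Sources never handed to the block command: yourself and your own networks.
# Extend with management ranges so a stray connection cannot lock you out.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "::1/128", "fc00::/7")]


def handle_peer(peer, port, seen, run=subprocess.run):
    """Decide whether to block `peer`; returns the command run, or None.

    `seen` holds addresses already passed on, so a scanner that walks all
    the listening ports costs one pfctl invocation rather than ten.
    """
    try:
        addr = ipaddress.ip_address(peer)   # only an IP literal ever reaches the command line
    except ValueError:
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    key = str(addr)
    if key in seen:
        return None
    seen.add(key)
    cmd = BLOCK_CMD + [key]
    run(cmd, check=False)                   # a failing pfctl must not take the listener down
    logging.info("%s added to table after connecting to port %d", key, port)
    return cmd


def listen_on(ports, host="0.0.0.0"):
    """Bind each port non-blocking; returns (selector, [bound ports]).
    Port 0 asks the kernel for a free port, which the smoke test relies on."""
    sel = selectors.DefaultSelector()
    bound = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(16)
        s.setblocking(False)
        actual = s.getsockname()[1]
        sel.register(s, selectors.EVENT_READ, data=actual)
        bound.append(actual)
    return sel, bound


def serve(sel, seen, run=subprocess.run, max_conns=None):
    """Accept loop; returns the number of connections handled.
    Stops after `max_conns` connections (None: run until interrupted)."""
    handled = 0
    while max_conns is None or handled < max_conns:
        for key, _ in sel.select(timeout=1.0):
            try:
                conn, (peer, _) = key.fileobj.accept()
            except OSError:                 # reset before accept, or spurious wakeup
                continue
            conn.close()                    # handshake done, nothing read: no parser to attack
            logging.info("%s connected to port %d", peer, key.data)
            handle_peer(peer, key.data, seen, run)
            handled += 1
            if max_conns is not None and handled >= max_conns:
                break
    return handled


def close_all(sel):
    for key in list(sel.get_map().values()):
        key.fileobj.close()
    sel.close()


def connect_once(port, host="127.0.0.1"):
    """Client side of a smoke test: open a connection and drop it."""
    socket.create_connection((host, port), timeout=2).close()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s void: %(message)s")
    selector, bound_ports = listen_on([int(p) for p in sys.argv[1:]] or [23])
    logging.info("listening on ports %s", bound_ports)
    try:
        serve(selector, set())
    finally:
        close_all(selector)
```

Run it as `python3 void.py 23 2323 8080` under doas or with a pfctl-capable user, and it blocks on the first completed connection rather than the second, because unlike max-src-conn-rate there is no legitimate service on these ports to protect. The log line ends with the port number, so the same `egrep "23$"` Edgar uses works against its output. The NEVER_BLOCK list is the part worth reviewing before deployment: a misdirected connection from your own management host is the easiest way to cut yourself off with a tool like this.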

Re: Blocking "shodan.io" - What are my options?

Edgar Pettijohn III-2
On Sun, Jan 13, 2019 at 01:39:13PM -0600, [hidden email] wrote:
> On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > Hi,
> >
> > I would gladly play with your script. Would you please share it @misc. Maybe our community could develop it further...

Just curious if anyone has tried it out. I've been running it for about
48 hours now and it doesn't appear to be having any issues. Plus my pf
table is growing.

$ doas pfctl -t badguys -T show | wc -l
     697

I have it running on about 10 ports. Obviously the majority of the scans
are on 22, but I was surprised to see so many on 23.

$ egrep "23$" /var/log/messages | wc -l
     247

Edgar

Re: Blocking "shodan.io" - What are my options?

Radek
Sorry, I haven't tried it yet. I'll do it ASAP.

On Tue, 15 Jan 2019 21:05:32 -0600
[hidden email] wrote:

> Just curious if anyone has tried it out. I've been running it for about
> 48 hours now and it doesn't appear to be having any issues. Plus my pf
> table is growing.
>
> $ doas pfctl -t badguys -T show | wc -l
>      697
>
> I have it running on about 10 ports. Obviously the majority of the scans
> are on 22, but I was surprised to see so many on 23.
>
> $ egrep "23$" /var/log/messages | wc -l
>      247
>
> Edgar


--
radek
