I self-host a (non-critical) mail server and a few other things and occasionally look at live firewall logs, seeing the constant flow of illegitimate traffic hitting random ports all over the place, some hitting legitimate service ports but others just probing basically anything and everything. I decided to set up a series of scripts that detect activity on ports that aren't open (and therefore there's no legitimate reason for the traffic to exist) and block those IP addresses from the service ports, since the traffic source isn't to be trusted.
Something that came out of analysis of the blocked IP addresses was that I discovered a few untrustworthy /24 networks belonging to a bunch of "internet security companies" whose core business seems to depend on flooding the entire IPv4 space with daily scans. Blocking these Internet scanner networks significantly reduced the uninvited activity on my open service ports. And by significantly I mean easily over 50% of unwanted traffic is blocked.
Network lists and various scripts to achieve my setup can be found here: https://github.com/UninvitedActivity/UninvitedActivity
Internet Scanner lists are here: https://github.com/UninvitedActivity/UninvitedActivity/tree/...
Large networks that seem responsible for more than their fair share of uninvited activity are listed here: https://github.com/UninvitedActivity/UninvitedActivity/tree/...
I'm semi-aware of the futility of blocking IP addresses and networks. I do believe, however, that it can significantly reduce the load on the next layers of security that require computation for pattern matching etc.
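As an added example (not code from the UninvitedActivity repo), the following Python sketch does the core of what the post describes: it reads a few constructed netfilter LOG lines, keeps the sources that hit ports this host does not serve, widens them to /24 blocks, and renders an nftables ruleset whose interval set drops those blocks before the service ports are accepted. The `FW-IN:` log prefix, the open-port list, and the table and set names are assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of kernel/netfilter LOG lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
Jun 10 03:14:07 host kernel: [12345.678] FW-IN: IN=eth0 OUT= MAC=... SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 03:14:09 host kernel: [12347.001] FW-IN: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=41235 DPT=8080 SYN
Jun 10 03:14:11 host kernel: [12349.002] FW-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=3389 SYN
Jun 10 03:14:12 host kernel: [12350.003] FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60000 DPT=443 SYN
Jun 10 03:14:15 host kernel: [12353.004] FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP SPT=60001 DPT=53 LEN=60
Jun 10 03:14:20 host kernel: [12358.005] FW-IN: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP SPT=4444 DPT=25 SYN
"""

# Ports this host legitimately serves (assumed); anything else is "not open".
OPEN_PORTS = {("tcp", 22), ("tcp", 25), ("tcp", 443), ("tcp", 587), ("tcp", 993)}

# Pull source address, protocol and destination port out of a netfilter LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def closed_port_probes(log_text, open_ports=OPEN_PORTS):
    """Return {source_ip: sorted [(proto, port), ...]} for hits on ports that are not open."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        key = (m["proto"].lower(), int(m["dpt"]))
        if key not in open_ports:
            probes[m["src"]].add(key)
    return {ip: sorted(hits) for ip, hits in probes.items()}


def aggregate_to_prefixes(ips, prefixlen=24):
    """Widen offending hosts to their covering /prefixlen network (the post blocks whole blocks).

    Coarser prefixes shrink the set but, behind CGNAT, also catch bystanders sharing the block."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


def nft_blocklist_ruleset(prefixes, service_ports=(22, 25, 443, 587, 993)):
    """Render an nftables ruleset (load with `nft -f`) that drops the aggregated sources
    before the service ports are accepted. The set is declared with 'flags interval' so
    CIDR elements are matched by a range lookup rather than a linear scan."""
    ports = ", ".join(str(p) for p in service_ports)
    lines = [
        "table inet uninvited {",
        "  set probers {",
        "    type ipv4_addr",
        "    flags interval",
    ]
    if prefixes:  # nothing to list yet when the log shows no closed-port hits
        lines.append(f"    elements = {{ {', '.join(prefixes)} }}")
    lines += [
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    ip saddr @probers drop",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def build_ruleset(log_text=SAMPLE_LOG):
    """Log text in, complete nftables ruleset out."""
    return nft_blocklist_ruleset(aggregate_to_prefixes(closed_port_probes(log_text)))


if __name__ == "__main__":
    print(build_ruleset())
```

A live setup would append new blocks with `nft add element inet uninvited probers { ... }` instead of regenerating the whole table.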
Be aware: there are footguns to be found here.
One thing I do is I blocklist entire countries' and regional ISPs' CIDR blocks. Believe it or not: straight to firewall DROP.
China, North Korea, so many African countries whose only traffic is from scammers, tiny islands in the Pacific that are used for nothing but scamming...
Straight to DROP.
And I do not care about the whining.
Had a travel insurance company do this, and when I was in hospital in Asia I couldn't start a claim and the hospital nearly kicked me out. I'm sure the sysadmins thought it was a great way to reduce hacking attempts by blocking Asia.
That's so remarkably stupid for travel insurance, it's unbelievable.
I wrote a cynical take on "how it happened" at the time: https://joshua.hu/losing-sight-vision-mission-of-your-role
I think it comes from the divorce of what people are hired to do versus what their work actually contributes to. I also remember the countless Cloudflare turnstiles that I've had to get through one way or another on airlines' websites, which reset every minute (looking at you, Air Serbia, for being the worst).
If there’s one single business that I might expect to honor traffic from foreign countries, it would be the travel industry. I can suddenly envision using a VPN to route through Asia and check a travel agent’s site access before purchasing.
Why couldn't they fix this with a phone call? So much suckage.
Mental note 1: Verify whether I can file a claim over the phone before I give a travel insurance company my money.
Mental note 2: Don't travel without being able to VPN through a U.S. endpoint. Preferably something sitting in my house.
Mental note 3: Verify you can call international numbers?
GP said he does "not care about the whining".
Ironic that GP commenter said "I do not care about the whining" about regional IP blocks and the first reply is just someone whining about it.
That's awful, but why is the onus on random sysadmins around the world to deal with this correctly and not the government hosting the problem entities?
I would say because it’s their job to serve their customers, even if they’re abroad? Especially for a travel insurance company.
You don't think a travel agency selling policies covering China should have their sysadmins ensure that their customers can actually make use of those policies? They can always explicitly exclude China if they don't want to deal with this, but then they wouldn't have gotten GP's money.
It's not a random sysadmin. It's a sysadmin of a travel insurance company.
If the government in question is supportive of said problem entities, they won't "deal" with it.
If the government in question has free rein on regulating said traffic, it's an avenue for repression and censorship.
Otherwise it's a legal matter to seek action against such entities, which is already how it works.
(... but I'm afraid we're actually mostly talking about "scenario 1 entities" here, which makes it futile to seek action from the very offices that already play a role in making it harder to use existing legal means)
And it’s not like we will invade countries to stop spam calls, although China is probably the closest to getting to that stage given that the scam centers in Myanmar seem to be a deciding factor in who they throw their support behind: https://www.theguardian.com/world/2024/jan/31/myanmar-hands-...
Government needs lobbying to act.
That's like asking why we don't expect burglars not to burgle: they won't, but that doesn't mean walling off a whole neighborhood is the solution either.
You haven't seen new construction in many upper end places then... High exterior walls and gated entry. Not that it adds much practically.
As a Russian, I hate it when people do this. It's extremely annoying when you just click some random interesting-looking link from HN or Reddit or Twitter only to be greeted by a 403 or a connection timeout. Then you turn your VPN on, and magically, it loads just fine.
For many services, the expected value of letting people from Russia access their service is negative. The reality is that Russia contributes a large portion of hacking attempts while providing very little to no revenue for the service. At the end of the day it is just business, and sometimes letting countries access your service is bad for the bottom line.
I think you and the person above you can both have valid concerns at the same time. If someone said "~50% of theft is from <insert minority group> while they only account for 5% of my business, so I'm not going to let them in the door", assuming the absence of social and legal consequences which would realistically occur, it could be argued that it's the right move for their "bottom line" or whatever. Does that mean it's right, or good, or equitable?
Of course at the same time, if you hold yourself to a much higher standard than what's socially or legally acceptable, there's the inevitable fact that your competitors aren't. So it's a fine balance.
If <minority group> is covered by the same jurisdiction as <business>, then it's not close to a 1:1 comparison.
It's perfectly reasonable to not do business with people in countries that support piracy. And I'm referring to the Arrg/EyePatch type and the Buh/KeyboardWarrior type. In the end, it's a choice. If you don't have a legal means to deal with illicit activity, and blocking mostly works, there you go.
Your country is a bad global citizen. If they started taking action against the groups trying to break into my systems every minute of every day then I wouldn't need to block the entire jurisdiction.
Geoblocking all sanctioned countries was the best thing I ever did
Your annoyance is a feature, not a bug. You are supposed to get annoyed enough as a group to lobby your government to fight the internal problem
You're very naive to assume that this government takes any feedback.
I'll just leave this thread here: https://twitter.com/IrineKuklina/status/1578339408801304580
I am powerless to prevent even my local county from voting to steal my income to fund nonsense welfare, so I can only imagine how much less hope you have for political change and in your ability to meaningfully enact any.
Good luck, and I hope you stay out of harm's way.
How do you think any political change was ever achieved then?
Anyone can attempt political change, but it all comes down to EV.
I live in the US. I can openly speak my mind with relative safety. And I mean relative. My physical safety will likely not be risked, nor the physical safety of my family. But we are very much at a stage where any dissent is accompanied by internet mobs and unemployment.
Do I think that I can convince > 50% of voters in my county to rescind a 1% tax on my household income over $200k? Unlikely. Near zero probability. And my guess is that that probability is certainly less than the probability I am called a racist, transphobe, white supremacist. And that may reduce my income to $0. The EV play doesn't make sense when I have children to raise.
I imagine the above, weighted by an openly corrupt government willing to imprison and kill, further diminishes the EV for an individual.
Page doesn't exist?
Sorry, can't access, I'm from sanctioned country
They would take feedback the same way Napoleon did.
You are naive to think whether your government takes feedback is relevant or not (or that I was specifically talking about Russia; that is just one of many countries with shitty internet crime prevention that are routinely blocked, and each of those shite countries has varying levels of shite leadership with varying levels of responsiveness).
Oh, but it does: you can submit it directly to Roskomnadzor so it can cooperate with said hackers, and then the GRU might even hire them directly /s
Ah, yes, the remaining English speakers in Russia will overthrow the literal millions of the silovik class whose entire job is to repress (with violence) any independent political activity. There is no "lobbying" in Russia, if you didn't know.
If you hate all Russians just say you hate all Russians. No need for this "lobby your government" euphemistic BS.
We in the west can't change your government to ban hacking requests.
We can block whole countries and make a practical reduction in hacks. Sorry that you got caught in the middle and feel you have no options.
Maybe someone who does have options and makes their money from non-hacking will be inconvenienced and ask for change instead.
So political change in Russia is literally impossible and everything will be exactly the same 50 years from now?
Obviously not. Is such change easy? Again, obviously not, but the only way countries change is their own citizens wanting to make the change.
>So political change in russia is literally impossible
Precisely. It's basically impossible. There has to be at least a generational change, or a severe economic / military loss if we are talking about this decade, but even that isn't a guarantee, since the system is perpetuating itself with force, with economic self-interest to continue doing so. Isolating Russian citizens from western sources of information (in addition to what the Russian government is already doing by itself) is not only not helping, it's counterproductive, since rejection engenders a rejection in return, lowering the probability that an inflection point in Russian history would result in anything western.
>countries change
Authoritarian countries change when their enforcement class relaxes and loses control. It takes decades for it to occur. If there is no relaxation, then no change occurs, as demonstrated by numerous countries, not only Russia. Right now the control and propaganda are very tight. "Wanting to make change" publicly is literally a life-threatening activity.
Oh we do want to make this change. Desperately. The only minor issue with that is that we lack any means to do so. I'll be sure to do my part as soon as the window of opportunity opens.
It's probably risky, but absolutely there's a means to do so.
Be the change you want to see in the world. Change happens slowly at first, and then all at once.
Sure hope your govt is not monitoring your posts
The idea that Westerners might "hate" Russians (the people -- not the dictators and their regimes' activities) always seemed so silly to me that I assumed the majority of the related propaganda would be laughed off.
In my experience, the worst general case you have from Americans is absolute "other side of the planet" indifference. Hence the apathetic practice of blocking Russian-originating IP traffic... This may be arguably worse than hate.
A slightly better case, I think, is a healthy segment of the American populace thinks Russians are like the FPSRussia YouTube channel from a few years ago. (Disclaimer: Not sure what the status of that channel is now. Plus, I always figured he was geographically in the southern USA.)
People here are not thinking in whole systems. Roads have a dual purpose: there is security AND there is trade. A world without trade is a poor world; that includes the intellectual arts, civilian institutions cooperating, common issues like climate.
The voices here that say "I block everyone, don't bother me with your whining"... it is a security practice, OK. Security is not the whole story of civilizations; obstinate thinking leads to ignorance, not evolution.
The topic is SSH, an administrative and secured access. Yes, security applies, to be on-topic.
Of course one can obfuscate and secure their own SSH access as much or as little as they want. Run sshd on a different port, require port knocking, ban IPs after failed login attempts, all that kind of stuff.
I'm, however, specifically talking about public-facing services like HTTP(S), which also get blocked with this "I'll just indiscriminately blacklist IPs belonging to countries I don't like" approach.
Malicious traffic is not limited to SSH and comes from the same usual suspects. Automated attacks against web applications are constant. I wouldn't say it's indiscriminate; it's practical.
There are bad people on both sides of the border; don't be fooled into thinking there are more on the "other" side of the border, because there might be ones that you are not seeing (yet). Blocking the whole "other side" is simply the "path of least resistance" or the "low-hanging fruit". Creation and all other good things ALWAYS require more energy than destruction and other bad things. But creation/invention is the only activity that leads to progress and evolution; everything else is stalling, regression, devolution... The Internet was created BY the military FOR the military, but it evolved into THE only thing in the world that connects people. ALL people. References at the bottom.
The most general problem on the Internet is not the malicious people; botnets can infect insecure devices ANYWHERE in the world. The main problem is that some (many) of the ISPs at the last mile allow outgoing IP packets with a source IP address which is outside of the IP range(s) these ISPs operate/own. Larger ISPs on the upper layer cannot prevent this because otherwise IP routing will break. So it all depends on the "last mile" ISPs. And it is quite possible for the "status quo" to live for many years...
References:
https://www.internetsociety.org/resources/2022/impact-of-ukr...
https://labs.ripe.net/author/athina/how-sanctions-affect-the...
https://labs.ripe.net/author/farzaneh-badiei/sanctions-and-t...
https://www.sciencedirect.com/science/article/pii/S030859612...
https://labs.ripe.net/author/moritz_muller/internet-sanction...
Yeah, exactly; try running an ESP VPN on a different port and see how well that works.
Had a reddit clone. The amount of Russian spam coming in was nuts.
Blocking the ru language blocked all spam. And since it didn't have Russian users, it was an easy choice to make.
I think it's harmless, though, if, say, it's a business site or mail site that is only meant to do business with a subset of people, like a country or region. That said, I think it's of highly limited value, because any hacker above Lvl 1 will know how to use a bot, remote box, or VPN from a more local IP.
> It's extremely annoying
Now imagine how annoying Russian traffic is to the world's sysadmins. Then could you please point your finger at who's more wrong here: your government or the sysadmins of the world?
I assume you don’t host anything that could be useful to the 1.5 to 2 billion people that you’re blocking.
Or they host a business site that doesn't do business in those countries and so nothing of value is lost to them. For example, it's literally illegal for me to accept payments from .ru, so why bother wasting their time and my bandwidth?
I live in the EU, and a bunch of American sites just block the whole EU due to GDPR laws.
Then someone in the US uses my email by accident to subscribe to some newsletter (not the first time; I also get personal emails for that person, since it's just one letter difference, and I'm guessing it's someone old, considering the emails I get), I try to click "unsubscribe", and it just redirects me to a "<site> is unavailable in EU, blah blah" page, without unsubscribing.
I make sure to report that site to every goddamn spam list possible.
IMO replying unsubscribe should always work for marketing emails and if it doesn’t then I flag the email as spam. Nope, I’m not going to visit that tracked / info gathering unsubscribe link.
I only use unsubscribe links from things I voluntarily and willingly subscribed to.
If I was involuntarily subscribed to something, or subscribed because of an inconspicuous "subscribe me" checkbox that I probably didn't notice, including from a legit business from which I purchased an item, it's getting reported as spam in Gmail.
This is the right approach. Usually I also avoid any future business with a company that starts spamming me.
> a bunch of american sites just block the whole EU due to GDPR laws.
Which is incredibly reasonable. If the EU didn't try to claim EU law applies globally, those sites might still be up.
The US is just as bad at extraterritorial law, see FATCA for just one example.
https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...
That situation is quite different. The US is using its significant power and weight to coerce those non-US banks into compliance with FATCA. Those banks don't have to comply, but if they want to do business with the US and US companies, then they don't have much of a choice.
It's not like they just made a law and now insisted it applies globally, which is what the EU did.
https://en.wikipedia.org/wiki/CLOUD_Act strikes me as an example
> If the EU didn't try to claim EU law applies globally, those sites might still be up.
It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.
This is more or less how it works everywhere (with some exceptions).
And deciding not to do business with EU residents (i.e. block in EU) is of course perfectly valid and reasonable choice. But not because "EU laws apply globally".
> It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.
See, you say it only applies to EU residents, but that isn't the case.
The real issue is where you say "but as soon as you do business with EU residents EU law applies", and, well, that's just nonsense.
I have a US site. I can operate my business any way I like as long as I don't break any Federal or State laws, and I can break every single EU law that doesn't have an equivalent US law.
The EU can't touch me. EU law doesn't apply to me, even if I advertise the hell out of my site to try and attract as many EU citizens as possible.
All the EU can do is firewall me off, prosecute me if I come to the EU, and police or punish its citizens.
> This is more or less how it works everywhere (with some exceptions).
It's really not. The EU's claim of global jurisdiction is unique and a first. There may have been loosely similar things, but nothing quite like this.
> But not because "EU laws apply globally".
You should inform the EU they should correct their legislation then.
Sure, but if some Little Whinging news from North Arizona (fictional newssite) starts spamming me, because some grandma there can't remember his email address, and won't let me unsubscribe, I'll do everything I can do within my five minutes of anger to make them rethink.
Consider reporting it to the host, ISP and/or FTC next time - GDPR "compliance" doesn't let US businesses ignore the CAN SPAM act.
https://consumer.ftc.gov/articles/how-get-less-spam-your-ema...
What? No.
Claiming jurisdiction by server location is the stupidest thing ever if you're trying to have any kind of customer protection laws. You have to go by customer location.
However, the claim that they have jurisdiction over EU citizens abroad is very questionable.
If a European travels to a grocery store in Nevada, assuming they'd be protected by EU laws is a bit goofy.
If they travel to my US server digitally and want my data back, I shouldn't have to know EU laws. They came to me.
I guess you could argue that if I'm then willing to send them data, then I need to play the game. Like a Nevada store that ships to France.
> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.
The GDPR makes no jurisdictional claims at all based on citizenship, despite a lot of inaccurate summaries saying otherwise. For those cases where the GDPR cares about individuals being EU or non-EU, it only cares about their location, not about their citizenship / nationality or their residence.
> Claiming jurisdiction by server location is the stupidest thing ever if you trying to have any kind of customer protection laws. You have to go by customer location.
I disagree, because that's impossible. That's why the EU's attempt is largely a joke. Literally - it seems to get mocked a lot when I tried reading up on the credibility and practicality of what they claim.
> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.
It's the claim that they have jurisdiction over non-EU citizens and businesses in their own countries which is so laughable.
Same here. I country-block I think 4 countries and my "not-me" ssh login attempts dropped 90+%. As I run funzies sites, I couldn't care less about the reduced legit traffic.
I'd do this too except by far the most scam traffic I see are US in origin. I'm in the EU.
> so many african countries who's only traffic is from scammers
Which countries specifically? Asking from Africa, and not sure I've encountered this.
Personal page.. sure.
Business? You're a pain to many people and don't care.
I live in the EU and many US pages just block the whole EU due to GDPR laws... then someone (by mistake) subscribes me to their newsletter, and the "unsubscribe" link leads to "this page is unavailable in the EU"? I'll goddamn make sure your domain ends up on every goddamn possible antispam filter I can find.
That's often worth an FTC complaint for a CAN-SPAM Act violation: https://www.ftc.gov/business-guidance/resources/can-spam-act...
The FTC wouldn't accept "we didn't want to deal with GDPR" as an excuse for a business violating that law.
Why? Are they spam pages?
For me? Sure. I never subscribed to them. And the unsubscribe links don't work, which is probably illegal, although I'm not sure if they can spam an EU citizen from the USA, and which/whose/what law they are breaking.
> I'll goddamn make sure your domain ends up on every goddamn possible antispam filter I can find.
Honestly, individuals can't really do much to change the reputation of a domain.
Maybe petition your representative to adjust the GDPR so they don't claim it applies globally?
> Honestly, individuals can't really do much to change the reputation of a domain.
Your hosting provider and ISP will see this differently. So will the FTC.
> Maybe petition your representative to adjust the GDPR so they don't claim it applies globally?
Your butthurt about the GDPR doesn't absolve you from your obligations under the CAN SPAM act.
> Your hosting provider and ISP will see this differently. So will the FTC.
No. They absolutely won't. Not if I'm not breaking any US laws. The EU bitching would have as much impact as a government official from, say, Nauru doing the same. None.
> Your butthurt about the GDPR doesn't absolve you from your obligations under the CAN SPAM act.
No. You are misunderstanding and conflating things. My point is I can do whatever I want so long as I am in compliance with US law including CAN-SPAM, and even if I violate GDPR as much as I want (again, as long as it doesn't violate US law).
It's a grey-zone situation, but if you started sending (for me) spam emails to me, and your unsubscribe link doesn't work because you decided to block the whole EU from all of your services, including the unsubscribe feature, you probably are breaking the US spam laws too.
I agree that's likely. Then I guess it would matter what recourse the EU citizen would have. They would have to file suit in the US I would think.
That's very computationally inefficient.
> That's very computationally inefficient.
It's O(1) with iptables/nftables ipsets. Moreover as I blocklist entire CIDR blocks, there aren't that many entries in those ipsets.
You can trivially maintain a list the size of the whole IPv4 space by using bitmaps.
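To make the bitmap remark concrete, here is an added Python sketch (not the commenter's code): a bitmap with one bit per /24, so the whole IPv4 space costs 2 MiB and a membership test is one shift, one index and one mask, independent of how many blocks are listed. The granularity is a parameter; a per-host (/32) bitmap would cost 512 MiB, which is why the coarse variant is the practical one.

```python
import ipaddress


class PrefixBitmap:
    """Fixed-size bitmap over every IPv4 network of one prefix length.

    One bit per /prefix_bits network: /24 granularity is 2**24 bits = 2 MiB,
    /32 (every single host) is 2**32 bits = 512 MiB. Lookup cost is O(1)
    regardless of how many blocks have been added."""

    def __init__(self, prefix_bits=24):
        if not 0 < prefix_bits <= 32:
            raise ValueError("prefix_bits must be in 1..32")
        self.prefix_bits = prefix_bits
        self.shift = 32 - prefix_bits  # host bits discarded on every lookup
        nbytes = 1 << (prefix_bits - 3) if prefix_bits >= 3 else 1
        self.bits = bytearray(nbytes)

    def _slot(self, addr_int):
        """Bit position for an address: drop the host bits."""
        return addr_int >> self.shift

    def add_cidr(self, cidr):
        """Mark every /prefix_bits slot covered by cidr.

        Blocks finer than the granularity (a /25 in a /24 bitmap) are widened to
        the enclosing slot: a coarse bitmap can only over-block, never miss."""
        net = ipaddress.ip_network(cidr, strict=False)
        first = self._slot(int(net.network_address))
        last = self._slot(int(net.broadcast_address))
        for slot in range(first, last + 1):
            self.bits[slot >> 3] |= 1 << (slot & 7)

    def __contains__(self, ip):
        slot = self._slot(int(ipaddress.ip_address(ip)))
        return bool(self.bits[slot >> 3] & (1 << (slot & 7)))

    def size_bytes(self):
        return len(self.bits)

    def count_slots(self):
        """Number of marked networks (for reporting; not on the packet path)."""
        return sum(bin(b).count("1") for b in self.bits)


def demo_bitmap():
    """Constructed blocklist of documentation-range networks, at /24 granularity."""
    bm = PrefixBitmap(24)
    for cidr in ("203.0.113.0/24", "198.51.100.0/22", "192.0.2.128/25"):
        bm.add_cidr(cidr)
    return bm


if __name__ == "__main__":
    bm = demo_bitmap()
    print(bm.size_bytes(), "bytes for all of IPv4 at /24 granularity")
    for ip in ("203.0.113.9", "198.51.103.254", "198.51.104.1", "192.0.2.1"):
        print(ip, "blocked" if ip in bm else "allowed")
```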
Just the best.
The Biden administration needs to explain why they allow ISPs to import data from these countries.
I'm not sure I understand what you're suggesting. Are you saying that the US govt should make it illegal for people in its borders to communicate with people in those countries?
> and block those IP addresses from the service ports since the traffic source isn't to be trusted
Don't get me wrong, I want to do the same, I run a lot of servers and see all the automated nonsense aimed at public servers. However, you should consider the fact that today blocking an IP is akin to blocking a street, a village or sometimes even a town. For ~better or~ worse we now live in the age of CGNAT.
If your threat model and use case mean you only care about a known subset of users with static IPs who are lucky enough to not share IPs, then fair enough; but if you are running services intended for widespread consumption, you are likely blocking legitimate users without even knowing it.
I have thought about that and, as you say, my use-case is entirely "hobby" so there's nothing I host that's of much interest to others (if things break, which they have, it inconveniences me rather than other people).
Having said that, the websites I host are behind Cloudflare and so port 443 allows Cloudflare's ASN, but blocks everything else. This way, any of the IP addresses that are blocked from direct access to port 443 can still access the websites, just through Cloudflare's added layer of protection.
Try running some of your blocked IPs through GreyNoise; they usually have some interesting information about them.
Thanks for the tip. Looks like GreyNoise uses ipinfo.io for IP metadata.
I use https://www.abuseipdb.com/ for any manual IP address checks, and https://hackertarget.com/as-ip-lookup/ for finding what ASN an IP address (range) is a member of. I'll check out greynoise and see what extra info may be provided.
I (DevRel of IPinfo) run Fail2Ban on a VM as well. Pro tip: use the CLI.
- The CLI has the `grepip` command that extracts all the IP addresses from a text. You do not have to parse your logs.
- Analyze your data. After you have extracted your IP addresses from your logs, pipe them to the `summarize`, `map`, and `bulk` commands on the CLI.
- If you are doing bulk enrichment with the `bulk` command, you can use some kind of CSV query tool like CSVtoolkit, DuckDB, or Python-Pandas.
- Look into the ASN data. ASN data is always going to be the more interesting IP metadata for honeypot IPs. Summarize the IP addresses with the `summarize` command; it will give you a high-level report. If you want a web-shareable report, make a POST call to that endpoint. Docs: https://ipinfo.io/tools/summarize-ips
https://github.com/ipinfo/cli
You can always send your logs to me and ask what I think of them, and if I can find common patterns based on IP metadata. I am running our API and database services 24/7 and enjoy looking at logs. I can suggest firewall configurations based on country and ASN information provided by our free data.
Good idea. What I do is, I disabled password login on my SSH server, and I permanently ban whichever address tries to log in using a password.
I use a bastion host on a VPS as the only source IP address allowed to ssh into my systems, so any attempts to connect to ssh (from any IP address other than the bastion) are both blocked and logged into "the list" to be blocked from connecting to any other service ports.
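Putting the two comments above together as an added example (not either commenter's code): a small Python detector over constructed sshd log lines that flags any source using the password method, whatever the outcome, and any SSH attempt that does not come from the bastion address, then renders the `nft add element` command that would feed "the list". The bastion address and the nftables set name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd journal lines; addresses are documentation ranges, not real hosts.
SAMPLE_SSHD_LOG = """\
Jun 10 04:01:02 mail sshd[2201]: Failed password for root from 203.0.113.45 port 40222 ssh2
Jun 10 04:01:05 mail sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 40230 ssh2
Jun 10 04:02:10 mail sshd[2210]: Accepted publickey for ops from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:AAAA
Jun 10 04:03:00 mail sshd[2215]: Connection closed by authenticating user ops 198.51.100.7 port 51002 [preauth]
Jun 10 04:04:44 mail sshd[2220]: Accepted password for ops from 192.0.2.9 port 33000 ssh2
Jun 10 04:05:01 mail sshd[2222]: Connection closed by 203.0.113.77 port 44444 [preauth]
"""

# Assumed address of the VPS bastion, the only source allowed to reach sshd.
BASTION_IPS = {"198.51.100.7"}

# "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
# Connections that never got as far as a completed auth attempt.
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: Connection closed by (?:authenticating user \S+ )?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]"
)


def ssh_offenders(log_text, bastion_ips=BASTION_IPS):
    """Return {ip: sorted reasons}. Reasons:
    'password-auth' for any password-method attempt, accepted or not (an *accepted*
    password login where passwords are disabled is the louder alarm);
    'not-bastion'  for any sshd contact from a source other than the bastion."""
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip = m["ip"]
            if m["method"] == "password":
                reasons[ip].add("password-auth")
            if ip not in bastion_ips:
                reasons[ip].add("not-bastion")
            continue
        m = PREAUTH_RE.search(line)
        if m and m["ip"] not in bastion_ips:
            reasons[m["ip"]].add("not-bastion")
    return {ip: sorted(r) for ip, r in reasons.items()}


def nft_add_elements(offenders, set_name="inet uninvited probers"):
    """Render the command that appends the offenders to an existing nftables set."""
    return f"nft add element {set_name} {{ {', '.join(sorted(offenders))} }}"


if __name__ == "__main__":
    found = ssh_offenders(SAMPLE_SSHD_LOG)
    for ip, why in sorted(found.items()):
        print(ip, ",".join(why))
    print(nft_add_elements(found))
```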
I did this but added an "escape hatch" that allowed password logins from the local network only.
Just be aware that with your strategy “blocking 50% of unwanted traffic” means blocking non-attack traffic, as these Internet security companies are mostly legitimate. The automated attack traffic that you actually want to block is in the other half and will frequently change IPs.
> these Internet security companies are mostly legitimate
This is both subjective and highly dependent upon the scope of services being run. My setup would probably create progressively more hassle than it saves as one moves up the scale from small business to large business. For the setup I have, I quite specifically want to block their traffic.
I'm possibly overly militant about this, but they keep databases of the results of their scans, and their business is selling this information to ... whoever's buying. I don't want my IP addresses, open ports, services or any other details they're able to gather to be in these databases over which I have no control and didn't authorise.
To steal an oft-used analogy, they're taking snapshots of all the houses on all the streets and identifying the doors, windows, gates, and having a peek inside, and recording all the results in a database.
I believe all of them are illegitimate. They 'do' because they can, and it's profitable. "Making the internet safer" is not their raison d'être.
Happy for anyone else to form their own opinion, but this is my current stance.
Yes - anyone whose FAQ answer to "How to avoid being scanned" is "We don't have an opt-out, you must block all these addresses" isn't behaving like a legit business.
"Nice network you've got there."
"We noticed something might be open. We're not telling you what it is."
"It would be a pity if something happened to your business."
"Give us lots of money."
Sounds like a movie strong-arm thug.
Would be cool to have a "don't scan me bro" list of IPs that engage in this that we could share - is there such a thing?
The problem is that becomes a concentrator of IPs behind which privacy conscious individuals exist, which probably has higher value to "whoever's buying". It's a conundrum.
It sounds like what GP is suggesting is to collect the IPs of all the scanners and share the list of IPs among ourselves, so we can collectively route their traffic to /dev/null.
Aaaaah, that makes sense. See the links in my original post.
Why not also sell the scans of scanners to the scanners customers and make a little pocket change?
There's a comment downthread discussing something similar; I haven't tried it though: https://news.ycombinator.com/item?id=40695179
You're being sarcastic, right? We did this for telephone numbers and saw how it turned out...
> these Internet security companies are mostly legitimate
Act like a bot, get treated like a bot.
> Just be aware that with your strategy “blocking 50% of unwanted traffic” means blocking non-attack traffic
You don't block them forever, just enough for them to move on to someone else.
They don't move on to someone else; they scan the entire internet on a regular basis, just like Google crawls web pages.
My experience is that after blocking Censys, unwanted traffic on non-standard ports from other IP blocks has basically gone to zero. It appears to me that some bad actors are using Censys scans for targeting.
I get similar results.
> (...) as these Internet security companies are mostly legitimate.
Note that you're basing your assertion on the motivation of random third parties exclusively on the fact that they exist and they are behind active searches for vulnerabilities.
Lol legitimate. As legitimate as door-to-door salesmen. OP just put up a proverbial "no soliciting" sign.
Have you considered using crowdsec?
I set it up in a fairly superficial way, and there are only a handful (two or three) rules that can be applied on the free tier, and I'm a tight-ass.
It's still running, but it doesn't seem to block much - but that might be because I didn't put enough time into "doing it properly".
Are there any downsides to crowdsec?
You end up sharing signals (IPs) to their crowd-sourced bad IP databases, but only get 3 free IP lists on the free plan. To get some of the bigger IP lists you need an enterprise plan at $2500 a month.
Essentially they use the free customers to build the lists that drive their enterprise sales, which is fair enough as you get to use their free dashboard and open source software. But to me it seems they're really only targeting enterprise customers as a business.
Hi all and @snorremd, (Philippe from the CrowdSec team)
The $2.5K / month was for enterprise, but we didn't correctly understand the need and converted it to 2 optional prices: $1K for LTS and $1K for support. This will be reflected in an update on our pricing page this week; thanks, everyone, for your patience in this matter.
It took us time to segment our four products properly. We wanted to avoid pivoting later, as it happened to so many other open-source tools recently.
* The Security Engine (IDS+WAF+IPS) is for everyone. (Free / MIT license, three free blocklists)
* Its SaaS companion is made for anyone with a security engine. (Generous free tier, $31/engine/month for pro industrialization features, 3 premium blocklists + all free ones. Volume discounts avail. We'll soon merge SecOPS and enterprise plans, all features at the price of the SecOPS plan)
* Blocklists are made for M/L entities to use. (In the range of a few tens of K$ yearly, all blocklists, unlimited)
* The Full CTI database is intended to be used by L/XL Corps. (It contains 32 fields about ~25M IPs, with industry targeted, country targeted, tech stack targeted, AS and range reputation, etc. Local replication at your place, several updates/day. 10 to 20K$ / month, depending on some parameters)
PS: As we did for the Olympic Games 2024, we'll also give away a blocklist for the US presidential election of the most aggressive IP against US assets. With a quarter of a million machines running CS, we have a fairly good overview of this, in real-time.
Safer together.
I was about to say out loud that it was a (kind of) relief not finding Google in your lists, then I found https://github.com/UninvitedActivity/UninvitedActivity/blob/...
I need to check my exact configuration, but whilst I've got 1e100 in a list, I think I've got an exception for it elsewhere.
I.e. whilst it's been detected as uninvited activity, it causes issues when blocked, so it's excluded from the blocking.
Just install fail2ban.
For SSH, changing to a random port number resulted in zero connection attempts from bots for months on end. It seems bots just never bother scanning the full 65535 port range.
For most of my VMs there's no ssh running. I use wireguard to connect to a private IP. I haven't done this on the bare metal yet but I might. Though barring exploits like we had recently nobody is getting into a server with either strong passwords or certificates. Fail2ban in my eyes is a log cleaner. It's not useful for much else.
It bans the bad IPs, isn't that worth running?
But what does that actually accomplish?
Stops the attack from happening from those IPs?
> the full 65535 port range
Note that putting SSH on a high port has security implications.
What security implications?
A server with fail2ban can be DoSed by sending traffic with spoofed IP addresses, making it unavailable to the spoofed IP addresses (which could be your IP, or the IP of legitimate users).
That is typically a bigger problem than polluting your logs with failed login attempts.
What would spoofing the IP of a packet when the underlying protocol requires a two-way handshake accomplish?
With CGNAT, a prepaid sim card and some effort, you can make them block a whole legit ISP in a few days without spoofing anything.
But the SIM card would need to be from the particular ISP you are trying to block, otherwise you would be coming out of a different ISP's CGNAT range, no?
Yeah, but many ISPs, especially smaller ones, have the same pool of IP addresses for all of their users in that 'region' (for whatever size and definition of a "region").
So with some effort, reconnections from/to a mobile network and many TCP/IP connections, you can arrange for your device to connect to the attacked site with many different (if not all) IP addresses from the ISP's pool, and if each of those is blocked, none of the legit users (using the same IP address pool) can access those services anymore.
Look at services like DigitalOcean with cheap virtual machines... even Amazon... so many of their IP addresses were used for something "bad" and got blocked, that running a legit service on any of them can mean that a portion of your potential users won't be able to access them, because they'll be on some block list somewhere.
Don't most ISPs check the source address before relaying traffic nowadays? I know at least one of mine started a few years ago (and we had no idea we were asymmetrically routing our traffic till then...)
fail2ban is another layer which is susceptible to abuse and vulnerabilities. It might keep noise out of your logs but at a huge cost. I'd rather just change the SSH port to something non-standard and write it down.
Add port knocking to it and this is how I do it. nftables ftw
> and block those IP addresses from the service ports since the traffic source isn't to be trusted.
This means that you are locking out anybody using a paid VPN service, if any other customer of that same VPN service does any kind of scan.
Something I didn't mention in my original comment, but have mentioned in another reply somewhere, is that I have the websites running behind Cloudflare, and I allow Cloudflare's ASN into port 443 but block everything else.
Essentially outsourcing the security of port 443 to Cloudflare.
My use-case is "hobby / enthusiast", so I believe I'm losing nothing and the "world at large" is losing nothing from this setup. Having said that, all policies on this kind of thing need to be strongly thought about in terms of their applicability to the use-case.
Were I running a small or even medium business, I'd probably do it exactly the same with maybe a bit more of an eye on what's being blocked and the ownership of the IP addresses, and I'd have some stats to point to on the range of sources of legitimate traffic. It'd have to be a pretty big, international business for it to cause much of an effect (although I'm talking well out of school here because I don't have anything at stake).
Flipside, though, I have my outgoing traffic routed through a couple of different exits, and I've had to make specific rules for some websites that block traffic from VPNs and VPSs, which is annoying, so I'm not completely dismissing your point.
Lastly, however, at all scales I'd still block the Internet Scanners for reasons I've given elsewhere. Blocking them massively cut down on the uninvited activity - again, it's not about making clean logs, but it really helped clear a lot of the noise.
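The "allow the CDN into 443, block everyone else" policy described in this post, as an added example that is not the author's own script: a shell function that renders an nftables fragment from an allowlist of prefixes. The two prefixes below are documentation-address placeholders standing in for Cloudflare's published ranges (Cloudflare publishes the real ones at https://www.cloudflare.com/ips-v4); the table and set names are assumptions.

```shell
#!/bin/sh
# Placeholder prefixes (RFC 5737 documentation ranges), NOT Cloudflare's real
# list; on a real host populate this from the CDN's published IP ranges.
CDN_PREFIXES='203.0.113.0/24
198.51.100.0/24'

# Render an nftables fragment in which TCP/443 accepts connections only from
# the CDN set and drops every other new connection to 443. Other ports are
# untouched here (policy accept), so this merges into an existing ruleset
# rather than replacing it.
render_ruleset() {
  elems=$(printf '%s\n' "$CDN_PREFIXES" | paste -sd ',' - | sed 's/,/, /g')
  cat <<EOF
table inet edge {
  set cdn_v4 {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    tcp dport 443 ip saddr @cdn_v4 accept
    tcp dport 443 ct state new drop
  }
}
EOF
}

# Stand-alone run: print the fragment (apply with "nft -f" after review).
render_ruleset
```

Without the CDN in front, the same shape works for any service whose legitimate sources are a known, enumerable set; the cost is that anyone reaching 443 directly, paid-VPN users included, is dropped, which is exactly the trade-off the thread is weighing.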