Hi Jordan,

Sincere thanks for sharing your script. Also thanks to others for their input and comments.

Regards

Nino

> On 4 Jan 2019, at 10:19 am, Jordan Geoghegan <jgeoghega...@gmail.com> wrote:
>
> Sorry for the double post, I got the link to the script wrong... woops.
>
> The actual link is:
>
> www.geoghegan.ca/pfbadhost.html
>
>
> On 01/03/19 15:06, Jordan Geoghegan wrote:
>> Hello,
>>
>> I wrote a small script called 'pf-badhost' to block shodan and other
>> annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html to
>> see the script.
>>
>> pf-badhost also blocks ssh bruteforcers and other annoyances by loading a
>> list of regularly updated badhost lists from trusted sources. If you only
>> want to block shodan specifically, just comment out the few lines that
>> download the other blocklists, and you should be good to go. I've had a
>> number of people give good feedback on it, and they've reported it blocking
>> the scanners and baddies quite effectively; BSDNow also did a piece about
>> it, so it seems to work alright.
>>
>>
>> Cheers,
>>
>> Jordan
>>
>>
>> On 01/02/19 22:15, Antonino Sidoti wrote:
>>> Hi,
>>>
>>> I wish to block all attempts by “shodan.io”. Basically I run an OpenBSD
>>> (6.4) mail server using OpenSMTPD and notice quite a bit of traffic all
>>> stemming from “shodan.io”. I have PF configured so I was wondering how to
>>> block such a domain from making any attempts to connect to my server. There
>>> is little information about Public IP addresses being used by “shodan.io”
>>> scanner, so making an IP list for PF may be futile.
>>>
>>> Could someone suggest a possible option? I was thinking along the lines of
>>> “relayd” or “squid proxy”. My server is hosted at Vultr and has a single
>>> WAN interface with Public IP. There is no internal LAN interface.
>>>
>>> For those who do not know about “shodan.io”, please do a search and you
>>> will discover what it does.
>>>
>>> Regards
>>>
>>> Nino