Why you are scanned so soon
-
I found it interesting that if you get a certificate for your web site you are publicly announced and apparently scanned immediately by the bad guys.
https://isc.sans.edu/diary/Survival+time+for+web+sites/30170/?is=55349e6df1ae7d0eb1f5f3ef0a11b2b29cccb62b3a13d647441b48fa18c8f5d6
-
@AndyRH said in Why you are scanned so soon:
https://isc.sans.edu/diary/Survival+time+for+web+sites/30170/?is=55349e6df1ae7d0eb1f5f3ef0a11b2b29cccb62b3a13d647441b48fa18c8f5d6
Yeah that is interesting - but it's not like it would be unheard of. Any data like this would be valuable to the bad guys. I find it funny that the first scan was from DO.. Good thing I block all their known IPs, along with all the other scanners that I know about..
As the article points out - such info will be made use of, while sure could be used for good.. All good things can be used for bad as well, when the genie is let out of the bottle on any new tech, it's bound to be used for bad..
There is no possible way any actual legit user would be coming from any of those scanner IPs, etc. There is little reason not to block them, etc.. While they think they might be doing good, and maybe in the long run maybe the good can outweigh the bad.. But for the couple of services I provide to my users, those scanner services aren't doing me any favors so I block them all, Shodan, stretchoid and shadowserver just a few of them off the top of my head.
The best part of that article is the mention of making sure your service is secure before exposure to the public internet.. That should be more stressed to be honest..
And only allow IPs from the countries my users are coming from as well.. pfBlocker can really shine here as how to maintain lists for such use.
And another thing that users should take away from reading such an article is the value of looking at logs.. Both firewall, and the services you have exposed to catch IPs that are talking to your services that shouldn't be..
-
@AndyRH Most of the time the info came from the domain registrar, especially if one didn't register the domain as private, as it has to be public info.
-
@AndyRH said in Why you are scanned so soon:
I found it interesting that if you get a certificate for your web site you are publicly announced and apparently scanned immediately by the bad guys.
Ask for a certificate (a very public thing) from some CA, then know that they, the CAs, have to add you to the unique list, the same list half the computer related part of Harvard (university in the US) is tapped into so they obtain data for their theses.
Something like that.
@johnpoz said in Why you are scanned so soon:
would be valuable to the bad guys
Hey, these guys are the future good guys, right? No?
Anyway: you use an IPv4: you get 'scanned'. Most of it is innocent.