Shodan found Dropbear
-
@WhoAmI68 said in Shodan found Dropbear:
Anyway, shodan logs that; it doesn't just happen :).
Did you maybe have a unifi ap open to the internet? Did/do you have a router in front of pfsense that might have had remote access enabled?
There was just some other thread that popped up that I saw about dropbear from a while ago - pfsense doesn't run dropbear - never has as far back as I can remember.. I don't even believe it did from before it was pfsense, back when it was m0n0wall..
And that version of dropbear, while quite old today.. for example my unifi APs ran that for the longest time - don't get me started on why they haven't updated them in like forever, and when they actually did - it was still old, even when they deployed it.
Hallway-BZ.6.7.8# ssh -V
Dropbear v2022.83
Hallway-BZ.6.7.8#
The current version is 2024.86, why are unifi APs on like a 2 year old version? ;)
On a side note - I block all those known scanner things like shodan.. There is zero reason why they should put into a public DB the ports that are open.. So I block all those shitty scanners..
edit: good, seems my blocks are working, searched my public IP and got this
I have multiple ports open - but screw those guys they have no valid reason to list the ports I have open in a public DB.
-
@johnpoz said in Shodan found Dropbear:
So I block all those shitty scanners
Inbound only, or both directions?
-
@Antibiotic why would anything on my network ever be talking to those IPs? But they do send a lot of inbound traffic, which they don't need to see what ports I have open.
-
@johnpoz Ok, inbound then )))
-
Same here :) I have been using UniFi for many years now, including switches and APs. I have never enabled UPnP & NAT-PMP on pfSense to prevent the automatic opening of ports from various devices that use UPnP :)
-
@johnpoz said in Shodan found Dropbear:
Did you maybe have a unifi ap open to the internet.
No, I didn't.
@johnpoz said in Shodan found Dropbear:
Did/do you have a router in front of pfsense that might have had remote access enabled?
Yes, ISP routers have remote access. However, they do not use port 2222.
@johnpoz said in Shodan found Dropbear:
On a side note - I block all those known scanner things like shodan.. There is zero reason why they should put into a public DB the ports that are open.. So I block all those shitty scanners..
I use Spamn DB list to block Shodan, Apollo etc. So in this situation, I do not understand how it was possible to scan.
-
@WhoAmI68 said in Shodan found Dropbear:
I use Spamn DB list to block Shodan
what? How is that going to block it?
-
@johnpoz Normally like ipset or pfblocker feeds list :).
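The open question in this thread is whether the scanner's source address was actually inside the feed being blocked. The following is an added example, not code from anyone in the thread and not part of pfBlockerNG or ipset: it loads a CIDR feed in the plain one-entry-per-line format such feeds commonly use, then checks the source IP of each inbound-block log line against it, so you can see which feed entry (if any) covered a given scanner. The feed contents, the simplified log line format and all addresses (RFC 5737 documentation prefixes) are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample feed in the plain one-entry-per-line format that
# IP blocklist feeds (the kind pfBlockerNG or an ipset loader consumes) commonly use.
# All addresses are RFC 5737 documentation prefixes, not any real scanner's ranges.
SCANNER_FEED = """\
# constructed scanner feed (not a real feed)
198.51.100.0/24
203.0.113.0/25
203.0.113.200      ; bare host, no prefix length

192.0.2.32/27
not-an-address     ; malformed line, should be skipped
"""

# Constructed inbound-block log lines in a simplified, hypothetical form:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z block tcp 198.51.100.17:44123 -> 192.0.2.1:2222
2024-05-01T10:00:02Z block tcp 203.0.113.9:52000 -> 192.0.2.1:22
2024-05-01T10:00:03Z block tcp 203.0.113.200:40001 -> 192.0.2.1:443
2024-05-01T10:00:04Z block tcp 203.0.113.150:40002 -> 192.0.2.1:443
2024-05-01T10:00:05Z block udp 192.0.2.40:5353 -> 192.0.2.1:5353
2024-05-01T10:00:06Z block tcp 192.0.2.200:1234 -> 192.0.2.1:2222
"""


def parse_feed(text):
    """Turn a feed into a list of ip_network objects.

    Handles '#' and ';' comments, blank lines and bare hosts (treated as /32 or /128),
    and skips malformed lines instead of aborting the whole load, which is what you
    want when a feed provider slips a stray line into an otherwise good list.
    Overlapping or adjacent entries are collapsed, per address family.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def match_network(ip, nets):
    """Return the feed network that contains ip, or None if the feed does not cover it."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if net.version == addr.version and addr in net:
            return net
    return None


def parse_log_line(line):
    """Parse one constructed log line into its fields (IPv4 'ip:port' form only)."""
    ts, action, proto, src, _, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def check_log(log_text, nets):
    """Annotate each log line with the feed network (as a string) that covers its source IP."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        net = match_network(rec["src_ip"], nets)
        rec["matched"] = str(net) if net else None
        results.append(rec)
    return results


def hits_per_network(results):
    """Count how many log lines each feed entry accounted for."""
    return Counter(r["matched"] for r in results if r["matched"])


def uncovered_sources(results):
    """Source IPs that reached the firewall but are not in the feed at all."""
    return sorted({r["src_ip"] for r in results if r["matched"] is None})


if __name__ == "__main__":
    feed = parse_feed(SCANNER_FEED)
    rows = check_log(SAMPLE_LOG, feed)
    for r in rows:
        print(f'{r["src_ip"]:>16} -> port {r["dst_port"]:<5} feed entry: {r["matched"]}')
    print("hits per feed entry:", dict(hits_per_network(rows)))
    print("sources the feed does not cover:", uncovered_sources(rows))
```

The useful output is the last line: sources that hit the firewall but fall outside every feed entry. In the sample, 203.0.113.150 is not covered even though 203.0.113.0/25 and 203.0.113.200 are, which is exactly the kind of gap that lets a scanner through a list that looks like it should block it.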
-
@WhoAmI68 and why would you think the scanning IPs from shodan would be in a spam db?? Do you think they also send spam from these IPs?
-
@johnpoz At abuseipdb.com you can check it out.