
Shadow Server. Like literal spooks.


paulca:
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: connect from scan-14.shadowserver.org[184.105.247.195]
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: warning: non-SMTP command from scan-14.shadowserver.org[184.105.247.195]: GET / HTTP/1.1
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: disconnect from scan-14.shadowserver.org[184.105.247.195] unknown=0/1 commands=0/1


This is not unique.  This is at least once a day, sometimes twice.  I already rejected the previous IP on the firewall; I may need to find a way to block the whole domain.  Probably with EHLO restrictions, but as you can see in the case above, it doesn't even attempt SMTP, it's checking to see if I'm hiding a webserver on port 25!

Who is shadow server? 
https://dashboard.shadowserver.org/

They are a government funded mass "white hat" hacking ring who claim to be helping server admins identify vulnerabilities and to provide a cyber threat overview from the UK (and possibly other) IP pools.

They were onto the mail server within hours of its MX record going live.  Most obviously because it's a .uk domain and they doubtless have hooks into the Nominet.uk registrar.

I'm pondering if I should block it all.  Like use Kali to get a full domain scan for their bots and then block the whole IP range....  or maybe it is genuinely being helpful and if it finds something it will email postmaster@ ?  A bit of googling suggests they are "legit", but with what scope do they define "legit"?  If they find a vulnerability do they tell me before or after they use it for their own purposes?
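One way to measure what the log above is actually showing before deciding whether blocking is worth the effort: an added Python example, not from this thread, that parses Postfix smtpd lines in the format quoted in the post (the sample lines below are constructed with documentation addresses, not real hosts) and lists clients whose every connection was a non-SMTP protocol probe rather than a mail session.

```python
import re
from collections import defaultdict

# Regex for the Postfix smtpd log format seen in the post: syslog timestamp,
# host, "postfix/smtpd[pid]:", then one of the three events we care about.
SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<event>connect from|disconnect from|warning: non-SMTP command from) "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)

# Constructed sample log (documentation IPs), mirroring the quoted format:
# a scanner probing with HTTP verbs on two days, and one real MTA delivering mail.
SAMPLE_LOG = """\
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: connect from scanner.example.net[192.0.2.10]
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: warning: non-SMTP command from scanner.example.net[192.0.2.10]: GET / HTTP/1.1
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: disconnect from scanner.example.net[192.0.2.10] unknown=0/1 commands=0/1
Sep  9 06:10:02 mailgw postfix/smtpd[40011]: connect from mx.example.org[198.51.100.7]
Sep  9 06:10:03 mailgw postfix/smtpd[40011]: disconnect from mx.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 10 05:30:41 mailgw postfix/smtpd[41877]: connect from scanner.example.net[192.0.2.10]
Sep 10 05:30:41 mailgw postfix/smtpd[41877]: warning: non-SMTP command from scanner.example.net[192.0.2.10]: POST / HTTP/1.1
Sep 10 05:30:41 mailgw postfix/smtpd[41877]: disconnect from scanner.example.net[192.0.2.10] unknown=0/1 commands=0/1
"""

def parse_line(line):
    """Return the matched fields for a smtpd line, or None for anything else."""
    m = SMTPD_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Per (host, ip): number of connects, non-SMTP warnings, and the commands sent."""
    stats = defaultdict(lambda: {"connects": 0, "non_smtp": 0, "commands": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["ip"])
        if rec["event"] == "connect from":
            stats[key]["connects"] += 1
        elif rec["event"].startswith("warning"):
            stats[key]["non_smtp"] += 1
            # rest looks like ": GET / HTTP/1.1"; keep just the command text
            stats[key]["commands"].append(rec["rest"].lstrip(": ").strip())
    return dict(stats)

def probe_only_clients(stats):
    """Clients that never spoke SMTP: every connect produced a non-SMTP warning."""
    return sorted(k for k, s in stats.items()
                  if s["connects"] and s["non_smtp"] >= s["connects"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for host, ip in probe_only_clients(summary):
        s = summary[(host, ip)]
        print(f"{host}[{ip}]: {s['connects']} connects, probes: {s['commands']}")
```

The warning line itself is Postfix refusing a command listed in smtpd_forbidden_commands (by default CONNECT GET POST), so the session is already dropped before any mail transaction can start.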

coppercone2:
only a fool would do nothing based on some cover story on a web page

6mo later you find out it's some front run by NK

Monkeh:
And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

paulca:

--- Quote from: Monkeh on September 09, 2023, 01:40:19 pm ---And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

--- End quote ---

That's a bit like saying if you don't want people picking the lock on your front door, don't put a lock on it.  If you don't want people breaking into your car, don't buy a car!

Monkeh:

--- Quote from: paulca on September 09, 2023, 02:32:53 pm ---
--- Quote from: Monkeh on September 09, 2023, 01:40:19 pm ---And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

--- End quote ---

That's a bit like saying if you don't want people picking the lock on your front door, don't put a lock on it.  If you don't want people breaking into your car, don't buy a car!

--- End quote ---

You run a service on a public IP, it will be a target. You cannot prevent that, and getting wound up by one random organisation doing some basic scanning is a waste of energy. Active mapping of exposed services has been going on for years on both sides of the fence and you will never succeed in blocking every attempt. Accept that you're running a service exposed to the public and will receive unwanted traffic.
