libxcnya.so

Prevent Censys from obtaining your origin server IP.

Introduction to Censys#

Hackers and security experts now have a powerful new analysis tool called the Censys search engine, which is very similar to the popular search engine Shodan. Censys is a free search engine initially released by researchers at the University of Michigan in October and is currently supported by Google.

The Censys search engine can scan the entire Internet. Censys scans the IPv4 address space every day to search for all connected devices and collect relevant information, returning a comprehensive report on the configuration and deployment information of resources such as devices, websites, and certificates.

The official website of Censys describes the search engine as follows: "Censys is a search engine that allows computer scientists to understand the devices and networks that make up the Internet. Censys is driven by Internet-wide scanning, which enables researchers to find specific hosts and create a comprehensive report on the configuration and deployment information of devices, websites, and certificates."

Principle#

If we enter a domain name on Censys, we will see the following scenario:

[Screenshot omitted: Censys search result for a domain name]

Its principle is very simple. Censys scans the entire Internet every day and, for every host it finds, connects to IP:443, i.e. https://IP, by bare address rather than by hostname, so no SNI names your site. If you haven't set a separate certificate for the IP, the server answers with the certificate of your default site, and the result of the access looks like this:

[Screenshot omitted: the default site's certificate, carrying the domain name, as returned when accessing https://IP]

Yes, it directly exposes your domain name, because the subject and alternative names of that certificate carry it. Censys then treats the IP as related to the domain and records the pair in its database (a CDN does not help here: Censys never goes through the CDN, it connects to your origin server's IP directly).

Prevention#

Blocking with iptables#

The following are the IP ranges Censys scans from, both those it has disclosed publicly and others it has not. You can safely block all of them:

iptables -I INPUT -s 162.142.125.0/24 -j DROP
iptables -I INPUT -s 167.94.138.0/24 -j DROP
iptables -I INPUT -s 167.94.145.0/24 -j DROP
iptables -I INPUT -s 167.94.146.0/24 -j DROP
iptables -I INPUT -s 167.248.133.0/24 -j DROP
iptables -I INPUT -s 192.35.168.0/24 -j DROP
iptables -I INPUT -s 74.120.14.0/24 -j DROP
iptables-save

Copy and paste the above commands directly into the terminal to run them. Note that iptables-save by itself only prints the current rules to standard output; to keep them across a reboot, redirect its output to the file your distribution loads at boot (for example /etc/iptables/rules.v4 with iptables-persistent) or use your distribution's own save mechanism.
If you need the ranges for something else (a panel or cloud firewall, for example), here they are in plain form:

162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
192.35.168.0/24
74.120.14.0/24

Note: If you are using the Baota panel, modifying the port rules in the Baota panel will overwrite the original iptables rules. Therefore, it is recommended to block these IP ranges in the IP rules of the Baota firewall. If your service provider's firewall supports it, it is even better to block these IP ranges in the service provider's firewall.
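The one-liners above work, but running them twice inserts every rule twice, and iptables-save alone persists nothing. The script below is an added example (not from the original post) that blocks the same ranges idempotently, lets you check a saved `iptables -S INPUT` dump for ranges that are still unblocked, and writes the rules to a boot-time rules file. The rules-file path is the one iptables-persistent uses on Debian/Ubuntu and is an assumption for other distributions.

```shell
#!/bin/sh
# Added example (not from the original post): block the Censys scanner ranges
# listed above without duplicating rules on repeated runs, verify the result
# from a rule dump, and persist it. Assumes iptables; the default rules-file
# path (/etc/iptables/rules.v4, iptables-persistent) is an assumption.

CENSYS_RANGES="162.142.125.0/24 167.94.138.0/24 167.94.145.0/24 167.94.146.0/24
167.248.133.0/24 192.35.168.0/24 74.120.14.0/24"

# Insert a DROP rule for each range unless an identical rule already exists
# (iptables -C exits 0 when the rule is present), so re-running is harmless.
block_censys() {
    for r in $CENSYS_RANGES; do
        iptables -C INPUT -s "$r" -j DROP 2>/dev/null \
            || iptables -I INPUT -s "$r" -j DROP
    done
}

# Read an `iptables -S INPUT` dump on stdin and print every listed range that
# has no DROP rule yet. Works on a saved dump, so it needs no root to run.
missing_ranges() {
    dump=$(cat)
    for r in $CENSYS_RANGES; do
        printf '%s\n' "$dump" | grep -qF -- "-s $r -j DROP" || printf '%s\n' "$r"
    done
}

# iptables-save only writes to stdout; redirect it to the file loaded at boot.
persist_rules() {
    iptables-save > "${1:-/etc/iptables/rules.v4}"
}

# Usage (as root):
#   block_censys && persist_rules
#   iptables -S INPUT | missing_ranges    # prints nothing when all 7 are blocked
```

Because `missing_ranges` reads a dump rather than calling iptables, you can also feed it the saved rules file to audit a server offline.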

Nginx configuration file#

Nginx 1.19.4 added the ssl_reject_handshake directive, which makes a server block reject SSL/TLS handshakes from clients. We can use it in the catch-all server so that when Censys connects to the server's IP on port 443 the handshake is rejected before any certificate is sent; requests that carry your real hostname in SNI are matched to your named server blocks and keep working.

If you haven't set a default site in the Baota panel, or you are a pure LNMP user, add the following server block to the main Nginx configuration file (inside the http block):

server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

[Screenshot omitted: the server block above added to the main Nginx configuration]

Save and restart Nginx.

If you have set a default site in the Baota panel, add ssl_reject_handshake on; at the corresponding place (the listen 443 ssl default_server block) in your default site's configuration file.

[Screenshot omitted: ssl_reject_handshake on; added to the default site configuration]

Warning: This operation will cause the default site to reject SSL/TLS handshake requests from clients. If you need to use the default site, do not use this method.

Afterwards, when you access your IP with a browser, it will look like this:

[Screenshot omitted: what the browser shows when opening https://IP after the change]
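Rather than trusting a browser screenshot, you can reproduce the scanner's view from the command line. The script below is an added example (not from the original post) that serves both the Principle section, by connecting to the bare IP with no SNI exactly as Censys does and reporting whether the certificate it receives names your domain, and this section, by confirming that after enabling ssl_reject_handshake the bare-IP handshake fails while the named site still answers when SNI is sent. It assumes OpenSSL 1.1.1 or newer; ORIGIN_IP and DOMAIN are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): see what a scanner sees when it
# connects to the bare IP without SNI, and check that the real site still works
# with SNI. Assumes OpenSSL 1.1.1+ (for -noservername and -ext); ORIGIN_IP and
# DOMAIN in the usage line are placeholders.

# Print the subject and subjectAltName of the first PEM certificate on stdin.
cert_names() {
    openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Exit 0 if the certificate name text on stdin mentions the domain ($1).
leaks_domain() {
    grep -qiF -- "$1"
}

# $1 = origin IP, $2 = real domain name
probe_origin() {
    echo "== bare IP $1, no SNI (how Censys connects) =="
    # With ssl_reject_handshake on, s_client gets no certificate and $names is empty.
    names=$(openssl s_client -connect "$1:443" -noservername </dev/null 2>/dev/null \
            | cert_names || true)
    if [ -z "$names" ]; then
        echo "ok: handshake rejected, no certificate presented"
    elif printf '%s\n' "$names" | leaks_domain "$2"; then
        echo "LEAK: the default certificate names $2:"
        printf '%s\n' "$names"
    else
        echo "ok: a certificate was presented, but it does not name $2:"
        printf '%s\n' "$names"
    fi
    echo "== with SNI $2 (must still work) =="
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null | cert_names \
        || echo "PROBLEM: the named site did not answer with SNI"
}

# Usage: probe_origin ORIGIN_IP DOMAIN   (both placeholders)
```

Run it from a machine outside your own network, since the iptables rules above only affect the Censys ranges and the point is to see the unfiltered TLS behaviour.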

Use a certificate#


You can also create a self-signed certificate for the bare IP instead, as long as nothing in it (neither the subject nor the subjectAltName) refers to your domain name.
It is best to also enable HTTPS Anti-Cross Site in the Baota website settings.

[Screenshot omitted: the HTTPS Anti-Cross Site option in the Baota website settings]
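For the decoy-certificate route, the following added example (not from the original post) generates a self-signed certificate whose only name is a placeholder unrelated to the real site and emits an nginx catch-all server block that serves it to anyone connecting by bare IP. The output directory, the placeholder common name and the use of return 444 are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed "decoy"
# certificate that says nothing about the real domain, and print an nginx
# default_server block that presents it on the bare IP. Directory, CN and
# return 444 are assumptions.

# $1 = directory to write decoy.key / decoy.crt into
make_decoy_cert() {
    mkdir -p "$1"
    # The CN is deliberately a name with no relation to the real site.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=localhost" \
        -keyout "$1/decoy.key" -out "$1/decoy.crt" 2>/dev/null
}

# Print the catch-all server block. $1 = directory holding the decoy files.
# Any HTTPS request that matches no server_name lands here and sees only the
# decoy certificate; return 444 makes nginx close the connection without a
# response (drop that line if the default site must serve content).
default_server_conf() {
    cat <<EOF
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     $1/decoy.crt;
    ssl_certificate_key $1/decoy.key;
    return 444;
}
EOF
}

# Usage (adjust paths):
#   make_decoy_cert /etc/nginx/decoy
#   default_server_conf /etc/nginx/decoy > /etc/nginx/conf.d/00-decoy.conf
#   nginx -t && nginx -s reload
```

Unlike ssl_reject_handshake, this works on Nginx releases older than 1.19.4, and the scanner still records a certificate, just one that cannot be tied to your domain.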

Solution#

After doing all of this, when you search your IP directly on Censys, it will look like this:

[Screenshot omitted: Censys search result for the origin IP after applying the measures]

With these three measures in place, most asset-mapping platforms will no longer be able to record the link between your domain name and your origin server IP.

Postscript#

In addition, based on my experience, if you are going to use a CDN, never point your domain's DNS record at the origin IP directly, not even before the CDN is set up; otherwise IP history platforms may record the association.

That's about it. If my content is helpful to you, please like, comment, share, and reward. Thank you, meow.

This article is synchronized and updated to xLog by Mix Space.
The original link is https://blog.nekorua.com/posts/maintain/18.html
