
Prevent Censys from obtaining your origin server IP

Introduction to Censys

Hackers and security experts now have a powerful new analysis tool, the Censys search engine, which is very similar to the popular search engine Shodan. Censys is a free search engine initially released by researchers at the University of Michigan in October and is currently supported by Google.

The Censys search engine can scan the entire Internet. Censys scans the IPv4 address space every day to search for all connected devices and collect relevant information, and returns a comprehensive report on the configuration and deployment information of resources such as devices, websites, and certificates.

The official website of Censys describes the search engine as follows: "Censys is a search engine that allows computer scientists to understand the devices and networks that make up the Internet. Censys is driven by Internet-wide scanning, which allows researchers to find specific hosts and create a comprehensive report on the configuration and deployment information of devices, websites, and certificates."

Principle

If we enter an arbitrary domain name on Censys, we see the following (screenshot in the original post):

The principle is very simple. Censys scans the entire Internet every day and connects to each scanned IP on port 443, that is, it requests https://IP directly rather than a domain name. If you have not configured a separate certificate for the bare IP, the server answers with the certificate of its default site, and the result looks like this (screenshot in the original post):

Yes, it directly exposes your domain name, so Censys treats the IP as associated with that domain and records the pair in its database. A CDN does not help here: once the origin IP is known, attackers can bypass the CDN and hit your origin server directly.

Prevention

Blocking with iptables

The following IP ranges are used by Censys's scanners (some published officially, some not). You can safely block them:

iptables -I INPUT -s 162.142.125.0/24 -j DROP
iptables -I INPUT -s 167.94.138.0/24 -j DROP
iptables -I INPUT -s 167.94.145.0/24 -j DROP
iptables -I INPUT -s 167.94.146.0/24 -j DROP
iptables -I INPUT -s 167.248.133.0/24 -j DROP
iptables -I INPUT -s 192.35.168.0/24 -j DROP
iptables -I INPUT -s 74.120.14.0/24 -j DROP
# iptables-save only prints the current ruleset; redirect its output to your
# distribution's rules file (or use its persistence service) to keep the rules across reboots.
iptables-save

Copy and paste the above commands into a terminal to run them. If you need the ranges for another purpose (for example a provider firewall), here they are on their own:

162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
192.35.168.0/24
74.120.14.0/24

Note: If you are using the Baota panel, changing the port rules in the panel overwrites the existing iptables rules, so it is better to block these ranges in the IP rules of the Baota firewall. Better still, if your hosting provider's firewall supports it, block these ranges there.

Nginx configuration file

Nginx 1.19.4 added the ssl_reject_handshake directive, which makes a server block refuse the SSL/TLS handshake outright. We can use it to reject the handshake when Censys connects to port 443 on the bare server IP.

If you have not set a default site in the Baota panel, or you run a plain LNMP stack, add the following to the main Nginx configuration file (inside the http block):

server {
    listen 443 ssl default_server;   # catch-all for connections to the bare IP
    ssl_reject_handshake on;         # abort the TLS handshake instead of serving a certificate
}

Save and restart Nginx.

If you have set a default site in the Baota panel, add ssl_reject_handshake on; at the corresponding place in that default site's configuration file.

Warning: This makes the default site reject SSL/TLS handshake requests from all clients. If you need to use the default site, do not use this method.

Afterwards, when you open your IP in a browser, the TLS handshake fails and the browser shows a connection error instead of your site (screenshot in the original post).

Use a certificate

You can also install a self-signed certificate on the default site, as long as it contains nothing that points to your domain name. It is also advisable to enable "HTTPS Anti-hijacking" for the site in the Baota panel.

Solution

After doing all this, searching your IP directly on Censys no longer shows your domain name in the record (screenshot in the original post). With these three measures you avoid most asset-mapping records that link your domain name to your origin server IP.
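A check you can run yourself against the principle and the fix described above, as an added example that is not part of the original post and assumes only the Python standard library: connect to your origin IP on port 443 without SNI, the way a scanner does, and read the dNSName entries from whatever certificate the default server presents. The SAN parser is a minimal hand-written one (it looks for the subjectAltName OID in the DER), and SAMPLE_DER is constructed test data, not a real certificate.

```python
import socket
import ssl

SAN_OID = bytes.fromhex("0603551d11")       # OID 2.5.29.17 (subjectAltName) as DER

def _tlv(buf, pos):
    """Read one DER tag + length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def san_dns_names(der):
    """dNSName entries of the subjectAltName extension in a DER certificate."""
    idx = der.find(SAN_OID)                    # the OID occurs once, in the extensions
    if idx < 0:
        return []
    pos = idx + len(SAN_OID)
    if der[pos] == 0x01:                       # optional BOOLEAN 'critical'
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                 # OCTET STRING extnValue
    _, pos, end = _tlv(der, pos)               # SEQUENCE OF GeneralName
    names = []
    while pos < end:
        tag, start, pos = _tlv(der, pos)
        if tag == 0x82:                        # [2] IMPLICIT IA5String = dNSName
            names.append(der[start:pos].decode("ascii", "replace"))
    return names

def exposes_domain(names, domain):
    """True if a SAN name (exact or one-label wildcard) covers the domain being hidden."""
    d = domain.lower().rstrip(".")
    return any(n.lower() == d or (n.startswith("*.") and d.endswith(n[1:].lower())
                                  and d.count(".") == n.count(".")) for n in names)

def leaked_names(ip, port=443, timeout=5):
    """TLS handshake to IP:port with no SNI, as a scanner does; None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inspect, don't trust
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:            # no server_hostname -> no SNI
                return san_dns_names(tls.getpeercert(binary_form=True))
    except ssl.SSLError:                                  # e.g. ssl_reject_handshake is on
        return None

# Constructed test data, not a real certificate: one subjectAltName extension, two dNSNames.
SAMPLE_DER = (bytes.fromhex("302d" "0603551d11" "0101ff" "0423" "3021" "8210")
              + b"blog.example.com" + bytes.fromhex("820d") + b"*.example.com")
```

Run `leaked_names("<your origin IP>")`: a list containing names that satisfy `exposes_domain` means the bare IP still reveals your domain; `None` means the handshake was refused, which is what you should see once ssl_reject_handshake is in place.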

Postscript

In addition, from my experience: if you use a CDN, do not point your domain name at the origin IP before putting it behind the CDN, otherwise the pairing may be recorded in the IP history of some platforms.

That's about it. If my content is helpful to you, please like, comment, repost, and reward. Thank you, meow.

This article is synchronized and updated to xLog by Mix Space.
The original link is https://blog.nekorua.com/posts/maintain/18.html
