What is Censys
https://censys.io
Censys is a new search engine for information about networked devices. Security experts can use it to evaluate the security of their own deployments, and hackers can use it as a powerful tool for finding attack targets early and collecting information about them.
Censys function introduction
Hackers and security experts now have a new and powerful analysis tool: the Censys search engine, which is very similar to the most popular search engine of this kind, Shodan. Censys is a free search engine originally released in October by researchers at the University of Michigan and currently powered by Google.
The Censys search engine is capable of scanning the entire Internet. It scans the IPv4 address space daily to find all networked devices and gather relevant information, and it returns an overview report of configuration and deployment information about resources such as devices, websites, and certificates.
The official Censys website describes the search engine as follows:
“Censys is a search engine that allows computer scientists to learn about the devices and networks that make up the Internet. Censys is powered by Internet-wide scanning, which enables researchers to find specific hosts and create an overall report on configuration and deployment information for devices, websites, and certificates.”
Censys principle and architecture
Similar to Shodan, Censys maintains a complete database of every device exposed on the Internet. For a hacker who wants to search for a specific target and needs to gather information about the target's configuration, Censys is undoubtedly a valuable tool. At the same time, security experts can easily lock down poorly protected devices on the Internet.
Zakir Durumeric, the University of Michigan researcher who led the Censys project and the inventor of ZMap, said:
“From ATMs and bank safes to industrial control systems in power plants, we've found the information in them all. This is very worrying.”
Censys was developed as part of an open source project to maintain a “complete database of connected devices” to help security professionals evaluate the security of products and services on the internet.
Censys uses ZMap and ZGrab. ZMap is a network scanner that scans specific machines for security vulnerabilities that may be exploited. It analyzes 4 billion IP addresses and collects information on the devices at these IP addresses every day. ZGrab is an application-layer scanner. The architecture of Censys and the functions it implements are detailed in this research paper.
Discovering key reuse in IoT devices
I suggest interested readers read "A Search Engine for the Internet's Dirty Secrets", MIT's technical review on Censys.
Censys is already being used by security experts, and recently researchers from the SEC Advisory Division found that IoT devices reuse encryption keys, putting millions of devices at risk (Related Freebuf). Experts analyzed 4,000 firmware images and found only about 580 different private keys. Using Scan.io and Censys.io led them to discover widespread reuse of the same set of passwords, with only 230 of the 580 passwords in use.
How to block Censys for VPS security?
1. Block the IP ranges
In the Pagoda (BT Panel) environment: Pagoda home page ==>> Security ==>> Firewall ==>> Block IP
162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
192.35.168.0/23
2620:96:e000:b0cc:e::
Block the IP ranges above.
2. Blocking Censys in a non-Pagoda environment
Install ipset
# Debian/Ubuntu
apt-get -y install ipset
# CentOS
yum -y install ipset
Create a rule
# Create a set named censys
ipset -N censys hash:net
Download link: https://hostloc.com/forum.php?mod=attachment&aid=MTUxNDUzfDkxYmMyMzM2fDE2NDAwNjQxMTF8MHw5NDI2ODI%3D (copy the link and open it in a browser)
Download censys.zone to the /root directory (if you use another directory, change the path in the command below).
Remember to unzip it.
# Add the IP ranges to the censys set
for i in $(cat /root/censys.zone); do ipset -A censys $i; done
Block
iptables -I INPUT -p tcp -m set --match-set censys src -j DROP
Unblock
iptables -D INPUT -p tcp -m set --match-set censys src -j DROP
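A more defensive way to load the list, as an added example that is not part of the original article: it validates each line of the zone file and puts IPv4 and IPv6 entries in separate sets, because a `hash:net` set holds a single address family (IPv4 by default) and `iptables` only filters IPv4. The set names `censys4` and `censys6` and the sample input are assumptions of this example.

```shell
# Added example (not from the article). Set names censys4/censys6 are assumptions.
# Constructed sample: the article's ranges plus noise a zone file may contain.
SAMPLE_ZONE='162.142.125.0/24
167.94.138.0/24
167.94.138.0/24
# a comment line
192.35.168.0/23
2620:96:e000:b0cc:e::
not-an-ip
300.1.1.0/24'

# Succeeds only for a well-formed IPv4 address or CIDR block.
is_ipv4_net() {
  addr=${1%/*}; len=32
  case $1 in */*) len=${1#*/} ;; esac
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# Loose syntax check for IPv6: hex digits and colons, optional /prefix.
is_ipv6_net() {
  case $1 in *[!0-9A-Fa-f:/]*|*/*/*) return 1 ;; esac
  case $1 in *:*) return 0 ;; esac
  return 1
}

# Read a zone list on stdin, print an `ipset restore` script on stdout.
# hash:net sets hold one address family, so IPv4 and IPv6 get separate sets.
gen_ipset_restore() {
  echo "create censys4 hash:net family inet"
  echo "create censys6 hash:net family inet6"
  while IFS= read -r line; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if is_ipv4_net "$line"; then echo "add censys4 $line"
    elif is_ipv6_net "$line"; then echo "add censys6 $line"
    else echo "skipped: $line" >&2
    fi
  done
}
# Usage as root (-exist makes re-runs and duplicate lines harmless):
#   gen_ipset_restore < /root/censys.zone | ipset restore -exist
#   iptables  -I INPUT -p tcp -m set --match-set censys4 src -j DROP
#   ip6tables -I INPUT -p tcp -m set --match-set censys6 src -j DROP
```

Rejected lines are reported on stderr, so a truncated or tampered download shows up before anything reaches the firewall.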
Block the Censys-specific User-Agent
Pagoda environment
Pagoda Nginx Firewall==>> Global Configuration==>>User-Agent Filtering==>> Edit Keyword Filtering
Add after the parenthesis:
censys
Non-Pagoda environment: add the following to the Nginx configuration file
if ($http_user_agent ~* "^(?=.*censys)") {
    return 403;
}
Cloudflare
Firewall—Tools—IP Access Rules
Block IP
Firewall — Tools — User Agent Blocking
Block User-Agent
The Censys IP ranges and User-Agent are currently:
162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
192.35.168.0/23
2620:96:e000:b0cc:e::
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Latest official document: how not to be scanned
The IP ranges and User-Agent above may not be the latest. Please refer to the official document for the current values; the method is the same.
https://support.censys.io/hc/en-us/articles/360043177092-from-faq