[HN Gopher] Check if your IP is exposing any ports. If you see 4...
       ___________________________________________________________________
        
       Check if your IP is exposing any ports. If you see 404 page,
       nothing is exposed
        
       Author : susam
       Score  : 269 points
       Date   : 2020-09-22 17:36 UTC (5 hours ago)
        
 (HTM) web link (me.shodan.io)
 (TXT) w3m dump (me.shodan.io)
        
       | tyingq wrote:
       | I get 401/Authorization Required. Hrm. Something else to add to
       | my list.
        
       | novaleaf wrote:
       | Is there any service like this, but can show details for the IP
       | address even if no services are detected?
       | 
       | like for my home IP address, I get 404. It would be nice to use a
       | service that can tell me whatever is known about the ip (geo,
       | hostnames, etc)
        
       | Wowfunhappy wrote:
       | Huh, port 80 is open. That's bizarre. It's closed on the router.
       | 
       | What should I do?
       | 
       | Edit: Oh, I see, I have to actually click the link... that gives
       | a "Forbidden" message.
       | 
       | Edit2: And only works locally.
        
         | pengaru wrote:
         | If you're seeing a "403 Forbidden" status code, the port is
         | _open_ and the status code is coming back at the application
         | level from a web server.
         | 
         | Which leaves you open to attack if the web server has
         | vulnerabilities.
        
           | Wowfunhappy wrote:
           | Thanks for confirming. It seems to only work on my local
           | network (ie not on my phone if I disconnect from wifi), so I
           | think all is well. Not entirely sure what shodan was seeing,
           | but I suspect it's IP rotation (I haven't had this IP for too
           | long).
        
         | why-el wrote:
         | probably IP rotation by the ISP?
         | 
         | Edit: saw your Edit. :)
        
         | Just1689 wrote:
         | Just check your home IP from your phone (off wifi). A friend
         | found port 80 was open on the public IP and closed on the
         | LAN....
        
         | twelfthnight wrote:
         | For others seeing 403 Forbidden:
         | 
         | Check if you are on a VPN as I was seeing 403 Forbidden while
         | on the VPN and 404 when I turned it off.
        
           | achillean wrote:
           | Yes, we block access to the website from known VPNs/ Tor/
           | proxies/ cloud
        
       | 3dbrows wrote:
       | I believe Netcraft still produce this sort of report on a monthly
       | basis and use it to record (among other things) the relative
       | popularity of webservers. At least, they did when I worked there
       | many moons ago; and they monetised such technology. Biggest
       | hurdle isn't the software or execution time: rather, it's making
       | an agreement with your ISP/hosting company wherein they allow you
       | to portscan the entire internet on a regular basis without
       | flagging it as abuse.
        
       | SkyMarshal wrote:
       | I'm a little confused on my results. I'm getting an actual
       | website with data on it, not a 404. However, in one of the data
       | boxes on the site, I get "HTTP/1.1 404 Not Found".
       | 
       | Specifically, on the right side of the screen there are two
       | boxes. The top one is titled "Open Ports", and lists a single
       | port in it, 7547.
       | 
       | But the box below that is titled "// 7547 / TCP /". In that box
       | is the text "HTTP/1.1 404 Not Found".
       | 
       | So..., am I leaking port 7547, or not? (Fwiw, http://portscan.me/
       | doesn't find any leaked ports, and sees my host IP as offline).
        
         | Sohcahtoa82 wrote:
         | Certain ISP-supplied routers listen on port 7547. It's used by
         | your ISP to access your router remotely to perform software
         | upgrades and the like.
         | 
         | Of course, that's just what they claim. Your level of paranoia
         | that it will get hacked and trust in your ISP to not use it to
         | spy on you or override your own configuration is up to you.
        
           | noir_lord wrote:
           | My ISP was "nice" enough to supply a router that could be
           | flashed with DD-WRT (it's fiber (to the home) so it's just a
           | box on the wall straight into the router, so what's actually
           | running on the router is under my control).
        
         | Offpics wrote:
         | The same here. Without looking at Google I guess this is the
         | open port for ISP tech support?
        
         | mey wrote:
         | If you don't get an entirely white page with just
         | 
         |     404 Not Found
         |     The resource could not be found.
         | 
         | then you are leaking information remotely (or were the last
         | time they scanned your IP address). It sounds like that port
         | was accessible at one point.
        
         | jlgaddis wrote:
         | The service running on that port is for remote management by
         | your ISP [0]. Just like damn near everything else nowadays, it
         | uses HTTP and the 404 status is being returned by the web
         | server running on that port.
         | 
         | ---
         | 
         | [0]: https://en.wikipedia.org/wiki/TR-069
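
The point made in this subthread (a 403 or 404 status line on a port still means the port is open, because a server had to accept the connection to send it), as an added example that is not part of the thread. `classify_port`, `serve_status` and `unused_port` are names made up for this sketch, and it only talks to throwaway servers on loopback.

```python
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler


def classify_port(host, port, timeout=3.0):
    """Return (state, detail) for one TCP port, separating transport from application."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The host answered with a reset: nothing is listening there.
        return ("closed", "connection refused")
    except (socket.timeout, TimeoutError):
        # No answer at all: a firewall is dropping packets (or the host is down).
        return ("filtered", "no answer before timeout")
    except OSError as exc:
        return ("unreachable", str(exc))

    # From here on the TCP handshake succeeded, so the port is open whatever
    # the application says next.
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            first = sock.recv(256).split(b"\r\n", 1)[0].decode("latin-1")
        except (socket.timeout, TimeoutError, ConnectionResetError):
            return ("open", "handshake completed, no HTTP reply")
    if first.startswith("HTTP/"):
        return ("open", first)  # e.g. "HTTP/1.0 404 Not Found"
    return ("open", "non-HTTP service" if first else "handshake completed, no HTTP reply")


class FixedStatus(BaseHTTPRequestHandler):
    """Test server that answers every request with one status code."""
    status = 404

    def do_HEAD(self):
        self.send_response(self.status)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):
        pass  # keep the demo quiet


def serve_status(status):
    """Start a loopback server on a free port that always replies with `status`."""
    handler = type("Handler", (FixedStatus,), {"status": status})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_port():
    """Pick a loopback port that was free a moment ago (nothing listens on it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for status in (404, 403):
        srv = serve_status(status)
        print(status, "->", classify_port("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
    print("nothing listening ->", classify_port("127.0.0.1", unused_port()))
```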
        
       | wazoox wrote:
       | For years I've been using the grc.com port scan, it always served
       | me well :)
        
       | bhartzer wrote:
       | Looks like it's showing that port 4567 is open. Is that something
       | that I need to close?
        
       | noja wrote:
       | Give my ip to Shodan? No thanks - is this the company that joined
       | the ntp pool to collect ipv6 ips?
       | 
       | Edit: yep https://arstechnica.com/information-technology/2016/02/using...
        
         | wil421 wrote:
         | They have already crawled your IP.
        
         | Twixes wrote:
         | They don't need your IP, they've already got it. They scan all
         | of IPv4 around the clock.
        
       | Jimmc414 wrote:
       | This looks like a great service. Thank you.
       | 
       | > Shodan has servers located around the world that crawl the
       | Internet 24/7 to provide the latest Internet intelligence.
       | 
       | That needs to sink in for anyone ever allowing themselves to
       | believe the fallacy that they can slip under the radar with a
       | security vulnerability or sleeping soundly with security by
       | obfuscation. You aren't a computer port hiding on one specific
       | computer on the internet, you are data trying to hide in a
       | relational database.
        
         | lima wrote:
         | Nah, Shodan is just scanning a small subset of ports. Just move
         | your vulnerable server to a random port and it won't find it!
         | /s
        
         | divbzero wrote:
         | Does IPv6 reduce the feasibility of full Web port scans? If so
         | that to me would be a compelling reason to use IPv6 beyond
         | "it's the right thing to do".
        
           | jimrandomh wrote:
           | Yes, it does.
        
       | lostlogin wrote:
       | I'm not sure how this works but there is something odd about it.
       | If I connect from a VPN it shows results from my public IP, not
       | the VPN server's public IP. It does this on multiple VPNs,
       | despite my traffic going over the VPN. Is it caching some device
       | identifier?
       | 
       | Edit: weird, if I connect the VPN then open a private browser tab
       | it then checks the VPN IP. A simple refresh of the tab once VPN
       | is up doesn't work.
       | 
       | Edit 2: I'm an idiot. I just noticed the page URL.
        
       | wnevets wrote:
       | I've always been a fan of ShieldsUP!
       | 
       | https://www.grc.com/shieldsup
        
         | sidewndr46 wrote:
         | I think I've heard of this before but never actually used it.
         | It is interesting because it misses the ports I have that are
         | wide open, maybe it doesn't scan all ports. Also, I run some IP
         | block whitelists for ports under 1024. So they must be scanning
         | from outside the regions I allow traffic on those ports from.
        
           | wnevets wrote:
           | Service Ports is the first 1056, you can also fill in
           | specific ports you want to check.
        
         | hamburglar wrote:
         | Wow, I haven't thought about GRC in a long time. I've always
         | thought the guy was somewhat of a crackpot/sensationalist/self-
         | promoter because he seemed to have a standard recipe of finding
         | some interesting-to-him feature/aspect of a system and then
         | declaring it a glaring security problem and then writing
         | sensationalized screeds about how everyone needs to use his
         | utilities to protect themselves from it (I swear, he probably
         | shouted about the world ending because of XP raw sockets for a
         | decade longer than it was even relevant). I kind of liked SQRL
         | as a concept but I also remember thinking, "ugh, but it's _this
         | guy_ ". He seems to have a decent amount of technical knowledge
         | but a lot of what he writes just seems to be about a need to be
         | considered an expert at something, aimed at people who don't
         | know any better. Just as an example, the idea of people
         | referring to his web page [1] to validate the cert fingerprints
         | of popular websites is ... really bizarre from a security
         | standpoint. I understand him having concern (as do many of us)
         | about the security of the CA hierarchy, but where did _he_ get
         | the fingerprints? How did he validate them? And why should
         | anyone trust him to have done so? Is his web page more secure
         | than the CAs?
         | 
         | [1] https://www.grc.com/fingerprints.htm
         | 
         | ... but I digress. Apparently I have some very strong
         | skepticism of Steve Gibson that I wasn't even aware of until I
         | had a visceral reaction to ShieldsUp! (which is probably a
         | perfectly fine service) :D
        
       | [deleted]
        
       | anon776 wrote:
       | If that link does not work, just click on the "what does shodan
       | know" link on this site. http://dwerp.io
       | 
       | Turns out the port my DVR was on was in their DB.. Guessing I was
       | owned at one point.
        
       | lisper wrote:
       | Told me I have port 1723 open, which was a surprise. But it did
       | NOT tell me that I have port 22 open, which I do. False negatives
       | are a serious problem for a service like this, much more serious
       | than false positives.
        
         | xoa wrote:
         | Have you had port 22 open for a while, and continuously? It's
         | using cached results not an active scan. False negatives though
         | would definitely be worse in this application.
         | 
         | Also at least for me it shows nothing while I do have ports
         | open, but that's because I whitelist limited IP ranges or
         | single IPs for ports rather than just opening them up to the
         | net in general. I have a VPS Wireguard bastion I bounce through
         | for remote LAN access. That itself is a good reminder though
         | that it's a limited tool, if a system in my whitelisted range
         | was compromised it'd suddenly have more options, and conversely
         | if I already had something lazy or malicious (maybe IOT,
         | compromise or both) running on my network that was being
         | careful about what it talked to a port scan alone wouldn't
         | necessarily root it out.
         | 
         | Still a potentially useful high level pass for low effort,
         | could make one aware of some surprise devices or fat finger
         | mistakes or the like. But "If you see 404 page, nothing is
         | exposed" is overstating it.
        
           | lisper wrote:
           | > Have you had port 22 open for a while, and continuously?
           | 
           | Yes.
           | 
           | > "If you see 404 page, nothing is exposed" is overstating
           | it.
           | 
           | Exactly.
        
         | sushisource wrote:
         | Yeah, it's definitely missing some stuff, at least. I have a
         | port open for WireGuard VPN traffic that it completely misses,
         | but that's UDP so maybe that's why.
        
           | ReverseCold wrote:
           | It shouldn't be able to find WireGuard ports. WireGuard drops
           | all traffic that isn't from a key it trusts, so it's
           | impossible to tell if you have WireGuard running on a port.
        
         | tru3_power wrote:
         | Had a similar occurrence, have a port open for some testing I'm
         | doing and it did not report it.
        
           | lisper wrote:
           | That is unsurprising. It doesn't check in real time, it
           | checks periodically and caches the results. But my ssh is
           | obviously running continuously so it really should have
           | caught it.
           | 
           | It _did_ catch port 22 on another IP address that I have.
        
         | this_user wrote:
         | This seems to be largely useless if you have a dynamic IP.
         | According to the scan, I have FTP and HTTP open, but I just
         | double checked, and that is definitely not the case.
        
       | sdflhasjd wrote:
       | So, as someone else mentioned, it appears to show historical
       | records, I'm not sure what the TTL on these is, but some of the
       | open ports on my dynamic IP are from previous "owners" of the IP,
       | aren't actually open any more.
       | 
       | For the HTTP/S ports, it displays the response headers, including
       | timestamp, so I went through my access logs and found the record,
       | if anyone is curious:
       | 
       |     71.6.165.200 - - [xx/Sep/2020:xx:xx:xx +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
       |     71.6.165.200 - - [xx/Sep/2020:xx:xx:xx +0000] "GET /robots.txt HTTP/1.1" 404 163 "-" "-"
       |     71.6.165.200 - - [xx/Sep/2020:xx:xx:xx +0000] "GET /sitemap.xml HTTP/1.1" 404 163 "-" "-"
       |     71.6.165.200 - - [xx/Sep/2020:xx:xx:xx +0000] "GET /.well-known/security.txt HTTP/1.1" 404 163 "-" "-"
       |     71.6.165.200 - - [xx/Sep/2020:xx:xx:xx +0000] "GET /favicon.ico HTTP/1.1" 404 135 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0"
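
One way to spot visits like the one quoted above in your own access log, as an added example that is not part of the thread: it flags any client that fetches `/` plus several site-metadata paths in one short burst and nothing else. The timestamps in the sample are constructed (the comment redacts them), the other two clients use documentation addresses, and `find_banner_crawls` and its thresholds are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format, the layout of the lines quoted in the comment.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Paths requested alongside "/" in the quoted crawl.
METADATA_PATHS = {"/robots.txt", "/sitemap.xml", "/.well-known/security.txt", "/favicon.ico"}

# Constructed sample: the five quoted requests with made-up times, a normal
# browser visit, and a bot that only reads robots.txt and the front page.
SAMPLE_LOG = """\
71.6.165.200 - - [22/Sep/2020:09:41:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
71.6.165.200 - - [22/Sep/2020:09:41:08 +0000] "GET /robots.txt HTTP/1.1" 404 163 "-" "-"
71.6.165.200 - - [22/Sep/2020:09:41:08 +0000] "GET /sitemap.xml HTTP/1.1" 404 163 "-" "-"
71.6.165.200 - - [22/Sep/2020:09:41:09 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 163 "-" "-"
71.6.165.200 - - [22/Sep/2020:09:41:12 +0000] "GET /favicon.ico HTTP/1.1" 404 135 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0"
192.0.2.10 - - [22/Sep/2020:09:50:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0"
192.0.2.10 - - [22/Sep/2020:09:50:01 +0000] "GET /style.css HTTP/1.1" 200 1840 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0"
192.0.2.10 - - [22/Sep/2020:09:50:01 +0000] "GET /favicon.ico HTTP/1.1" 404 135 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0"
198.51.100.7 - - [22/Sep/2020:10:02:30 +0000] "GET /robots.txt HTTP/1.1" 404 163 "-" "ExampleBot/1.0"
198.51.100.7 - - [22/Sep/2020:10:02:31 +0000] "GET / HTTP/1.1" 200 612 "-" "ExampleBot/1.0"
"""


def parse(line):
    """Parse one Combined Log Format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def bursts(records, gap):
    """Split one client's time-sorted records wherever the pause exceeds `gap`."""
    out = []
    for rec in records:
        if out and rec["ts"] - out[-1][-1]["ts"] <= gap:
            out[-1].append(rec)
        else:
            out.append([rec])
    return out


def find_banner_crawls(lines, gap=timedelta(seconds=30), min_metadata=3):
    """Return {ip: [burst summaries]} for bursts that hit "/" plus at least
    `min_metadata` metadata paths and never request any other path."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "GET":
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for burst in bursts(recs, gap):
            paths = {r["path"] for r in burst}
            metadata = paths & METADATA_PATHS
            only_probe_paths = paths <= METADATA_PATHS | {"/"}
            if "/" in paths and len(metadata) >= min_metadata and only_probe_paths:
                hits.setdefault(ip, []).append({
                    "start": burst[0]["ts"],
                    "paths": sorted(paths),
                    # Several user agents from one address in a few seconds
                    # is a further sign of an automated visit.
                    "agents": sorted({r["agent"] for r in burst}),
                })
    return hits


if __name__ == "__main__":
    for ip, found in find_banner_crawls(SAMPLE_LOG.splitlines()).items():
        for b in found:
            print(ip, b["start"].isoformat(), b["paths"], f'{len(b["agents"])} user agents')
```

The burst start time it reports is what you would compare against the timestamp shown next to each port on the lookup page.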
        
       | comonoid wrote:
       | I've tried https://beta.shodan.io/host/127.0.0.1 , it returns
       | 404. Obviously, it is not true!
        
       | withinrafael wrote:
       | For those a bit confused: This subdomain redirects to
       | https://beta.shodan.io/host/$YOUR_REMOTE_ADDR. This runs a search
       | against their _existing_ database of information. Shodan has an
       | army of bots that crawl the entire Internet and stores what it
       | finds along the way. Folks generally pay Shodan for access to
       | these notes.
       | 
       | The site returns various HTTP error codes based on the results of
       | that lookup, or shows a fancier page with open ports and other
       | information it has on that IP address. (Example:
       | https://beta.shodan.io/host/1.1.1.1)
       | 
       | There is no active scan occurring here. (But you could be hinting
       | to Shodan that these particular IPs are valid though!)
        
         | achillean wrote:
         | We don't retain web logs and the way users interact with Shodan
         | doesn't change the way Shodan crawls the Internet. I.e. using
         | the website/ API doesn't change how we look at the Internet.
        
         | RL_Quine wrote:
         | If you want active scanning, http://portscan.me/ will do a
         | reverse nmap port scan of whatever requests it.
        
           | vit05 wrote:
           | "Access Denied! Your address is blacklisted. More information
           | about this error may be available in the server error log."
           | 
           | What should I do?
        
             | simonklitj wrote:
             | Got the same message.
        
           | mcny wrote:
           | here's a portscan.me if you are getting forbidden and just
           | want to see what a result looks like
           | 
           |     Scanning {ip} for interesting ports on 2020-09-22 20:14:00 CEST... This may take a short while.
           | 
           |     Starting Nmap 5.21 ( http://nmap.org ) at 2020-09-22 20:14 UTC
           |     Initiating Ping Scan at 20:14
           |     Scanning {ip} [2 ports]
           |     Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
           |     Ping Scan Timing: About 50.00% done; ETC: 20:14 (0:00:01 remaining)
           |     Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
           |     Ping Scan Timing: About 50.00% done; ETC: 20:14 (0:00:02 remaining)
           |     Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
           |     Ping Scan Timing: About 99.99% done; ETC: 20:14 (0:00:00 remaining)
           |     Completed Ping Scan at 20:14, 3.00s elapsed (1 total hosts)
           |     Nmap scan report for {ip} [host down, received no-response]
           |     Read data files from: /usr/share/nmap
           |     Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
           |     Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
           | 
           |     The scan was performed from 89.186.169.101. Best regards gigahost.dk
           | 
           | --
           | 
           | OP's link archived from archive.fo
           | 
           | https://archive.fo/72cS5
        
         | tzs wrote:
         | I'm still confused, because "curl -D -
         | https://beta.shodan.io/host/$ALIP" where $ALIP is the IP
         | address of my Amazon Lightsail instance, gives different
         | results depending on where I do it from.
         | 
         | If I do that query from home, it correctly tells me that 22,
         | 80, and 443 are open. If I do that query from the Lightsail
         | instance itself, I get 404. I also get 404 if I do it from
         | work.
        
           | nash wrote:
           | Same IP? Don't forget your instance has different public and
           | private IPs.
        
           | achillean wrote:
           | Are you sure it's a 404 and not a 403? We block access to the
           | website from the cloud so you're probably getting blocked.
        
             | tzs wrote:
             | Oops...you are right.
        
           | [deleted]
        
           | withinrafael wrote:
           | Strange! Maybe they have Amazon compute resources on a list
           | and respond differently to avoid abuse? If they don't pop in
           | here, maybe ping @shodanhq on Twitter.
        
         | xoa wrote:
         | > _(I wouldn't rule out that you may be hinting to Shodan that
         | these particular IPs are valid though!)_
         | 
         | For those of us on IPv4, eh. Only 4 billion addresses, and with
         | a lot of that itself tied up in various large /8s to a few
         | specific organizations many of which can be assumed to be
         | beyond casual level, it's just no longer a real haul to scan
         | everything all the time at a basic level. Plus for those of us
         | browsing from our main address we're leaving a trail all over
         | the web anyway through a host of poorly secured servers. So
         | while I don't disagree it's worth thinking about information
         | leaks and honey pots and the like whenever dealing with infosec
         | in any way, in this specific case I also don't think this
         | reveals anything of significant value.
        
           | nycdatasci wrote:
           | Supporting your point: With zmap (https://zmap.io/) you can
           | scan IPv4 in 45 mins using a 1 Gb pipe, or in 5 mins on a 10
           | Gb pipe.
        
             | H8crilA wrote:
             | Wait, why does a port scan need to transfer > 30 GiB of
             | data?
             | 
             | Or do you mean all of IPv4?
        
               | JustFinishedBSG wrote:
               | All of the internet yes
        
             | Fnoord wrote:
             | Full UDP range?
        
       | reidjs wrote:
       | I have quite a few ports open on my webserver (22, 8080, 80, 443,
       | 444, 81), but the thing is I use them regularly for SSH, serving
       | a website, etc. Is it bad that they are getting picked up by this
       | service?
        
         | userbinator wrote:
         | If you know that they're open, that's different from thinking
         | you don't have any open ports when you do, which is probably
         | what this is supposed to tell you about.
        
         | deathgrips wrote:
         | It's only bad if the services running on those ports are not
         | secured.
        
         | jlgaddis wrote:
         | > _Is it bad that they are getting picked up by this service?_
         | 
         | Only if you are relying on no one knowing they're open as a
         | "security feature" (a.k.a. "security by obscurity").
         | 
         | If you aren't worried about anyone "finding" them because
         | you've taken the time to secure the services then there's
         | absolutely no reason at all to care that this exists.
        
       | [deleted]
        
       | donatj wrote:
       | It's interesting that they didn't find the port 22 nor 80 or 443
       | I'm exposing among others, I just get a 404.
        
       | nothasan wrote:
       | There is also Censys[0] and ZoomEye[1] which offer a similar
       | service. From my experience these two offer more/better data.
       | 
       | [0] https://censys.io/
       | [1] https://www.zoomeye.org/
        
       | Santosh83 wrote:
       | I had Caddy server running and port 80 was open, but the scanner
       | also said port 53 was open. After quitting Caddy apparently both
       | ports are now closed. Any reason for Caddy to open port 53?
        
         | geocrasher wrote:
         | 53 is DNS, so it is likely listening on port 53. Perhaps it
         | runs a local DNS cache, but its firewall allows outside
         | traffic. It might even try to provide DNS for ACME DCV.
        
         | kej wrote:
         | Are you using a DNS plugin with Caddy?
        
           | Santosh83 wrote:
           | Yes I think I may have opted to include the cloudflare-dns
           | plugin when downloading Caddy. Perhaps it opens port 53 even
           | though it isn't actually being used? Or perhaps Caddy's
           | automatic HTTPS provisioning logic does this...
        
       | jagger27 wrote:
       | Just Minecraft. Cool to see how much it knows about the Minecraft
       | server protocol. It even marked how many players were on when it
       | was scanned.
        
       | Abishek_Muthian wrote:
       | Does it require login to force an update? I have a dynamic IP and
       | it shows an open port (possible router management) of another user
       | updated a couple of weeks back. I understand that the cached
       | results provide faster results, but does it make sense to cache
       | results for dynamic IPs?
        
       | ficklepickle wrote:
       | This is timely. I just found out, last night, that my shitty ISP
       | router was exposing the management interface to the whole
       | internet. It was dumb luck that I stumbled across it. I had to
       | port forward 80/443 to nowhere in order to make it stop. Time to
       | get a dumb modem.
        
       | slicktux wrote:
       | May I recommend GRC.com's shields up as an alternative...
        
         | Cyphase wrote:
         | https://www.grc.com/shieldsup
        
       | Fnoord wrote:
       | WireGuard default UDP port is open on my home router. This
       | website says 404. Why? Because the scans don't scan full UDP port
       | range, is my guess. I trust this with regards to TCP.
        
         | gnyman wrote:
         | Yeah, it does not scan all ports, just a select thousand or so,
         | and 51820 does not seem to be among them
        
         | sjy wrote:
         | "One design goal of WireGuard is to avoid storing any state
         | prior to authentication and to not send any responses to
         | unauthenticated packets. With no state stored for
         | unauthenticated packets, and with no response generated,
         | WireGuard is invisible to illegitimate peers and network
         | scanners." https://www.wireguard.com/papers/wireguard.pdf
        
       | jszymborski wrote:
       | Just changed ISP/router and noticed that 7547 is open (which
       | hasn't been the case in the past). Looks like ISPs use this for
       | remote management?
        
         | CTrox wrote:
         | Noticed the same thing, that port is mostly associated with
         | [CWMP](https://en.wikipedia.org/wiki/TR-069).
        
       | kube-system wrote:
       | Alternatively, if you see a 404 page, and you have ports open,
       | your IP block lists are working correctly :)
        
       | myself248 wrote:
       | GRC's ShieldsUp! has been operating since fall of 1999, in case
       | anyone else was wondering.
        
         | Cyphase wrote:
         | https://www.grc.com/shieldsup
        
       | [deleted]
        
       | teekert wrote:
       | Wow it tells me how many people are on my minecraft server. I
       | couldn't even find that easily (didn't look too close yet).
       | Anyway, a bit worrying because I leave the whitelist off when my
       | sons friends want to join.
        
       | nxpnsv wrote:
       | Wonder if I could let my server ports change regularly in a
       | pseudo random sequence...
        
       | andrewveitch wrote:
       | You are unexposed in Scotland. Unlike me in my kilt.
        
       | cjbprime wrote:
       | Bonus challenge: Use WebRTC to find the internal IP of the
       | connecting device, then use DNS rebinding to port scan the device
       | itself and report those open ports :)
        
       | xmly wrote:
       | 500
        
       | bognition wrote:
       | I collaborated with Shodan at a previous job and loved working
       | with them. They've built a really solid product that has come a
       | long way. It's a great story of a side project evolving into a
       | massively important resource.
        
       | igama wrote:
       | The free page securityrating.io from BinaryEdge also provides
       | that information.
       | 
       | For more complex queries about what is being exposed on IPs
       | worldwide (IPV4 and IPV6) you can register a free account on
       | app.binaryedge.io.
       | 
       | (Disclaimer: I'm part of the BinaryEdge team)
        
       | t0mbstone wrote:
       | Actually, ideally you wouldn't even see a 404 page. Your web
       | browser should just time out when attempting to find the url.
       | 
       | If you are seeing a 404 page, that means that a web browser is
       | listening on port 80 and received the request and is responding
       | with a 404 page. That's not a good thing!
        
         | MaxBarraclough wrote:
         | It's referring to what happens if you go to
         | https://me.shodan.io/
        
         | merlinscholz wrote:
         | That's not how it works. It requests the last port scan results
         | for your IP from shodan's servers.
        
         | everfree wrote:
         | Your browser isn't connecting to your own IP, it's connecting
         | to a shodan.io server which looks up your IP in their own
         | database.
         | 
         | Of course Shodan's web servers are always listening on port 80,
         | just like with all websites.
        
       | Apofis wrote:
       | Can anyone tell me why server_tokens would be on by default in
       | Nginx? Why would it be a standard default practice to disclose
       | what version your goddamn web server is?
       | 
       | Why is SSHD disclosing its goddamn version too?!
        
         | tprynn wrote:
         | By itself, disclosing version information provides little to no
         | security consequence. If you are using an outdated, vulnerable
         | server version, you will be exploitable regardless of whether
         | you present a version number in the vast majority of cases.
         | Attackers don't care whether you present a specific version
         | number before attempting exploits in most cases (unless the
         | exploit has a risk of crashing the service). And if you do have
         | an exploit which depends on a specific version, most likely you
         | can figure out the version without a version number anyway.
         | Hiding version numbers probably does more work to hurt
         | defenders (who want to easily scan and identify outdated
         | software without attempting exploits).
        
           | garblegarble wrote:
           | It's always occurred to me that you'd use evolving version
           | data from an aggregator like shodan to build a picture of how
           | up-to-date people keep their software, that way when a new
           | vulnerability hits you have a prioritised list of IPs that
           | haven't updated in a timely manner in the past, rather than
           | wasting cycles trying to exploit auto-updating hosts
        
         | silverfox17 wrote:
         | Pretty much every service by default discloses version numbers.
        
       | ipnon wrote:
       | A creepy name for a startup
       | 
       | https://en.wikipedia.org/wiki/SHODAN
        
         | spapas82 wrote:
         | Shodan (from System Shock) was one of the best villains in the
         | history of computer games!
        
           | achillean wrote:
           | One of my favorite games and I picked the name as an homage
           | to my favorite game where you play a hacker. And to be fair,
           | I didn't think that Shodan would become as it has when I
           | first launched the website.
        
       | tzs wrote:
       | How is it so fast?
       | 
       | When I do it from home I immediately get a 404. It was so fast I
       | assumed that the site got overwhelmed by people trying it and it
       | was down.
       | 
       | But then I tried it but changing the URL on the 404 from
       | https://beta.shodan.io/host/<home_ip> to
       | https://beta.shodan.io/host/<lightsail_ip>, giving the IP of my
       | Amazon Lightsail instance. It almost instantly told me 22, 80,
       | and 443 were open.
       | 
       | Edit: ...but if I try either of those actually from my Lightsail
       | instance, they both get 404!?
        
         | igama wrote:
         | Check the timestamp of the results ;)
        
         | can16358p wrote:
         | It was extremely fast for me too. But I'm behind a CGNAT, which
         | explains nothing being found and (if it's caching) why it's so
         | fast.
        
         | everfree wrote:
         | The results are cached:
         | 
         | > Shodan has servers located around the world that crawl the
         | Internet 24/7 to provide the latest Internet intelligence.
        
           | riffic wrote:
           | By "the Internet" they mean the IPv4 space, right? There are
            | _only_ 3.681 billion public IPv4 addresses so it's a trivial
           | problem to scan them all at a suitably parallel scale.
           | 
           | the v6 address space, on the other hand...
        
             | _salmon wrote:
             | They're working on scanning IPv6 as well. They got in
             | trouble a few years back after they were observed
             | harvesting IPv6 addresses by running a public NTP
             | server[1].
             | 
              | [1] https://arstechnica.com/information-technology/2016/02/using...
        
               | [deleted]
        
               | gowld wrote:
               | Hmm, maybe security via obscurity is a bad idea after
               | all.
        
             | ReverseCold wrote:
             | You can probably get a pretty good idea of the v6 space by
             | checking domain name registrations, certificate
             | transparency, logging requests from v6 addresses, etc.
        
       | nobody9999 wrote:
       | I guess this can be useful if you don't know what's going on with
       | your internet connection.
       | 
       | Although the fact that the "results" are cached arguably makes
       | this less useful than GRC and other sites that will actively scan
       | your IP (range).
       | 
       | And even though they provide a timestamp for the reported
       | information (different for different ports by 24 hours or so, at
       | least for me), I'd personally prefer an active scan over a
       | database lookup if I want to know what's going on.
       | 
       | I'll go further and say that while the information provided is
       | absolutely useful, depending on the services you're exposing to
       | the Internet, there are other tools that will give you much more
       | useful, actionable information.
       | 
       | There are rafts of online tools to check for vulnerabilities in
       | specific services. Notably:
       | 
       | Mozilla Observatory https://observatory.mozilla.org/
       | 
       | Qualys Labs SSL test https://www.ssllabs.com/ssltest/
       | 
       | MX Toolbox Super Tool https://mxtoolbox.com/SuperTool.aspx
       | 
       | And many others, including the GRC Shields Up! port scanner
       | mentioned in other comments in this thread:
       | https://www.grc.com/shieldsup
       | 
       | As such, unless you're going to use Shodan services, or want to
       | know what information they have about you, it seems like there
       | are other, better tools out there.
       | 
        | What's more, there are tons of tools that you can run _locally_
       | that will provide much more information about the devices on your
       | internal network, since you can run them inside your firewall.
       | 
       | N.B.: I am emphatically _not_ discouraging others from using
        | shodan.io, nor am I claiming that it's bad. Rather, I'm
       | expressing my own opinion as to how I prefer to identify and test
       | my internet-facing attack surface.
        
         | gowld wrote:
         | Mozilla's "include my site in the public results" (including
         | vulnerabilities) by default doesn't seem very privacy
         | respecting.
        
           | nobody9999 wrote:
           | >Mozilla's "include my site in the public results" (including
           | vulnerabilities) by default doesn't seem very privacy
           | respecting.
           | 
           | Then don't use it.
           | 
           | Or check the click-box. Which is what I did.
           | 
           | That said, your Internet-facing IP address isn't private. In
           | fact, it has to be public in order to route traffic to/from
           | you.
           | 
           | I'd note that the shodan.io site had information about my IP
           | address, even though I'd never used it or requested a scan.
           | What's more, I'm included in that database without _any_
           | opportunity to opt out as the Mozilla site provides.
           | 
           | And just to be clear, I have no connection to Mozilla (or any
           | of the other sites I mentioned). In fact, I'd never looked at
           | Mozilla Observatory before I started poking around for the
           | comment to which you replied and included it _only_ because
           | it had an SSH scanner.
        
         | silverfox17 wrote:
         | It's not generally used to assess your own attack surface -
         | it's mainly used to assess the attack surface of others using
         | their search syntax. It's a Google of vulnerable systems.
        
           | achillean wrote:
           | Actually monitoring your own attack surface is the most
           | common reason companies purchase a subscription. See:
           | https://monitor.shodan.io
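
Several comments above note that the results are cached with a separate timestamp per port, and that an active scan shows the current state. The following is an added example, not part of any comment and not Shodan's code, that reconciles a cached record with the ports an active check of your own address finds open; the record layout, field names and the helper names `tcp_open` and `reconcile` are assumptions.

```python
import socket
from datetime import datetime, timedelta, timezone

# Constructed sample: a cached per-port scan record. Field names are
# assumptions for this example, not any aggregator's real schema.
CACHED = [
    {"port": 22, "seen": "2020-09-21T04:12:09"},
    {"port": 80, "seen": "2020-09-22T03:40:51"},
    {"port": 8080, "seen": "2020-08-30T11:05:00"},
]

def tcp_open(host, port, timeout=2.0):
    """Active check: True if a TCP connect succeeds. Run it against your own
    address from outside your network; from inside the LAN it can differ."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def reconcile(cached, live_ports, now, max_age=timedelta(days=7)):
    """Compare cached observations with ports found open by an active check.

    Returns {port: (status, age)} where status is one of:
      confirmed - cached and open now
      closed    - cached recently but not open now (fixed, or filtered)
      stale     - cached long ago and not open now (old data, for example
                  from a previous holder of a rotated IP)
      uncached  - open now but absent from the cache (crawler not caught up)
    """
    result = {}
    for obs in cached:
        seen = datetime.fromisoformat(obs["seen"]).replace(tzinfo=timezone.utc)
        age = now - seen
        if obs["port"] in live_ports:
            status = "confirmed"
        elif age > max_age:
            status = "stale"
        else:
            status = "closed"
        result[obs["port"]] = (status, age)
    for port in sorted(set(live_ports) - set(result)):
        result[port] = ("uncached", None)
    return result

if __name__ == "__main__":
    now = datetime(2020, 9, 22, 23, 0, tzinfo=timezone.utc)
    live = {22, 8443}  # constructed: ports an outside check found open
    for port, (status, age) in sorted(reconcile(CACHED, live, now).items()):
        print(port, status, age)
```

An "uncached" port is the case to act on first: it is reachable now but has not yet shown up in the cached record.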
        
       ___________________________________________________________________
       (page generated 2020-09-22 23:00 UTC)