Old news? / Off topic? / But still worth passing on IMHO...

PhilHornby

Senior Member
I was browsing the firewall log of my router, and noticed a failed attempt to access my VPN.

I followed up the IP address it came from (198.20.70.112) and apparently, it is something called http://shodan.io (198.20.64.0/18 is the range if you want to block it...)

I'd never heard of it, even though it's been around since 2013; in a nutshell, it's a search engine, "that lets the user find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters. .... This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server."

You can find out what it currently knows about you, without creating an account - just modify the following search to use your IP address. https://www.shodan.io/host/xx.xx.xx.xx

In my case, it knew far more about my configuration than I consider healthy :(

So, if you're considering connecting your latest Picaxe project directly to the Internet, with maybe just a non-standard IP port as protection, I would strongly suggest that you don't!!

In my case, the stable door is now securely locked... and I've sent out a search party to look for the horse :eek:


Some interesting background reading: https://www.mikecarthy.com/offensive-security/shodan-worlds-dangerous-search-engine

and

http://www.zdnet.com/article/shodan-the-iot-search-engine-which-shows-us-sleeping-kids-and-how-we-throw-away-our-privacy/

 

Pongo

Senior Member
You may want to edit out that 188... IP address, or someone is going to have an interesting logfile :)
 

Jeremy Harris

Senior Member
There is a staggering amount of snooping going on now, it's become normal business on the web.

I was looking at traffic on my connection a few weeks ago and was a bit puzzled by all the connections to odd servers, even when the machine wasn't even running a browser or email client (I was playing around with TCPView, a utility that lets you see all the connections your machine is making - if it's a Windows machine). This was on my old desktop machine, which is the only machine running a version of Windows (Win 7) that I now have (all the others are now, as of yesterday, running Mint 18 - and very good it is too, nicer and faster than Mint 17.3 IMHO).

I did a bit of digging around, and it seems that some of the Windows 7 "updates" rolled out recently included the same "telemetry" as Windows 10 uses to make money. In essence, one or more updates had installed a mass of spyware (for want of a better description) that was passing loads of information on everything I was doing on the machine back to a number of Microsoft, and Microsoft related, servers. Some were clearly for targeted advertising, some were just gathering data on what was installed on my machine and how I was using it. Not quite up to the level of snooping in Win 10 (where by installing it you grant the right to Microsoft to look at every single file on your PC, remotely, which cannot be permanently turned off by the user) but intrusive nevertheless.

I found the updates that had installed the "telemetry" stuff and removed them and their registry entries, then added a long list of Microsoft, and Microsoft-related, servers to the blocked sites list in my router. Funny old thing, but after doing this my 5 year old Win 7 machine ran a hell of a lot faster, with none of the long periods where the hard disk was churning away for no reason (which was why I was looking at what was going on with TCPView in the first place). I found this article which describes what Microsoft have done, and it applies to Win 7, 8 and 8.1 : http://superuser.com/questions/972501/how-to-stop-microsoft-from-gathering-telemetry-data-from-windows-7-8-and-8-1
 

eggdweather

Senior Member
It's quite handy to validate which ports your site has open (or responds to); mine does exactly what I thought it should do, the web server and port 443.

It can be disconcerting to read log files; mine has thousands of entries showing systems trying every conceivable way I have ever seen to log in to my server. Usually there are lists of common files and methods, as each is tried in turn - clear probing. You can obtain a list of the errant IP addresses to block, but it needs constant updating and for me the overhead is too great. I now rely on the security settings of Apache to defeat all these attempts and so far it works OK - to my knowledge!
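As an added example, not code posted by eggdweather or taken from any project: a small Python script that does the "list of errant IP addresses" step described above. It parses Apache combined-format access-log lines, collects the distinct paths each client got a 404 for, flags clients that walked through several non-existent files (the probing pattern described in the post), and emits Apache 2.4 `Require not ip` lines for them. The sample log lines are constructed using RFC 5737 documentation addresses, and the threshold of four distinct misses is an arbitrary assumption. This is the static, by-hand version of what fail2ban-style tools automate.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
#   host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from any real server). 203.0.113.9 walks a list
# of well-known admin/config paths; the other two hosts are ordinary visitors.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Jul/2016:03:14:07 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2016:03:14:07 +0100] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2016:03:14:08 +0100] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2016:03:14:08 +0100] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2016:03:14:09 +0100] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jul/2016:08:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jul/2016:08:00:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "http://example.net/" "Mozilla/5.0"
192.0.2.200 - - [12/Jul/2016:09:30:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.47.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probing_hosts(log_text, min_distinct_404s=4):
    """Return {host: sorted list of distinct 404'd paths} for hosts whose number of
    distinct missing paths reaches the threshold. One stray 404 (a missing favicon)
    is normal browsing; many distinct misses in a row is a path-list scan."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        misses[rec["host"]].add(rec["path"])
    return {h: sorted(p) for h, p in misses.items() if len(p) >= min_distinct_404s}


def deny_directives(hosts):
    """Apache 2.4 access-control lines for the flagged hosts. They belong inside a
    <RequireAll> block together with 'Require all granted'."""
    return [f"Require not ip {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    flagged = probing_hosts(SAMPLE_ACCESS_LOG)
    for host, paths in flagged.items():
        print(f"{host}: {len(paths)} distinct misses, e.g. {paths[:3]}")
    print("\n".join(deny_directives(flagged)))
```

Point the script at your own access log (`SAMPLE_ACCESS_LOG = open(path).read()`) and tune the threshold; the constant-update problem the post mentions is exactly why the emitted list should be regenerated rather than maintained by hand.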
 

Jeremy Harris

Senior Member
Use Shields UP for free at www.grc.com :eek:
Thanks for that link, it's very useful. Up until now I've been asking a friend, part of whose job is penetration testing very, very secure networks to do a quick check to see if there were any vulnerabilities that I hadn't closed down. That "Shields Up!" check confirmed that everything was locked down, and is far more convenient than me asking a favour!

FWIW I have spent a lot of time locking down things, every single one of them related to Windows. I've yet to see a single issue with any of the Linux machines, or my Linux home server, whereas recently my old version of Windows 7 has been made more vulnerable, and had data telemetry deliberately added without my consent, as a part of Microsoft's "update" process. I will admit to being more than a little surprised at how much data was being passed to Microsoft, or Microsoft-related, servers without my express consent or knowledge.

I expected Android to do this, as that's Google's published business model, give away the operating system free but collect lots of data from the user to pay for it. I rooted my Android tablet and installed a "Google-free" open source version, which runs a fair bit faster and offers just the same functionality, but without the Google Play Store or Google Maps (but there are very easy and safe ways around not having the Play Store and there is an Open Mapping Project Open Source map app that's a lot better than Google Maps). I knew that Microsoft had switched to the same business model with Windows 10; offer the OS for free (at least initially) but make money from all the user data it collects. I had no idea that Microsoft had, by the back door, added the same sort of "telemetry" to Windows 7, 8 and 8.1, though. Finding it was a bit of a surprise!
 

PhilHornby

Senior Member
IOT...

Use Shields UP for free at www.grc.com :eek:
(With respect), this misses the point I'm trying to make...

I run VPN/Web/DNS & Email servers on my home Internet connection. They are all 'secured', using their built-in functionality to the best of my ability. They are all designed to be publicly accessible, and so you should expect and be prepared for attacks on them.

The problems start, when you start relying on "security through obscurity", for your other (IOT) equipment...
...as in, who is going to know or care, that the "rabbit webcam" is available on port 93, or the Heating system is on port 15?...

Shodan.io is not only systematically probing - which anyone could do, if they had the inclination - it's collating its results and making them available in easily queryable form.

Since no-one has ported GRC to Picaxe or ESP8266, that is not going to help!

Reading through that "Mike Carthy blog", reveals that a researcher gained access to just the sort of things that I've seen contributors here build (garage door openers, water heaters etc.).

My advice (FWIW), is to put such systems behind a (modern) VPN, rather than just trying to hide them on an unusual IP port. (And use your firewall to prevent Shodan.io poking around to discover that you've got a VPN!)
 

fernando_g

Senior Member
My advice (FWIW), is to put such systems behind a (modern) VPN, rather than just trying to hide them on an unusual IP port. (And use your firewall to prevent Shodan.io poking around to discover that you've got a VPN!)
For us, the non-software gurus in this forum... what can we do? What is a modern VPN? Is that something one sets up on the router?
 

Pongo

Senior Member
More than likely, that means: "Thank you for using our service. We didn't find anything related to the IP address you specified but we'll be sure to interrogate it fully in our next round of scans." :eek: :p
That's an error message, not an "all clear". The shodan server should return a page for any correctly formatted IP address, so most likely there was an error in the IP.
 

neiltechspec

Senior Member
Turn off UPNP and do any port forwarding manually.

That way you have control over open ports, not devices on your network, especially cheap & nasty Chinese toys.

UPNP has caused me no end of grief over the past couple of years (in the CCTV arena).

Neil.
 

Jeremy Harris

Senior Member
For us, the non software gurus in this forum......what can we do? What is a modern VPN? Is that something one sets up on the router?
A VPN is a Virtual Private Network (some stuff here on Wikipedia explains it better than I can: https://en.wikipedia.org/wiki/Virtual_private_network )

In this context setting one up for "Internet of Things" devices, like CCTV cameras, heating controls etc, means that you are keeping your network connected stuff private, even if the actual connections are using the internet (for example, using a phone app to look at your home CCTV cameras).

This afternoon I used Shodan to see if a friend of mine has secured his CCTV cameras. I have his IP address, as we've exchanged emails, and I know he runs a home-assembled system of wifi CCTV cameras connected to an always-on PC. It turns out that he'd not secured his system at all, and I could easily receive all the images from his cameras, including an internal one he has set up as a baby monitor! I've emailed him some stills I took with some advice that he changes all the default passwords (they were all set on user name "admin", password "admin"...) and secures his system pretty quickly.

The worrying thing is that he installed this around 18 months ago, so it's been wide open for all that time. Admittedly it's not very interesting looking at images of his drive, front door, etc, but nevertheless a burglar could, I'm sure, take advantage of the lack of security and exploit it, as well as have knowledge as to when he and his family had left the house. I'm waiting for his reply when he gets home from work, as I bet he's not going to be happy about it.
 

PhilHornby

Senior Member
That's an error message, not an "all clear". The shodan server should return a page for any correctly formatted IP address, so most likely there was an error in the IP.
Tell Shodan.io, not me!

If you create an account, and issue a query like "net:1.2.3.4", it will return a "No results found" response. If you enter an IP address it knows about, e.g. "net:8.8.8.8", and then click "Details", it returns full results at the URL https://www.shodan.io/host/8.8.8.8

That's the format I gave in my first post - because it works without creating an account - but it's not the official way to use shodan.io; just my little "hack" ;)
 

PhilHornby

Senior Member
For us, the non software gurus in this forum......what can we do? What is a modern VPN? Is that something one sets up on the router?
To add to Jeremy's answer, I used the phrase "modern" to mean not "PPTP", which though still offered by many devices, was comprehensively hacked many years ago.
 

Jeremy Harris

Senior Member
Just come off the phone to the chap I emailed earlier. Shocked is probably too mild a term to describe his reaction! Apparently he had no idea at all that the default settings for his IP cameras were inherently insecure and working over open ports that anyone could look at!

He's not had time to look at making everything secure and has now turned off the internal camera (the baby alarm one) until he gets the system configured properly. He's asked me to pass on his sincere thanks here for the Shodan link and highlighting that he had a major problem. He's also, apparently, had a row with his other half, who wanted him to get a "proper" security company to install the cameras, rather than let him buy them from ebay and install the system himself...
 

Haku

Senior Member
Ahh so that explains a few things, thanks for the heads up.

I wondered how so many people have managed to find open (default or no password) webcams and post footage online of them trolling people through its internal speaker. Some funny videos on YouTube if you search for 'ip camera trolling', but also quite disturbing how open these things are from the get go and how ignorant a lot of people are about security regarding internet connected devices.
 

PhilHornby

Senior Member
Apparently he had no idea at all that the default settings for his IP cameras were inherently insecure and working over open ports that anyone could look at!
So presumably, he'd not intended them to be globally accessible at all; the system used UPNP to provide access via the router by default?
 

Jeremy Harris

Senior Member
So presumably, he'd not intended them to be globally accessible at all; the system used UPNP to provide access via the router by default?
It seems so, yes. I remember when he bought the parts for the system he told me that all just worked without him needing to do any setting up, and that fits with it being UPNP. I know he bought the cameras etc from a Chinese Ebay seller (may have been Alibaba or similar) and they were pretty cheap.
 

Jeremy Harris

Senior Member
Ahh so that explains a few things, thanks for the heads up.

I wondered how so many people have managed to find open (default or no password) webcams and post footage online of them trolling people through its internal speaker. Some funny videos on YouTube if you search for 'ip camera trolling', but also quite disturbing how open these things are from the get go and how ignorant a lot of people are about security regarding internet connected devices.
An awful lot of people just leave stuff on the default settings. Years ago, when I first installed a wifi system at home, I was a bit surprised to find that my laptop discovered several other wireless networks, most with the router's default name. One of them turned out to be the pub up the hill from me, and there was no protection at all on their wifi. I had a look and found that I could access everything on the PC they had connected, including their accounts (they were using Sage, IIRC). I walked up to the pub with my laptop, set it on the bar and showed the landlord that I could get into his accounts, edit or delete files, etc, as he'd no security at all on his network.

It turned out he hadn't installed it, a local "computer chap" had. I logged into his router and showed him how to set up a secure system (not that secure, because this was before WPA came along) and suggested he should change the admin login and password to something more secure than the defaults. I also suggested he turned off broadcasting, as that was how I'd spotted his network in the first place.

I doubt that he's alone in having done something like this; I rather suspect large numbers of people behave the same way. It's going to take time for the message that the internet is inherently untrustworthy, and always needs to be viewed as if there are hordes of rogues trying to steal your data or take over your machine. Sadly, very few people seem genuinely concerned about privacy and security, they will just install any old programme or application.
 

cravenhaven

Senior Member
A couple of years ago my mother was having some trouble with the voip configuration of their router and contacted their ISP. The ISP remotely connected to their local computer and then back into the router to fix their problem but also reset the login details to defaults. I was amazed to see this and listen to my mother tell me that the ISP engineer suggested they leave the login as he'd set it. I promptly changed it back to the previous config. It was particularly odd given that this particular ISP is well known in OZ for their highly technical support staff.
 

grim_reaper

Senior Member
Jeremy; I was half expecting you to come back with a response from your friend along the lines of "don't worry - that's a decoy - those images are from some other bloke's house a few streets down..."

Guess I'm getting optimistic in my old age!
 

PhilHornby

Senior Member
Another IP range to block...

I followed up the IP address it came from (198.20.70.112) and apparently, it is something called http://shodan.io (198.20.64.0/18 is the range if you want to block it...)
It paid me a repeat visit today, but from a different IP address :mad:

The IP address it used was 71.6.158.166, which comes from the range 71.6.158.128 - 71.6.158.191. Details for your firewall: 71.6.158.128 netmask 255.255.255.192 (i.e. /26)
 
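As an added example, not code from Phil or from any project: a Python script that does the follow-up Phil describes in his first post and in this one, matching the SRC= address of each firewall-log line against the two Shodan ranges quoted in this thread (198.20.64.0/18, seen as 198.20.70.112, and 71.6.158.128/26, seen as 71.6.158.166) and printing the dotted netmask form that many consumer routers want. The log-line format and sample lines are constructed (a Linux netfilter-style layout with RFC 5737 documentation addresses for the home side), and the destination ports in them are illustrative assumptions. The ranges are the ones named in the thread at the time and may have changed since; as hippy's later reply points out, blocking a known scanner's published ranges does nothing about scans delegated to other hosts, so treat this as log triage rather than protection.

```python
import ipaddress
import re

# The two ranges named in this thread as Shodan's scanners (as of the posts above).
SHODAN_RANGES = [
    ipaddress.ip_network("198.20.64.0/18"),
    ipaddress.ip_network("71.6.158.128/26"),
]

# Constructed sample lines in a netfilter-style router log. The home address
# (192.0.2.10) and destination ports are illustrative, not from a real log.
SAMPLE_LOG = """\
Jul 12 03:14:07 router kernel: DROP IN=ppp0 SRC=198.20.70.112 DST=192.0.2.10 PROTO=UDP SPT=41234 DPT=500
Jul 12 03:14:09 router kernel: DROP IN=ppp0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22
Jul 12 09:01:55 router kernel: DROP IN=ppp0 SRC=71.6.158.166 DST=192.0.2.10 PROTO=TCP SPT=60211 DPT=1723
Jul 13 11:22:33 router kernel: ACCEPT IN=ppp0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=443
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
DPT_RE = re.compile(r"\bDPT=(\d+)\b")


def classify_source(ip_str, ranges=SHODAN_RANGES):
    """Return the containing CIDR as a string if ip_str falls inside one of `ranges`, else None.
    Uses the ipaddress module so the prefix arithmetic is done correctly rather than by string prefix."""
    ip = ipaddress.ip_address(ip_str)
    for net in ranges:
        if ip in net:
            return str(net)
    return None


def find_scanner_hits(log_text, ranges=SHODAN_RANGES):
    """Parse SRC=/DPT= fields from each log line and return (src, dport, matched_range)
    for every line whose source sits inside a known scanner range."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        net = classify_source(src, ranges)
        if net is None:
            continue
        d = DPT_RE.search(line)
        dport = int(d.group(1)) if d else None
        hits.append((src, dport, net))
    return hits


def netmask_for(cidr):
    """Dotted netmask for a CIDR, e.g. /26 -> 255.255.255.192, the form many router firewall UIs ask for."""
    return str(ipaddress.ip_network(cidr).netmask)


if __name__ == "__main__":
    for src, dport, net in find_scanner_hits(SAMPLE_LOG):
        print(f"{src} probed port {dport}: inside {net} "
              f"(block as {net.split('/')[0]} netmask {netmask_for(net)})")
```

Adjust `SRC_RE` to your own router's log layout; everything else is independent of the log format. The interesting output is not the Shodan lines themselves but which of your ports they were aimed at, since that is what Shodan will have recorded.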

PhilHornby

Senior Member
Presumably they just have several different IP ranges allocated to them ... maybe they use servers in different data centres?

Actually, I'm not that upset that they returned - hopefully they will now update their database to say "nothing to see here, move along!"
 

hippy

Technical Support
Staff member
One would also presume that scanning can be delegated to any server which can run that scan, including Cloud hosts, which would likely have their own IP addresses.

It could also be that the scan isn't necessarily from the same people. Some ISPs commission third parties to scan their customers to ensure they aren't doing anything they shouldn't or to help keep them safe. And there are numerous people who want to see what is out there they can or could exploit.
 