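Blocking the Censys scanner, and allowing only Cloudflare to reach the origin

This post applies only to Nginx users.

Censys is an internet search engine that can find servers on the internet by IP address, port, and domain name. The project's original purpose is to help network administrators discover and defend against threats, and to support security compliance and research. At the same time, this means that anything "exposed to the public internet" will be scanned, and others can use the engine to find your origin server and attack it directly, bypassing the CDN / WAF. This post explains how to block Censys scans.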


Added a simpler method using ufw (see the 09/09/2023 update below).


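Getting the IP ranges used by the Censys scanner

First, we need to know which IP addresses Censys uses to scan the internet. According to the information published on its official website, it uses the following IP CIDRs: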

162.142.125.0/24
167.94.138.0/24
167.94.145.0/24
167.94.146.0/24
167.248.133.0/24
2602:80d:1000:b0cc:e::/80
2620:96:e000:b0cc:e::/80

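If you are worried that this information is out of date, you can also look up the IP prefixes announced under Censys's ASN; the AS it uses is

Importing the IP CIDRs into a configuration file

Create a new file named censys-ips.conf under /etc/nginx/conf/ and write the following into it

Note: use the actual installation path of your Nginx. For example, if you use the BaoTa (BT) Panel, the configuration file should be placed in /www/server/nginx/conf/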

# Censys IP CIDR
# https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Data-Collection

# IPv4
deny 162.142.125.0/24;
deny 167.94.138.0/24;
deny 167.94.145.0/24;
deny 167.94.146.0/24;
deny 167.248.133.0/24;

# IPv6
deny 2602:80d:1000:b0cc:e::/80;
deny 2620:96:e000:b0cc:e::/80;

Blocking Censys

Then open the Nginx configuration of the site you want to protect and add the following inside the server block

    # Block Censys
    include /etc/nginx/conf/censys-ips.conf;

Then save the file and reload Nginx

sudo systemctl reload nginx

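(Optional) Allowing only Cloudflare to reach the origin

If you use Cloudflare's CDN, you can use the same method to accept origin requests only from Cloudflare and block direct access to the origin server.

Create a new file named cloudflare-ips.conf under /etc/nginx/conf/ and write the following into it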

# https://www.cloudflare.com/ips
# IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
allow 172.64.0.0/13;
allow 131.0.72.0/22;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

Then add the following to the server block of the site's Nginx configuration file

# Only allow Cloudflare to reach the origin
include /etc/nginx/conf/cloudflare-ips.conf;
deny all;

Combining the two:

# Block Censys
include /etc/nginx/conf/censys-ips.conf;
# Only allow Cloudflare to reach the origin
include /etc/nginx/conf/cloudflare-ips.conf;
deny all;

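In addition, if every site on your server sits behind the Cloudflare CDN, you can write the above directly into the main Nginx configuration. All sites on the server will then accept inbound traffic only from Cloudflare CDN nodes, and Censys will be blocked.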
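The combined block above depends on Nginx checking allow/deny rules in order and stopping at the first match. The following is an added example, not part of the original post: a small Python model of that evaluation, useful for checking rule order before a reload. The embedded rule text is a constructed subset of the CIDRs listed on this page, and parse_rules, decide, COMBINED and MISORDERED are hypothetical names.

```python
import ipaddress

# Constructed stand-ins for the two include files; the CIDRs are taken from
# this page (both lists are shortened to a subset for brevity).
CENSYS_CONF = """
# IPv4
deny 162.142.125.0/24;
deny 167.94.138.0/24;
# IPv6
deny 2602:80d:1000:b0cc:e::/80;
"""
CLOUDFLARE_CONF = """
allow 173.245.48.0/20;
allow 104.16.0.0/13;
allow 2606:4700::/32;
"""

def parse_rules(text):
    """Parse nginx allow/deny directives into (action, network-or-None) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Return the action of the first matching rule (nginx stops at the first match)."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # no rule matched: the access module does not restrict the request

# Same order as the combined server block on this page.
COMBINED = parse_rules(CENSYS_CONF + CLOUDFLARE_CONF + "deny all;")
# What happens if "deny all;" is mistakenly placed before the allow list.
MISORDERED = parse_rules("deny all;" + CLOUDFLARE_CONF)

if __name__ == "__main__":
    for ip in ("162.142.125.10", "104.16.1.1", "203.0.113.7", "2606:4700::1"):
        print(f"{ip:>16} -> {decide(COMBINED, ip)}")
```

Nginx applies these rules to the address of the connecting client, so a request that reaches the origin directly is judged by the visitor's own IP and falls through to deny all.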


09/09/2023 Update:

Here is a simpler method. If you use UFW, you can run:

sudo ufw deny from 162.142.125.0/24
sudo ufw deny from 167.94.138.0/24
sudo ufw deny from 167.94.145.0/24
sudo ufw deny from 167.94.146.0/24
sudo ufw deny from 167.248.133.0/24
sudo ufw deny from 2602:80d:1000::/48
sudo ufw deny from 2620:96:e000::/48

Then

sudo ufw enable

In addition, if you also want to block other common scanners, such as Merit and IPIP.net, you can use the following commands to block them all together

sudo ufw enable
ufw status