zmap
| zmap | iptables-autobanner | |
|---|---|---|
| 2 | 1 | |
| 5,718 | - | |
| 1.7% | - | |
| 8.1 | - | |
| about 16 hours ago | - | |
| C | ||
| Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
zmap
-
What You Get After Running an SSH Honeypot for 30 Days
A lot of these seem to use zmap (https://github.com/zmap/zmap) or massscan (https://github.com/robertdavidgraham/masscan) for the initial scan.
Often with default parameters such as zmap setting ip id to 54321, having tcp initial window at 65535, having no SACK bit set and masscan with no SACK bit either, tcp initial window at 1024, tcp maximum segment size 1460 (which is strange to put below initial window size!), (older versions having fixed src port 61000 or 60000 from documentation examples and no MSS set), all of which are extremly uncommon in legitimate traffic and thus easily identified.
Even those so called "legitimate" scanners (emphasis on the "") seem to use these tools with little or no extra configuration.
-
Masscan: Scan the entire Internet in under 5 minutes
If masscan is of interest to you, be sure to check out zmap [0] as well. It can scan the entire IPv4 address space in around 45 minutes.
0: https://github.com/zmap/zmap
iptables-autobanner
-
What You Get After Running an SSH Honeypot for 30 Days
I have a utility that parses ssh failed attempts and creates iptables blocklists:
https://gitlab.com/mtekman/iptables-autobanner
For those just wanting the blocklist, here is a table of malicious IP addresses, with columns of: address, number of ports tried, number of usernames tried.
https://upaste.de/bgC
What are some alternatives?
masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
where-are-the-scanners - This tool visualizes the location of the scanners.
masscan_as_a_service - masscan as a service
self-hosted-mailserver - A set of ansible scripts, to set up fully functional, self-hosted mailserver
netscan - A fast TCP port scanner
referrer-spam-list - Community-contributed list of referrer spammers. Comment +1 in any issue or Pull request and the spammer will be added to the list!