Hi
From time to time, I get this warning message in HA:
Login attempt or request with invalid authentication from security.criminalip.com (89.248.168.138). (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36)
2fa is on, and it doesn’t look like they’ve succeeded getting in.
What is security.criminalip.com? Their “web site” says that they’re good guys and not much else.
Their IP changes as well. The last two times it’s been 93.174.93.76 and 89.248.168.138.
What’s going on? Should they be blocked, or is there anything else that needs to be done?
Helge
They provide another corporate email address for contact on the website that points to a security company AI Spera. Service seems similar to shodan.io, in that they build datasets of scanned data for reputation measurement etc. for sales targeted at the Asia Pacific market - sample at AI SPERA | 에이아이스페라
Unfortunately this is the nature of the beast - you could email their provided contact address for an opt-out.
My understanding is not as robots.txt is basically a polite request to not scan - there are a number of major security appliance providers (Checkpoint etc.) who attempt to block Shodan via definitions etc. without success.
In my day job I’ve had some success with requesting exclusion from scans but only white-hat services will do so obviously.
We get hit with no end of this type of scan periodically at work and it just clutters up the logs.
If this is the only scan appearing in your logs it may be worth requesting an exclusion if you have a fixed public IP rather than dynamic otherwise I’d personally just consider it static.
That said, the usual disclaimers apply in that I’ve not had to deal with it personally - I’m running via Nabu Casa at home and our work services have some heavyweight security appliances at the door and layered defences throughout the network.