An API for ssh_scan (https://github.com/mozilla/ssh_scan) and the backend API service for the Mozilla SSH Observatory (https://observatory.mozilla.org/)
Should we allow scanning localhost/127/RFC1918? #54
I was thinking this would be a no-brainer, but then again, I kind of want to scan localhost. I suppose maybe this could be just adding features that describe what can/cannot be scanned, in case someone runs this on their edge and wants to prevent internal scanning from external sources.
I suppose one simple solution would be to allow the ability to restrict RFC1918 ranges in the API config and reject any submission requests for that. This could be just a set of CIDRs or individual addrs that we check before we scan.
It's currently not an issue as we host the service in a VPS, but would be more relevant if we self-hosted.
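One way to implement the check proposed above, as an added example that is not part of ssh_scan_api: an operator-configurable deny-list of CIDRs and individual addresses that is consulted before a submission is accepted. The class name `ScanTargetPolicy`, the default list and the sample targets are all constructed for this illustration. The example goes slightly beyond the proposal in two respects a practitioner would want: it covers IPv6 loopback and link-local ranges alongside RFC1918, and it unwraps IPv4-mapped IPv6 literals so that `::ffff:10.0.0.1` cannot slip past a rule written for `10.0.0.0/8`.

```ruby
require 'ipaddr'

# Constructed example (not ssh_scan_api code): a scan-target policy that rejects
# submissions whose target falls in loopback, link-local or RFC1918 space.
class ScanTargetPolicy
  # Default deny-list used when the operator configures nothing. Any entry may
  # be a CIDR or a bare address; IPAddr treats a bare address as a /32 or /128.
  DEFAULT_BLOCKED = %w[
    127.0.0.0/8
    ::1/128
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
    169.254.0.0/16
    fc00::/7
    fe80::/10
  ].freeze

  # +blocked+ would come from the API config file in a real deployment
  # (the config key name is up to the operator; none is assumed here).
  def initialize(blocked = DEFAULT_BLOCKED)
    @blocked = blocked.map { |entry| IPAddr.new(entry) }
  end

  # True when +target+ (an IP literal) lies inside any blocked range.
  # Hostnames must be resolved by the caller and every resolved address
  # checked individually, otherwise a name that resolves to an internal
  # address bypasses the policy entirely.
  def blocked?(target)
    ip = IPAddr.new(target)
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) to its IPv4 form so that
    # IPv4 rules still apply to it.
    ip = ip.native if ip.ipv4_mapped?
    @blocked.any? { |range| range.family == ip.family && range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    # Malformed or non-literal input is refused rather than scanned.
    true
  end

  # Convenience for an API handler: nil when the target is allowed, otherwise
  # a short reason string suitable for a 4xx response body.
  def reject_reason(target)
    blocked?(target) ? "target #{target} is in a blocked range or is not a valid IP literal" : nil
  end
end
```

In an API handler the call would be `policy.reject_reason(params['target'])` before the scan is queued; when it returns a string, answer with a client error instead of scheduling the job. Using the IPAddr family check avoids comparing an IPv6 address against an IPv4 range, which some Ruby versions treat as a no-match and others historically raised on.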