https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93393#M43846 <P>We are aslo observing the simmilar kind of traffic triggering from the IP's listed in that article.</P><P>&nbsp;</P><P>blocking individual IP is not good idea but if there is any way that we can block IP's thase resolves to *<SPAN>shodan.io will be best approach.</SPAN></P><P>&nbsp;</P><P>Im not sure how we can do this <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> Thu, 30 Jun 2016 10:50:05 GMT KotreshaMC 2016-06-30T10:50:05Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93379#M43835 <P>Hello,</P><P>&nbsp;</P><P>Anyone have successfully block scanning from shodan.io? &nbsp; <A href="http://www.shodan.io" target="_blank">www.shodan.io</A> &nbsp;?</P><P>&nbsp;</P><P>It looks like Checkpoint has written specific signature to block shodan scanning, &nbsp;<A href="http://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/" target="_blank">http://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/</A></P><P>&nbsp;</P><P>-E</P> Thu, 30 Jun 2016 01:21:07 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93379#M43835 nextgenhappines 2016-06-30T01:21:07Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93393#M43846 <P>We are aslo observing the simmilar kind of traffic triggering from the IP's listed in that article.</P><P>&nbsp;</P><P>blocking individual IP is not good idea but if there is any way that we can block IP's thase resolves to *<SPAN>shodan.io will be best approach.</SPAN></P><P>&nbsp;</P><P>Im not sure how we can do this <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> Thu, 30 Jun 2016 10:50:05 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93393#M43846 KotreshaMC 2016-06-30T10:50:05Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93394#M43847 <P>Why would you block scanning from Shodan only?</P><P>Set up a zone protection profile which will protect you from all scans. Furthermore make sure that your firewall policy only allows traffic to services which need to be visible from whole internet (web servers, mail server..). And those servers must be hardened in any case so nothing to fear there.</P><P>&nbsp;</P> Thu, 30 Jun 2016 11:07:11 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93394#M43847 santonic 2016-06-30T11:07:11Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93405#M43853 <P>Blocking ip may help initally, but I am not going to make it my day job to keep on monitoring if they decided to change ip or add another new scanner. &nbsp; &nbsp;I submit an app-id request to PAN for shodan.io scan.</P><P>&nbsp;</P><P>-E</P> Thu, 30 Jun 2016 14:29:46 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93405#M43853 nextgenhappines 2016-06-30T14:29:46Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93406#M43854 <P>Hi Santonic,</P><P>&nbsp;</P><P>Why not block these scanners? &nbsp;I already have zone protection profile configured, shodan is a very slow scanner, it will not get flag by ZP. &nbsp; &nbsp;Sometime you may have some servers that you are just need to open to anyone (with some exceptions). &nbsp;</P><P>&nbsp;</P><P>-E</P> Thu, 30 Jun 2016 14:32:14 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93406#M43854 nextgenhappines 2016-06-30T14:32:14Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93420#M43860 <P>Couldn't you just use URL Filtering to disable access to that domain? Wouldn't that be easier then worrying about what IP is accessing that traffic.</P> Thu, 30 Jun 2016 17:42:57 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93420#M43860 BPry 2016-06-30T17:42:57Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93450#M43864 It's inbound not outbound traffic. Fri, 01 Jul 2016 06:03:06 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93450#M43864 KotreshaMC 2016-07-01T06:03:06Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93452#M43865 <P>There is one another way i found,</P><P>we can create the objets with the FQDN provided in the article and create security policy for it &nbsp;(FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle) so this might helpful in blocking the IP that resolves to specified shodan domain.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Jul 2016 07:54:03 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/93452#M43865 KotreshaMC 2016-07-01T07:54:03Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/149280#M49760 <P>+Bump</P><P>&nbsp;</P><P>Does Palo have simlar IPS sigs as checkpoint?</P><P>&nbsp;</P><UL><LI>Shodan.io Internet Of Things Portal</LI><LI>Shodan Scanner ISAKMP Request</LI><LI>Shodan Scanner SIP Request<BR />Shodan Scanner BACNET Request</LI><LI>Shodan Scanner GTP Request</LI><LI>Shodan Scanner ENIP Request</LI></UL><P>&nbsp;</P><P>I tried looking through Threat Vault but couldn't find anyting.</P> Fri, 24 Mar 2017 03:09:03 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/149280#M49760 Brandon_Wertz 2017-03-24T03:09:03Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/149307#M49771 <P>I don't exactly see why would there be need for shodan specific signatures.</P><P>&nbsp;</P><P>First of all make sure that all inbound traffic is blocked with firewall policy, except for servers snd services which need to be visible from all interenet (web servers, smtp, IPSEC...).</P><P>&nbsp;</P><P>Services which need to be visible to internet need to be hardened and secured. For these services Shodan is the least of your worries. You want them secured from hackers and malware, not just Shodan. So why specific signature for Shodan traffic? &nbsp;</P> Fri, 24 Mar 2017 06:56:20 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/149307#M49771 santonic 2017-03-24T06:56:20Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/308373#M80001 <P>Maybe because the customer asked for it?&nbsp;</P> Tue, 28 Jan 2020 21:42:42 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/308373#M80001 j04nMan 2020-01-28T21:42:42Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/556656#M112989 <P>correction there: FQDN will refresh in 30 seconds.<BR /><BR />I was hoping if we could use domain based EDL in source but that isn't working.<BR />Is there any way to get the most latest list of shodan.io subdomains/IP addresses</P> Wed, 06 Sep 2023 05:07:15 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/556656#M112989 UtkarshB 2023-09-06T05:07:15Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/556658#M112990 <P>Did that work out!<BR /><BR />Is there any app-ID yet for shodan.io<BR />I don't see</P> Wed, 06 Sep 2023 05:13:37 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/556658#M112990 UtkarshB 2023-09-06T05:13:37Z https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/588495#M117328 <P>If you block the known bad actors list, shodan is on that list.</P> Fri, 31 May 2024 12:32:46 GMT https://live.paloaltonetworks.com/t5/general-topics/block-scanning-from-shodan/m-p/588495#M117328 m.brewster 2024-05-31T12:32:46Z