Block scanning from shodan

L4 Transporter

Hello,

Has anyone successfully blocked scanning from shodan.io (www.shodan.io)?

It looks like Check Point has written a specific signature to block Shodan scanning: http://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/

-E

L3 Networker

Re: Block scanning from shodan

We are also observing similar traffic from the IPs listed in that article.

Blocking individual IPs is not a good idea, but if there is any way we can block IPs that resolve to *shodan.io, that will be the best approach.

I'm not sure how we can do this :(

Kotresha
ACE
L5 Sessionator

Re: Block scanning from shodan

Why would you block scanning from Shodan only?

Set up a zone protection profile, which will protect you from all scans. Furthermore, make sure that your firewall policy only allows traffic to services which need to be visible from the whole internet (web servers, mail servers, ...). And those servers must be hardened in any case, so nothing to fear there.

L4 Transporter

Re: Block scanning from shodan

Blocking IPs may help initially, but I am not going to make it my day job to keep monitoring whether they decide to change IPs or add another new scanner. I have submitted an App-ID request to PAN for the shodan.io scan.

-E

L4 Transporter

Re: Block scanning from shodan

Hi Santonic,

Why not block these scanners? I already have a zone protection profile configured; Shodan is a very slow scanner, so it will not get flagged by ZP. Sometimes you have servers that you just need to open to anyone (with some exceptions).


-E
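The point made in the post above (a rate-based zone protection threshold catches a burst scanner but not one that probes a port every hour or two) can be shown on firewall traffic logs. The following is an added example, not code from the thread or from Palo Alto Networks: it builds a constructed traffic log in a simplified "time,src,dst,dport,action" form, then runs the same distinct-port counter twice, once with a short window and a high threshold (approximating a per-second reconnaissance threshold) and once with a 24-hour window and a low threshold. The IP addresses, log format and threshold values are all assumptions made up for the demonstration.

```python
"""Fast vs. slow port-scan detection over constructed traffic-log lines.

Added example, not from the original thread. The log format, the
thresholds and every IP address are assumptions; adapt parse_line()
to the real export format of your firewall.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def build_sample_log():
    """Constructed sample log: one fast scanner, one slow scanner, one client."""
    base = datetime(2016, 1, 5, 0, 0, 0)
    lines = []
    # Fast scanner: 25 distinct ports within two seconds (80 ms apart).
    for i in range(25):
        t = base + timedelta(milliseconds=80 * i)
        lines.append(f"{t:{TIME_FMT}},203.0.113.10,198.51.100.5,{1000 + i},deny")
    # Slow scanner: 12 distinct ports, one probe every 100 minutes.
    for i in range(12):
        t = base + timedelta(minutes=100 * i)
        lines.append(f"{t:{TIME_FMT}},203.0.113.77,198.51.100.5,{2000 + i},deny")
    # Legitimate client: repeated hits to a single published service.
    for i in range(40):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t:{TIME_FMT}},192.0.2.8,198.51.100.5,443,allow")
    return "\n".join(lines)


def parse_line(line):
    """Parse one constructed log line into a dict (assumed column order)."""
    ts, src, dst, dport, action = line.strip().split(",")
    return {"time": datetime.strptime(ts, TIME_FMT), "src": src,
            "dst": dst, "dport": int(dport), "action": action}


def sources_over_threshold(events, window, min_distinct_ports):
    """Return sources that touch >= min_distinct_ports within any `window`.

    Sliding window per source: a Counter tracks how many events for each
    destination port are inside the window, so the number of keys is the
    number of distinct ports currently in view.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        in_window, left = Counter(), 0
        for ev in evs:
            in_window[ev["dport"]] += 1
            # Drop events that fell out of the window as it slides forward.
            while ev["time"] - evs[left]["time"] > window:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_distinct_ports:
                flagged.add(src)
                break
    return flagged


def detect(log_text):
    """Run a short-window (rate-style) and a long-window (slow-scan) check."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        # Approximates a per-interval reconnaissance threshold: 20 ports in 2 s.
        "fast": sources_over_threshold(events, timedelta(seconds=2), 20),
        # Long-window check: 10 distinct ports from one source within 24 h.
        "slow": sources_over_threshold(events, timedelta(hours=24), 10),
    }


if __name__ == "__main__":
    for kind, srcs in detect(build_sample_log()).items():
        print(kind, sorted(srcs))
```

With the constructed data the short-window check flags only 203.0.113.10, while the 24-hour check flags both scanners and leaves the client that keeps hitting port 443 alone. The distinct-port count over a long window is the check that needs to exist somewhere (a SIEM query or a log-forwarding rule) if slow scanners are a concern, because a per-second threshold never sees more than one of their probes at a time.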

L7 Applicator

Re: Block scanning from shodan

Couldn't you just use URL Filtering to disable access to that domain? Wouldn't that be easier than worrying about what IP is generating that traffic?

L3 Networker

Re: Block scanning from shodan

It's inbound not outbound traffic.
Kotresha
ACE
L3 Networker

Re: Block scanning from shodan

There is another way I found.

We can create address objects with the FQDNs provided in the article and create a security policy for them (the FQDN initially resolves at commit time; entries are subsequently refreshed when the firewall performs a check every 30 minutes, and all changes in the IP addresses for the entries are picked up at the refresh cycle), so this might be helpful in blocking the IPs that resolve to the specified Shodan domains.


Kotresha
ACE
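To show what the FQDN-object approach in the post above looks like in configuration, here is an added example that is not from the thread or from Palo Alto Networks. It turns a list of scanner hostnames into PAN-OS CLI `set` commands: one FQDN address object per name, a static address group, a deny rule from the untrusted zone, and a `move ... top` so the deny is evaluated before the allow rules. The hostnames below are placeholders (the Check Point article's list is not reproduced on this page), and the zone names, object names, rule name and the 63-character name limit are assumptions to check against your own deployment. The validator deliberately rejects wildcard entries such as `*.shodan.io`, because an FQDN object resolves one specific name, not a domain pattern.

```python
"""Generate PAN-OS 'set' commands for FQDN address objects and a deny rule.

Added example, not from the thread. Hostnames are placeholders; zone
names, object/rule names and the name-length limit are assumptions.
"""
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens, a TLD of letters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
MAX_OBJECT_NAME = 63  # assumed PAN-OS object-name limit; verify for your release

# Placeholder list standing in for the scanner FQDNs named in the article.
PLACEHOLDER_FQDNS = ["scanner1.example.net", "scanner2.example.net"]


def object_name(fqdn):
    """Derive a deterministic address-object name from the FQDN."""
    name = "fqdn-" + re.sub(r"[^A-Za-z0-9_.-]", "-", fqdn)
    return name[:MAX_OBJECT_NAME]


def normalize(fqdn):
    """Lowercase, strip whitespace and a trailing dot; reject non-hostnames."""
    f = fqdn.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(f):
        # Wildcards ("*.shodan.io") land here: FQDN objects cannot express them.
        raise ValueError(f"not a valid FQDN for an address object: {fqdn!r}")
    return f


def build_config(fqdns, group="scanner-fqdns", rule="block-scanner-fqdns",
                 from_zone="untrust", to_zone="trust"):
    """Return the list of PAN-OS CLI commands for the block (assumed zone names)."""
    names = sorted({normalize(f) for f in fqdns})  # dedupe after normalizing
    cmds = [f"set address {object_name(f)} fqdn {f}" for f in names]
    members = " ".join(object_name(f) for f in names)
    cmds.append(f"set address-group {group} static [ {members} ]")
    cmds.append(f"set rulebase security rules {rule} from {from_zone} to {to_zone} "
                f"source {group} destination any application any service any action deny")
    # Security rules are matched top-down; a deny appended below an allow never fires.
    cmds.append(f"move rulebase security rules {rule} top")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_config(PLACEHOLDER_FQDNS)))
```

The caveat from the post still applies after this is committed: the objects hold whatever the names resolved to at the last refresh, so a scanner that moves to a new address is only blocked once the next resolution cycle has run, and a scanner with no published hostname at all is not covered by this method.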
L6 Presenter

Re: Block scanning from shodan

+Bump

 

Does Palo Alto have similar IPS sigs to Check Point?

  • Shodan.io Internet Of Things Portal
  • Shodan Scanner ISAKMP Request
  • Shodan Scanner SIP Request
  • Shodan Scanner BACNET Request
  • Shodan Scanner GTP Request
  • Shodan Scanner ENIP Request

I tried looking through Threat Vault but couldn't find anything.

L5 Sessionator

Re: Block scanning from shodan

I don't exactly see why there would be a need for Shodan-specific signatures.

First of all, make sure that all inbound traffic is blocked with firewall policy, except for servers and services which need to be visible from the whole internet (web servers, SMTP, IPsec, ...).

Services which need to be visible to the internet need to be hardened and secured. For these services Shodan is the least of your worries. You want them secured from hackers and malware, not just Shodan. So why a specific signature for Shodan traffic?
