Anyone have successfully block scanning from shodan.io? www.shodan.io ?
It looks like Checkpoint has written specific signature to block shodan scanning, http://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/
We are aslo observing the simmilar kind of traffic triggering from the IP's listed in that article.
blocking individual IP is not good idea but if there is any way that we can block IP's thase resolves to *shodan.io will be best approach.
Im not sure how we can do this :(
Why would you block scanning from Shodan only?
Set up a zone protection profile which will protect you from all scans. Furthermore make sure that your firewall policy only allows traffic to services which need to be visible from whole internet (web servers, mail server..). And those servers must be hardened in any case so nothing to fear there.
Blocking ip may help initally, but I am not going to make it my day job to keep on monitoring if they decided to change ip or add another new scanner. I submit an app-id request to PAN for shodan.io scan.
Why not block these scanners? I already have zone protection profile configured, shodan is a very slow scanner, it will not get flag by ZP. Sometime you may have some servers that you are just need to open to anyone (with some exceptions).
There is one another way i found,
we can create the objets with the FQDN provided in the article and create security policy for it (FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle) so this might helpful in blocking the IP that resolves to specified shodan domain.
Does Palo have simlar IPS sigs as checkpoint?
I tried looking through Threat Vault but couldn't find anyting.
I don't exactly see why would there be need for shodan specific signatures.
First of all make sure that all inbound traffic is blocked with firewall policy, except for servers snd services which need to be visible from all interenet (web servers, smtp, IPSEC...).
Services which need to be visible to internet need to be hardened and secured. For these services Shodan is the least of your worries. You want them secured from hackers and malware, not just Shodan. So why specific signature for Shodan traffic?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!