Block scanning from shodan

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block scanning from shodan

L4 Transporter



Anyone have successfully block scanning from  ?


It looks like Checkpoint has written specific signature to block shodan scanning,




L3 Networker

We are aslo observing the simmilar kind of traffic triggering from the IP's listed in that article.


blocking individual IP is not good idea but if there is any way that we can block IP's thase resolves to * will be best approach.


Im not sure how we can do this 😞 


Why would you block scanning from Shodan only?

Set up a zone protection profile which will protect you from all scans. Furthermore make sure that your firewall policy only allows traffic to services which need to be visible from whole internet (web servers, mail server..). And those servers must be hardened in any case so nothing to fear there.


Blocking ip may help initally, but I am not going to make it my day job to keep on monitoring if they decided to change ip or add another new scanner.    I submit an app-id request to PAN for scan.



Hi Santonic,


Why not block these scanners?  I already have zone protection profile configured, shodan is a very slow scanner, it will not get flag by ZP.    Sometime you may have some servers that you are just need to open to anyone (with some exceptions).  



Couldn't you just use URL Filtering to disable access to that domain? Wouldn't that be easier then worrying about what IP is accessing that traffic.

It's inbound not outbound traffic.

There is one another way i found,

we can create the objets with the FQDN provided in the article and create security policy for it  (FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle) so this might helpful in blocking the IP that resolves to specified shodan domain.






Does Palo have simlar IPS sigs as checkpoint?


  • Internet Of Things Portal
  • Shodan Scanner ISAKMP Request
  • Shodan Scanner SIP Request
    Shodan Scanner BACNET Request
  • Shodan Scanner GTP Request
  • Shodan Scanner ENIP Request


I tried looking through Threat Vault but couldn't find anyting.

I don't exactly see why would there be need for shodan specific signatures.


First of all make sure that all inbound traffic is blocked with firewall policy, except for servers snd services which need to be visible from all interenet (web servers, smtp, IPSEC...).


Services which need to be visible to internet need to be hardened and secured. For these services Shodan is the least of your worries. You want them secured from hackers and malware, not just Shodan. So why specific signature for Shodan traffic?  

Maybe because the customer asked for it? 

correction there: FQDN will refresh in 30 seconds.

I was hoping if we could use domain based EDL in source but that isn't working.
Is there any way to get the most latest list of subdomains/IP addresses

Did that work out!

Is there any app-ID yet for
I don't see

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!