06-29-2016 06:21 PM
Hello,
Has anyone successfully blocked scanning from shodan.io (www.shodan.io)?
It looks like Checkpoint has written specific signature to block shodan scanning, http://blog.checkpoint.com/2016/01/04/check-point-threat-alert-shodan/
-E
06-30-2016 03:50 AM
We are also observing similar traffic coming from the IPs listed in that article.
Blocking individual IPs is not a good idea, but if there is any way we can block IPs that resolve to *.shodan.io, that would be the best approach.
I'm not sure how we can do this 😞
06-30-2016 04:07 AM
Why would you block scanning from Shodan only?
Set up a zone protection profile, which will protect you from all scans. Furthermore, make sure that your firewall policy only allows traffic to services which need to be visible from the whole internet (web servers, mail server...). And those servers must be hardened in any case, so nothing to fear there.
06-30-2016 07:29 AM
Blocking IPs may help initially, but I am not going to make it my day job to keep monitoring whether they decide to change IPs or add another new scanner. I submitted an App-ID request to PAN for the shodan.io scan.
-E
06-30-2016 07:32 AM
Hi Santonic,
Why not block these scanners? I already have a zone protection profile configured; Shodan is a very slow scanner, so it will not get flagged by ZP. Sometimes you may have some servers that you just need to open to anyone (with some exceptions).
-E
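A defender-side illustration of the point above, that a slow scanner stays under rate-based zone protection thresholds, added here as an example and not code from this thread or from Palo Alto Networks. It runs over a small constructed traffic log (hypothetical addresses, a simplified CSV rather than the real PAN-OS log format) and compares the per-second peak a threshold would see with a long-window count of distinct destination ports per source.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample traffic log (not real Shodan traffic or PAN-OS output):
# timestamp, source IP, destination IP, destination port, action.
SAMPLE_LOG = """\
2016-06-29T08:00:05,198.51.100.7,203.0.113.10,22,deny
2016-06-29T09:14:40,198.51.100.7,203.0.113.10,443,allow
2016-06-29T11:02:13,198.51.100.7,203.0.113.10,8080,deny
2016-06-29T13:37:59,198.51.100.7,203.0.113.10,3389,deny
2016-06-29T15:45:21,198.51.100.7,203.0.113.10,5900,deny
2016-06-29T18:20:03,198.51.100.7,203.0.113.10,21,deny
2016-06-29T08:00:01,192.0.2.55,203.0.113.10,443,allow
2016-06-29T08:00:01,192.0.2.55,203.0.113.10,80,allow
"""

def parse_log(text):
    """Parse the constructed CSV into (time, src, dst, port, action) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return rows

def peak_events_per_second(rows, src):
    """Highest number of events from src in any single second: this is all
    a per-second zone-protection threshold gets to look at."""
    per_second = defaultdict(int)
    for ts, s, _, _, _ in rows:
        if s == src:
            per_second[ts.replace(microsecond=0)] += 1
    return max(per_second.values(), default=0)

def slow_sweeps(rows, window=timedelta(hours=24), min_ports=5):
    """Map (src, dst) -> sorted ports for pairs where one source touches at
    least min_ports distinct destination ports inside any sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits
```

The bursty but benign source peaks at two events per second while the sweep never exceeds one, so only the long-window distinct-port view separates them.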
06-30-2016 10:42 AM
Couldn't you just use URL Filtering to disable access to that domain? Wouldn't that be easier than worrying about what IP is accessing that traffic?
07-01-2016 12:54 AM
There is another way I found:
we can create address objects with the FQDNs provided in the article and create a security policy for them (the FQDN initially resolves at commit time; entries are subsequently refreshed when the firewall performs a check every 30 minutes, and all changes in the IP addresses for the entries are picked up at the refresh cycle), so this might be helpful in blocking the IPs that resolve to the specified Shodan domains.
03-23-2017 08:09 PM
+Bump
Does Palo have similar IPS sigs as Checkpoint?
I tried looking through Threat Vault but couldn't find anything.
03-23-2017 11:56 PM
I don't exactly see why there would be a need for Shodan-specific signatures.
First of all, make sure that all inbound traffic is blocked with firewall policy, except for servers and services which need to be visible from the whole internet (web servers, SMTP, IPsec...).
Services which need to be visible to the internet need to be hardened and secured. For these services Shodan is the least of your worries. You want them secured from hackers and malware, not just Shodan. So why a specific signature for Shodan traffic?
01-28-2020 01:42 PM
Maybe because the customer asked for it?
09-05-2023 10:07 PM
Correction there: FQDN will refresh in 30 seconds.
I was hoping we could use a domain-based EDL in the source, but that isn't working.
Is there any way to get the latest list of shodan.io subdomains/IP addresses?
09-05-2023 10:13 PM
Did that work out?
Is there any App-ID yet for shodan.io?
I don't see one.
05-31-2024 05:32 AM
If you block the known bad actors list, shodan is on that list.