This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Daily Shodan scan?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Daily Shodan scan?

Go to solution
SethArnoff
L1 Bithead

‎02-01-2018 06:55 AM

Hello all,

 

We just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept I will be seeing this scan every day from now on?

 

Threat Name
Gh0st.Gen Command and Control Traffic
Attacker
66.240.205.34

 

ShodanScan.PNG

1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
bvandivier
L5 Sessionator

‎02-01-2018 08:30 AM

One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

 

Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as Minemeld to dynamically block Shodan activity.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-...

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

View solution in original post

(1)
5 REPLIES 5

Go to solution
bvandivier
L5 Sessionator

‎02-01-2018 08:30 AM

One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

 

Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as Minemeld to dynamically block Shodan activity.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-...

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

(1)

Go to solution
SethArnoff
L1 Bithead
In response to bvandivier

‎02-01-2018 08:46 AM

Thank you! The Zone Protection was what I was looking for.

 

Question on EDL: I have it setup to block Outgoing IP's, but this Shodan scan is Incoming. I'm assuming I can set an EDL to also block Incoming connections by setting the EDL in the Source Address as opposed to Destination?

 

0 Likes Likes

Go to solution
bvandivier
L5 Sessionator
In response to SethArnoff

‎02-01-2018 08:57 AM

External Dynamic Lists can be used in security policies regardless of directionality.  Behavior will vary depending on the type of list.  In your case you can specify and IP-based EDLs within the source column of a security policy rule.

0 Likes Likes

Go to solution
SethArnoff
L1 Bithead
In response to bvandivier

‎02-01-2018 09:25 AM

Thank you again!

0 Likes Likes

Go to solution
bvandivier
L5 Sessionator
In response to SethArnoff

‎02-01-2018 09:26 AM

You are very welcome.  It was my pleasure.

0 Likes Likes
  • 1 accepted solution
  • 14415 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks