Daily Shodan scan?

L1 Bithead

Daily Shodan scan?

Hello all,

 

We just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept I will be seeing this scan every day from now on?

 

Threat Name: Gh0st.Gen Command and Control Traffic
Attacker: 66.240.205.34

 



Accepted Solutions
L5 Sessionator

Re: Daily Shodan scan?

One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

 

Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as MineMeld to dynamically block Shodan activity.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-...

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld



All Replies
L1 Bithead

Re: Daily Shodan scan?

Thank you! The Zone Protection was what I was looking for.

 

Question on EDL: I have it set up to block outgoing IPs, but this Shodan scan is incoming. I'm assuming I can set an EDL to also block incoming connections by setting the EDL in the Source Address as opposed to Destination?

 

L5 Sessionator

Re: Daily Shodan scan?

External Dynamic Lists can be used in security policies regardless of directionality. Behavior will vary depending on the type of list. In your case you can specify an IP-based EDL within the source column of a security policy rule.
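An added example, not part of the original thread or of any Palo Alto Networks tooling: a feed sanitizer that turns a raw scanner-address feed into a clean IP list suitable for hosting as an IP-type EDL used in the source column of an inbound deny rule. It assumes a plain-text list with one IP or CIDR per line; the `PROTECTED` ranges and the sample feed are constructed, and only 66.240.205.34 comes from the thread.

```python
import ipaddress

# Hypothetical: ranges you own or rely on. An inbound deny rule that uses the
# EDL as its source must never match these, whatever the feed contains.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

# Constructed sample feed; only 66.240.205.34 comes from the thread.
SAMPLE_FEED = """\
# scanner addresses (constructed sample)
66.240.205.34
66.240.205.34        # duplicate entry
198.51.100.0/25
198.51.100.128/25
198.51.100.7
10.1.2.3
0.0.0.0/0
not-an-ip
203.0.113.9/32
"""

def build_edl(raw_lines, protected=PROTECTED):
    """Return (entries, rejected): clean EDL lines and (value, reason) pairs."""
    by_version, rejected = {4: [], 6: []}, []
    for line in raw_lines:
        value = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not value:
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            rejected.append((value, "not an IP address or CIDR"))
            continue
        if any(p.version == net.version and net.overlaps(p) for p in protected):
            rejected.append((value, "overlaps a protected range"))
            continue
        by_version[net.version].append(net)
    entries = []
    for version in (4, 6):
        # collapse_addresses removes duplicates and merges adjacent/contained nets
        for net in ipaddress.collapse_addresses(by_version[version]):
            entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = build_edl(SAMPLE_FEED.splitlines())
    print("\n".join(entries))
    for value, reason in rejected:
        print(f"rejected {value}: {reason}")
```

Rejecting anything that overlaps a protected range also catches a feed error such as `0.0.0.0/0`, which would otherwise turn the deny rule into a block on all inbound traffic.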

L1 Bithead

Re: Daily Shodan scan?

Thank you again!

L5 Sessionator

Re: Daily Shodan scan?

You are very welcome. It was my pleasure.
