Daily Shodan scan?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Daily Shodan scan?

L1 Bithead

Hello all,

 

We just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept I will be seeing this scan every day from now on?

 

Threat Name
Gh0st.Gen Command and Control Traffic
Attacker
66.240.205.34

 

ShodanScan.PNG

1 accepted solution

Accepted Solutions

L5 Sessionator

One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

 

Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as Minemeld to dynamically block Shodan activity.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-...

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

View solution in original post

5 REPLIES 5

L5 Sessionator

One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

 

Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as Minemeld to dynamically block Shodan activity.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-...

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

Thank you! The Zone Protection was what I was looking for.

 

Question on EDL: I have it setup to block Outgoing IP's, but this Shodan scan is Incoming. I'm assuming I can set an EDL to also block Incoming connections by setting the EDL in the Source Address as opposed to Destination?

 

External Dynamic Lists can be used in security policies regardless of directionality.  Behavior will vary depending on the type of list.  In your case you can specify and IP-based EDLs within the source column of a security policy rule.

Thank you again!

You are very welcome.  It was my pleasure.

  • 1 accepted solution
  • 14511 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!