QuoVadis Posted May 18, 2016

Shodan.io is a search engine with the job of crawling the internet for publicly accessible servers, software, and equipment. Intended as a site for cyber security experts and researchers, Shodan is a popular destination for those with other intentions as well. While not an inherently bad site, a hacker might want to cause some trouble by remotely accessing a web server with default credentials found on Shodan. News stories over the last few years talk about how Shodan has been used to log into traffic light controls, web cameras, and find databases to exploit.

How do you prevent your network from being scanned and added to Shodan?

First you'll need a router or firewall with more than basic functions. Your device should accept custom firewall rules where you can block by remote IP address.

Second you'll need a list of the servers that Shodan uses to crawl the internet. Below is a list of known Shodan IP addresses and host names. A firewall rule should be created to block each entry.

If you have a router capable of displaying active sessions or reporting blocked firewall events, you'll see something like this.

There are of course a number of things you can do to protect yourself from uninvited internet guests. First and foremost, don't use default credentials for your router, server, database, IP camera, etc. These devices are incredibly easy to find through Shodan and there is never an excuse for defaults! You can also set your router to only allow inbound traffic from known IP addresses. Disabling WAN pings is another way you can try and prevent inbound traffic to your network.

The easiest test is to run a Shodan search against yourself. If you know your external IP address, plug it into Shodan and look at the results. Do you see open ports? Do you have devices that are unsecured or running default credentials? The best solution is not to have public facing devices at all and instead to use a VPN to remotely access equipment, but in some situations that just isn't an option and the firewall rules are a fix.

There are a number of routers that can provide the necessary firewall capabilities to block sites like Shodan from scanning your network.

(Blocking a Shodan IP on a Peplink)

The Pepwave Surf SOHO or Cradlepoint MBR1200B will provide adequate blocking for most homeowners or small businesses. Medium to enterprise size companies will want to look at more capable options like the Peplink Balance 380 or the AER3100.

SOURCE
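Added example, not part of the posts in this thread: a Python sketch of the workflow the first post describes, turning an "IP - hostname" list into one ipset-backed firewall match and counting blocked-event log lines per listed source. The list and log lines are constructed (RFC 5737 documentation addresses), and the set name `scanners` and log prefix `FW-DROP` are assumptions.

```python
import ipaddress
import re

# Constructed sample in the post's "IP - hostname" layout. Addresses come from
# the RFC 5737 documentation ranges; hostnames are placeholders.
SAMPLE_LIST = """\
192.0.2.10 - scanner1.example.net
198.51.100.7 - scanner2.example.net
192.0.2.10 - scanner1.example.net
999.1.1.1 - typo.example.net
"""

# Constructed kernel log lines in the style of an iptables LOG rule.
SAMPLE_LOG = """\
May 18 10:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=22
May 18 10:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80
May 18 10:00:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=443
"""

def parse_blocklist(text):
    """Return (valid IPv4 addresses in first-seen order, rejected lines)."""
    valid, rejected = [], []
    for line in text.splitlines():
        field = line.split(" - ", 1)[0].strip()
        if not field:
            continue
        try:
            addr = ipaddress.IPv4Address(field)
        except ipaddress.AddressValueError:
            rejected.append(line)  # never push an unparsed value into a rule
            continue
        if addr not in valid:
            valid.append(addr)
    return valid, rejected

def ipset_restore(addrs, name="scanners"):
    """Build input for `ipset restore`; one set lookup replaces N rules."""
    # Matched by e.g.: iptables -I INPUT -m set --match-set scanners src -j DROP
    lines = [f"create {name} hash:ip family inet"]
    lines += [f"add {name} {a}" for a in addrs]
    return "\n".join(lines) + "\n"

def hits_per_source(log_text, addrs):
    """Count logged packets whose SRC is on the blocklist."""
    counts = {str(a): 0 for a in addrs}
    for src in re.findall(r"\bSRC=(\S+)", log_text):
        if src in counts:
            counts[src] += 1
    return counts
```

On a gateway that port-forwards to internal hosts, the same set match also has to sit in the FORWARD chain, because INPUT only sees packets addressed to the firewall itself.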

rivadarlin Posted April 25, 2022

I blocked it with iptables but still scanning in shodan.io

aelius Posted April 25, 2022

1 hour ago, rivadarlin said:
I blocked it with iptables but still scanning in shodan.io

This topic was created five years ago

Look here:
- https://wiki.ipfire.org/configuration/firewall/blockshodan

Also, you can read here something: https://www.csoonline.com/article/3020108/blocking-shodan-isnt-some-sort-of-magical-fix-that-will-protect-your-data.html

Quote:
Shodan isn't the enemy. In fact, Shodan is a seriously useful tool. Instead of blocking it, integrate it within your security process and use it to discover things you might not know about.