In the last few days of writing this post there has also been a massive amount of mongoDB installs that have been hacked. For more info in preparing for data breaches see my previous post on 3-2-1-0day rule for backups. While shodan is not responsible for this generating a largest list via their service is trivial for whatever service you have a exploit for. So it may not be a bad idea to try and keep away from the all seeing eye Shodan is. While there are arguments on both sides that shodan helps identify issues as well as identify targets I think its best if we had the option to opt out. Thus,
The Definitive Guide to Blocking Shodan from scanning.
First we need to identify the list of IPs that Shodan sends scans from, this are commonly from their census servers but can come from other hosts they control as well. Below is a list of the domains and IP addresses I have collected online, and monitored scanning my equipment.
census1.shodan.io 22.214.171.124 - 126.96.36.199 US census2.shodan.io 188.8.131.52 - 184.108.40.206 US census3.shodan.io 220.127.116.11 - 18.104.22.168 US census4.shodan.io 22.214.171.124 - 126.96.36.199 NL census5.shodan.io 188.8.131.52 RO census6.shodan.io 184.108.40.206 US census7.shodan.io 220.127.116.11 US census8.shodan.io 18.104.22.168 US census9.shodan.io 22.214.171.124 US census10.shodan.io 126.96.36.199 IS census11.shodan.io 188.8.131.52 IS census12.shodan.io 184.108.40.206 US atlantic.census.shodan.io 220.127.116.11 DE pacific.census.shodan.io 18.104.22.168 DE rim.census.shodan.io 22.214.171.124 DE pirate.census.shodan.io 126.96.36.199 US inspire.census.shodan.io 188.8.131.52 US ninja.census.shodan.io 184.108.40.206 US border.census.shodan.io 220.127.116.11 - 18.104.22.168 US burger.census.shodan.io 22.214.171.124 US atlantic.dns.shodan.io 126.96.36.199 US blog.shodan.io 188.8.131.52 US * hello.data.shodan.io 184.108.40.206 US www.shodan.io 220.127.116.11 US ** host private.shodan.io , ny.private.shodan.io 18.104.22.168 atlantic249.serverprofi24.com 22.214.171.124 *** sky.census.shodan.io 126.96.36.199 dojo.census.shodan.io 188.8.131.52 ubtuntu16146130.aspadmin.com 184.108.40.206 shodan.io 220.127.116.11 malware-hunter.census.shodan.io 18.104.22.168 Community submitted IP addresses: battery.census.shodan.io 22.214.171.124 house.census.shodan.io 126.96.36.199 goldfish.census.shodan.io 188.8.131.52 battery.census.shodan.io 184.108.40.206 mason.census.shodan.io 220.127.116.11 flower.census.shodan.io 18.104.22.168 cloud.census.shodan.io 22.214.171.124 turtle.census.shodan.io 126.96.36.199 Last updated: 2017-12-07
*Probably not a scanner
**Their main website, don’t block prior to running tests below / at all if needed
***Consistently appeared when forcing a scan on my own host details below
Now how can you trust that these are the IP address owned by shodan.io and not randomly selected by just reversing DNS? Easy!
Shodan does not want you to know where its scanners are located on the internet, and this makes sense since their business model revolves around it. To help hide the servers IPs they scan from shodan automatically censors its own IP addresses in results. Here is a random example of what the returned data looks like:
They replace their own IPs with xxx.xxx.xxx.xxx this is done prior to us ever getting the data. Even if you get raw firehose access to the scan results it is still censored prior to being given to the customer.
Due to this we can simply search any IP or domain name we think it operated by a Shodan scanner in Shodan! They will appear as censusN.xxx.xxx.xxx.xxx see the below example.
That’s great, now how do I check and make sure that Shodan cannot reach my host.
First block the IPs listed, I would recommend you check them first to ensure they are up to date but as of 2017-01-12 this is the most complete and accurate list available comapred to older postings I have found.
Then you have two options, you can sign up for a paid shodan.io account and force a scan on your host, or you can simply wait and check your IP periodically from the web interface for free: https://www.shodan.io/host/ [ip here] under the last update field.
Since I already am a paid Shodan member I can test my block list right away. This is done by installing Shodan instruction can be found here.
Once installed you want to initiate an on demand scan of your IP. A working example can be found below:
But if you have successfully blocked Shodan you will see the following alert when attempting the scan, the left is my terminal the right is the firewall dropping the connection.
Testing over multiple days I always got the same result. To ensure it was not just that I had scanned to close together I had tested another one of my hosts that had not been blocked and the Last Update was close to real time. You can also check when your host was last scanned using the following command:
You can see that since putting my IP block in place I have not been manually scanned at any of the two previous attempts. The dates are also listed when you were last scanned with sucsess. You can also see when the first time Shodan picked up your MongoDB or whatever else you run on that IP.
Shodan is definitely a useful tool, and will help admins who dont realize what is exposed to the internet find out their weak points. It is also very useful for vulnerability assessments and getting metrics about services from the internet as whole. But it is also like all good things used by people who want to exploit the data within for personal gain or entertainment.
There are literally hudreds of thousands of interesting and exploitable items on shodan, just dont be one of them.