In the last few days of writing this post there has also been a massive number of MongoDB installs that have been hacked. For more information on preparing for data breaches, see my previous post on the 3-2-1-0day rule for backups. While Shodan is not responsible for this, generating a large list of hosts running whatever service you have an exploit for is trivial via their service. So it may not be a bad idea to try and keep away from the all-seeing eye that Shodan is. While there are arguments on both sides, that Shodan helps identify issues as well as identify targets, I think it is best if we had the option to opt out. Thus,
The Definitive Guide to Blocking Shodan from scanning.
First we need to identify the list of IPs that Shodan sends scans from; these commonly come from their census servers but can come from other hosts they control as well. Below is a list of the domains and IP addresses I have collected online and observed scanning my equipment.
census1.shodan.io                198.20.69.72 - 198.20.69.79     US
census2.shodan.io                198.20.69.96 - 198.20.69.103    US
census3.shodan.io                198.20.70.111 - 198.20.70.119   US
census4.shodan.io                198.20.99.128 - 198.20.99.135   NL
census5.shodan.io                93.120.27.62                    RO
census6.shodan.io                66.240.236.119                  US
census7.shodan.io                71.6.135.131                    US
census8.shodan.io                66.240.192.138                  US
census9.shodan.io                71.6.167.142                    US
census10.shodan.io               82.221.105.6                    IS
census11.shodan.io               82.221.105.7                    IS
census12.shodan.io               71.6.165.200                    US
atlantic.census.shodan.io        188.138.9.50                    DE
pacific.census.shodan.io         85.25.103.50                    DE
rim.census.shodan.io             85.25.43.94                     DE
pirate.census.shodan.io          71.6.146.185                    US
inspire.census.shodan.io         71.6.146.186                    US
ninja.census.shodan.io           71.6.158.166                    US
border.census.shodan.io          198.20.87.96 - 198.20.87.103    US
burger.census.shodan.io          66.240.219.146                  US
atlantic.dns.shodan.io           209.126.110.38                  US
blog.shodan.io                   104.236.198.48                  US   *
hello.data.shodan.io             104.131.0.69                    US
www.shodan.io                    162.159.244.38                  US   **
private.shodan.io, ny.private.shodan.io   159.203.176.62
atlantic249.serverprofi24.com    188.138.1.119                        ***
sky.census.shodan.io             80.82.77.33
dojo.census.shodan.io            80.82.77.139
ubtuntu16146130.aspadmin.com     71.6.146.130
shodan.io                        66.240.205.34
malware-hunter.census.shodan.io  216.117.2.180

Community submitted IP addresses:
battery.census.shodan.io         93.174.95.106
house.census.shodan.io           89.248.172.16
goldfish.census.shodan.io        185.163.109.66
mason.census.shodan.io           89.248.167.131
flower.census.shodan.io          94.102.49.190
cloud.census.shodan.io           94.102.49.193
turtle.census.shodan.io          185.181.102.18

Last updated: 2017-12-07
* Probably not a scanner
** Their main website; don't block it before running the tests below, or at all if you need it
*** Consistently appeared when forcing a scan on my own host; details below
Now, how can you trust that these are IP addresses owned by shodan.io and not randomly selected by just reversing DNS? Easy!
Shodan does not want you to know where its scanners are located on the internet, and this makes sense since their business model revolves around it. To help hide the IPs of the servers it scans from, Shodan automatically censors its own IP addresses in results. Here is a random example of what the returned data looks like:
They replace their own IPs with xxx.xxx.xxx.xxx; this is done before we ever get the data. Even if you have raw firehose access to the scan results, they are still censored before being handed to the customer.
(example from firehose demo on their blog)
Because of this we can simply search, in Shodan itself, for any IP or domain name we think is operated by a Shodan scanner. Scanners will appear as censusN.xxx.xxx.xxx.xxx; see the example below.
That's great; now how do I check and make sure that Shodan cannot reach my host?
First, block the IPs listed. I would recommend you check them first to ensure they are up to date, but as of 2017-01-12 this is the most complete and accurate list available compared to older postings I have found.
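To turn the list above into firewall rules without hand-converting each range, here is an added Python example (not code from the original post). It collapses the inclusive "first - last" ranges into CIDR prefixes with the standard library and renders them either as an nftables set with a drop rule or as one iptables rule per prefix. The entries embedded in it are a subset copied from the list above; the footnoted entries (blog.shodan.io, www.shodan.io) are flagged so they are left out, and the table and set names are arbitrary choices for the example.

```python
"""Convert the scanner list into firewall-ready CIDR blocks.

Added example, not part of the original post. The entries below are copied
from the article's list; the 'block' flag follows the author's footnotes
(the blog and main website are not scanners and are excluded).
"""
import ipaddress
from typing import Dict, List, Tuple

# (hostname, first IP, last IP, block?) -- a subset of the article's list.
# Single addresses use the same value for first and last.
SCANNERS: List[Tuple[str, str, str, bool]] = [
    ("census1.shodan.io", "198.20.69.72", "198.20.69.79", True),
    ("census2.shodan.io", "198.20.69.96", "198.20.69.103", True),
    ("census3.shodan.io", "198.20.70.111", "198.20.70.119", True),
    ("census4.shodan.io", "198.20.99.128", "198.20.99.135", True),
    ("census5.shodan.io", "93.120.27.62", "93.120.27.62", True),
    ("border.census.shodan.io", "198.20.87.96", "198.20.87.103", True),
    ("blog.shodan.io", "104.236.198.48", "104.236.198.48", False),  # * probably not a scanner
    ("www.shodan.io", "162.159.244.38", "162.159.244.38", False),   # ** main website, do not block
]


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Collapse an inclusive IPv4 range into the minimal list of CIDR prefixes."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def build_blocklist(entries=SCANNERS) -> Dict[str, List[str]]:
    """Map each blockable hostname to its prefixes; skip entries flagged as not a scanner."""
    return {host: range_to_cidrs(a, b) for host, a, b, block in entries if block}


def render_nft_set(blocklist: Dict[str, List[str]], table: str = "inet filter",
                   set_name: str = "shodan_scanners") -> str:
    """Emit an nftables snippet: an interval set plus an input drop rule.

    'inet filter' and 'shodan_scanners' are arbitrary names chosen for this example.
    """
    elems = sorted({c for cidrs in blocklist.values() for c in cidrs},
                   key=ipaddress.IPv4Network)
    lines = [
        f"table {table} {{",
        f"    set {set_name} {{",
        "        type ipv4_addr",
        "        flags interval",
        "        elements = { " + ", ".join(elems) + " }",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @{set_name} counter drop",
        "    }",
        "}",
    ]
    return "\n".join(lines)


def render_iptables(blocklist: Dict[str, List[str]]) -> List[str]:
    """One iptables DROP rule per prefix, tagged with the hostname it came from."""
    rules = []
    for host, cidrs in blocklist.items():
        for cidr in cidrs:
            rules.append(f"iptables -I INPUT -s {cidr} -m comment --comment {host} -j DROP")
    return rules


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(render_nft_set(blocklist))
    print()
    print("\n".join(render_iptables(blocklist)))
```

Note that a range such as 198.20.70.111 - 198.20.70.119 does not sit on a prefix boundary and comes out as two prefixes (a /32 and a /29); the nftables `flags interval` set handles that without any extra work, while the iptables output simply gets two rules.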
Then you have two options: you can sign up for a paid shodan.io account and force a scan on your host, or you can simply wait and check your IP periodically from the web interface for free at https://www.shodan.io/host/[ip here], under the Last Update field.
Since I am already a paid Shodan member I can test my block list right away. This is done by installing the Shodan CLI; instructions can be found here.
Once installed, you want to initiate an on-demand scan of your IP. A working example can be found below:
But if you have successfully blocked Shodan you will see the following alert when attempting the scan; on the left is my terminal, on the right is the firewall dropping the connection.
Testing over multiple days I always got the same result. To ensure it was not just that I had scanned too close together, I tested another one of my hosts that had not been blocked, and its Last Update was close to real time. You can also check when your host was last scanned using the following command:
You can see that since putting my IP block in place I have not been manually scanned at either of the two previous attempts. The dates when you were last scanned successfully are also listed. You can also see when Shodan first picked up your MongoDB or whatever else you run on that IP.
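The check described above can also be done against the host record rather than by eye. The following is an added Python example, not the author's own commands: it reads a record shaped like the JSON Shodan's host lookup returns (ip_str, ports, last_update, and one banner per port under data with its own timestamp) and reports whether anything was seen on or after the day the block went in, plus when each port was first picked up. SAMPLE_HOST is a constructed record with made-up dates and a documentation-range IP, not data from the post.

```python
"""Verify a scanner block by inspecting Shodan's host record.

Added example, not part of the original post. SAMPLE_HOST is constructed to
mirror the layout of a Shodan host lookup result; every value in it is made up.
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_HOST = json.loads("""
{
  "ip_str": "203.0.113.10",
  "ports": [22, 27017],
  "last_update": "2017-01-02T08:15:00.000000",
  "data": [
    {"port": 22,    "transport": "tcp", "timestamp": "2016-11-05T03:40:12.000000"},
    {"port": 22,    "transport": "tcp", "timestamp": "2016-12-20T11:02:33.123456"},
    {"port": 27017, "transport": "tcp", "timestamp": "2017-01-02T08:15:00.000000"}
  ]
}
""")


def parse_ts(ts: str) -> datetime:
    """Shodan timestamps are naive UTC, usually with microseconds; accept both forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts}")


def banners_since(record: dict, block_date: str) -> List[Tuple[int, str]]:
    """(port, timestamp) for every banner collected on or after block_date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(block_date, "%Y-%m-%d")
    hits = [(b["port"], b["timestamp"]) for b in record.get("data", [])
            if parse_ts(b["timestamp"]) >= cutoff]
    return sorted(hits, key=lambda h: parse_ts(h[1]))


def block_is_holding(record: dict, block_date: str) -> bool:
    """True when neither the host-level last_update nor any banner postdates the block."""
    cutoff = datetime.strptime(block_date, "%Y-%m-%d")
    if parse_ts(record["last_update"]) >= cutoff:
        return False
    return not banners_since(record, block_date)


def first_seen_by_port(record: dict) -> Dict[int, str]:
    """Earliest banner timestamp per port: when Shodan first picked up each service."""
    first: Dict[int, str] = {}
    for b in record.get("data", []):
        port, ts = b["port"], b["timestamp"]
        if port not in first or parse_ts(ts) < parse_ts(first[port]):
            first[port] = ts
    return first


if __name__ == "__main__":
    block_date = "2017-01-01"  # the day the firewall rules went in (constructed)
    print(f"{SAMPLE_HOST['ip_str']} last_update: {SAMPLE_HOST['last_update']}")
    for port, ts in sorted(first_seen_by_port(SAMPLE_HOST).items()):
        print(f"  port {port} first seen {ts}")
    late = banners_since(SAMPLE_HOST, block_date)
    print("block holding:", block_is_holding(SAMPLE_HOST, block_date), "| banners after block:", late)
```

With the constructed record, a block dated 2017-01-01 is reported as not holding because port 27017 was seen on 2017-01-02; the same check dated 2017-01-03 passes. In practice you would feed the function the record for your own IP and the date your rules went live, and rerun it after each scan attempt.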
Shodan is definitely a useful tool, and will help admins who don't realize what is exposed to the internet find out their weak points. It is also very useful for vulnerability assessments and for getting metrics about services across the internet as a whole. But, like all good things, it is also used by people who want to exploit the data within for personal gain or entertainment.
There are literally hundreds of thousands of interesting and exploitable items on Shodan; just don't be one of them.
I have some more Shodan addresses (from IPS logs)
battery.census.shodan.io (93.174.95.106)
house.census.shodan.io (89.248.172.16)
goldfish.census.shodan.io (185.163.109.66)
battery.census.shodan.io (93.174.95.106)
mason.census.shodan.io (89.248.167.131)
flower.census.shodan.io (94.102.49.190)
cloud.census.shodan.io (94.102.49.193)
Thanks, I will add these to the list.
71.6.146.130 now comes back to refrigerator.census.shodan.io
One more for ya
malware-hunter.census.shodan.io (66.240.205.34)
malware-hunter.census.shodan.io (66.240.205.34)
Name: malware-hunter.census.shodan.io
Address: 66.240.205.34
turtle.census.shodan.io = 185.181.102.18
Many thanks for this website!
No problem, thanks for the addition of the new IP.
Why don’t they just let people block their networks?
It would break the model they follow to conduct business. And the tool when used properly can assist in creating a safer web.
You can get an up to date list of the shodan IP addresses here:
https://isc.sans.edu/api/threatlist/shodan/
(add ?json for a JSON formatted version).
There are a couple of other, similar systems. For a full list, see
https://isc.sans.edu/api/threatcategory/research/
(and isc.sans.edu/api for more instructions / details )
Thank you for this information, I will update the article to include a link to this document!
blog.shodan.io = 104.236.198.48
Hi,
I find this article very very helpful but I've a question. How much time is needed to get my IP address removed from the Shodan website? After the next (failed) scan or after a specified period of time?
Thanks a lot for any reply!
Shodan keeps a history for all the IPs you scan. Any new detected ports will not be added provided your block list is up to date.
71.6.165.200 census12.shodan.io
198.20.69.98 census2.shodan.io
71.6.202.198 is a Shodan IP; all are associated with CariNet in San Diego
198.20.64.0/18 # range contains census[1-4].shodan.io
93.120.27.0/24 # range census5.shodan.io
66.240.192.0/18 # range contains census[6,8]
71.6.128.0/17 # range contains census[7,9,12]
82.221.105.0/24 # range contains census[10,11]
71.6.199.23 = einstein.census.shodan.io