In the last few days of writing this post there has also been a massive number of MongoDB installs that have been hacked. For more info on preparing for data breaches see my previous post on the 3-2-1-0day rule for backups. While Shodan is not responsible for this, generating a large list of hosts running whatever service you have an exploit for is trivial via their service. So it may not be a bad idea to try and keep away from the all-seeing eye that Shodan is. While there are arguments on both sides, that Shodan helps identify issues as well as identify targets, I think it's best if we had the option to opt out. Thus,
The Definitive Guide to Blocking Shodan from scanning.
First we need to identify the list of IPs that Shodan sends scans from; these are commonly their census servers but can be other hosts they control as well. Below is a list of the domains and IP addresses I have collected online and observed scanning my equipment.
census1.shodan.io 126.96.36.199 - 188.8.131.52 US
census2.shodan.io 184.108.40.206 - 220.127.116.11 US
census3.shodan.io 18.104.22.168 - 22.214.171.124 US
census4.shodan.io 126.96.36.199 - 188.8.131.52 NL
census5.shodan.io 184.108.40.206 RO
census6.shodan.io 220.127.116.11 US
census7.shodan.io 18.104.22.168 US
census8.shodan.io 22.214.171.124 US
census9.shodan.io 126.96.36.199 US
census10.shodan.io 188.8.131.52 IS
census11.shodan.io 184.108.40.206 IS
census12.shodan.io 220.127.116.11 US
atlantic.census.shodan.io 18.104.22.168 DE
pacific.census.shodan.io 22.214.171.124 DE
rim.census.shodan.io 126.96.36.199 DE
pirate.census.shodan.io 188.8.131.52 US
inspire.census.shodan.io 184.108.40.206 US
ninja.census.shodan.io 220.127.116.11 US
border.census.shodan.io 18.104.22.168 - 22.214.171.124 US
burger.census.shodan.io 126.96.36.199 US
atlantic.dns.shodan.io 188.8.131.52 US
blog.shodan.io 184.108.40.206 US *
hello.data.shodan.io 220.127.116.11 US
www.shodan.io 18.104.22.168 US **
host private.shodan.io, ny.private.shodan.io 22.214.171.124
atlantic249.serverprofi24.com 126.96.36.199 ***
sky.census.shodan.io 188.8.131.52
dojo.census.shodan.io 184.108.40.206
ubtuntu16146130.aspadmin.com 220.127.116.11
shodan.io 18.104.22.168
malware-hunter.census.shodan.io 22.214.171.124

Community submitted IP addresses:
battery.census.shodan.io 126.96.36.199
house.census.shodan.io 188.8.131.52
goldfish.census.shodan.io 184.108.40.206
battery.census.shodan.io 220.127.116.11
mason.census.shodan.io 18.104.22.168
flower.census.shodan.io 22.214.171.124
cloud.census.shodan.io 126.96.36.199
turtle.census.shodan.io 188.8.131.52

Last updated: 2017-12-07
*Probably not a scanner
**Their main website; do not block this before running the tests below, or at all if you need it
***Consistently appeared when forcing a scan on my own host; details below
Now how can you trust that these are the IP addresses owned by shodan.io and not just picked from reverse DNS lookups? Easy!
Shodan does not want you to know where its scanners are located on the internet, and this makes sense since their business model revolves around it. To hide the IPs of the servers it scans from, Shodan automatically censors its own IP addresses in results. Here is a random example of what the returned data looks like:
They replace their own IPs with xxx.xxx.xxx.xxx, and this is done before we ever get the data. Even with raw firehose access to the scan results it is still censored before being handed to the customer.
Because of this we can simply search Shodan for any IP or domain name we think is operated by a Shodan scanner. They will appear as censusN.xxx.xxx.xxx.xxx; see the example below.
That's great, but how do I check and make sure that Shodan cannot reach my host?
First, block the IPs listed. I would recommend you check them first to ensure they are up to date, but as of 2017-01-12 this is the most complete and accurate list available compared to the older postings I have found.
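As an added example (not the post's own code), here is one way to turn a scanner list in the shape above into firewall rules and then check a logged source address against it. The hostnames and addresses in SAMPLE_LIST are constructed placeholders from the RFC 5737 documentation ranges, not Shodan's real scanners; substitute the list above.

```python
import ipaddress

# Constructed sample in the same "host ip [- ip] [country]" shape as the list
# above; the addresses are RFC 5737 documentation ranges, not real scanners.
SAMPLE_LIST = """\
census1.example.test 192.0.2.10 - 192.0.2.20 US
census2.example.test 198.51.100.7 US
border.census.example.test 203.0.113.64 - 203.0.113.95 US
"""


def parse_scanner_list(text):
    """Yield (hostname, network) pairs; 'a - b' ranges become minimal CIDR blocks."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        host = parts[0]
        if len(parts) >= 4 and parts[2] == "-":
            lo, hi = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3])
            for net in ipaddress.summarize_address_range(lo, hi):
                yield host, net
        else:
            yield host, ipaddress.ip_network(parts[1])


def build_blocklist(text):
    """Collapse all networks into the smallest non-overlapping, sorted set."""
    return list(ipaddress.collapse_addresses(net for _, net in parse_scanner_list(text)))


def iptables_rules(nets, chain="INPUT"):
    """Render a LOG then DROP rule per network so blocked probes stay visible in syslog."""
    rules = []
    for net in nets:
        rules.append(f"iptables -A {chain} -s {net} -j LOG --log-prefix 'SHODAN-DROP '")
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    return rules


def is_blocked(addr, nets):
    """Check a source address (e.g. one pulled from a firewall log) against the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets = build_blocklist(SAMPLE_LIST)
    print("\n".join(iptables_rules(nets)))
    print(is_blocked("192.0.2.15", nets), is_blocked("192.0.2.21", nets))
```

The LOG rule in front of each DROP is what lets you later confirm, as the post does with its firewall screenshot, that a forced scan really was dropped rather than silently missed.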
Then you have two options: you can sign up for a paid shodan.io account and force a scan on your host, or you can simply wait and check your IP periodically from the web interface for free at https://www.shodan.io/host/ [ip here] under the Last Update field.
Since I am already a paid Shodan member I can test my block list right away. This is done by installing the Shodan client; instructions can be found here.
Once installed you want to initiate an on-demand scan of your IP. A working example can be found below:
If you have successfully blocked Shodan you will see the following alert when attempting the scan; the left is my terminal, the right is the firewall dropping the connection.
Testing over multiple days I always got the same result. To ensure it was not just that I had scanned too close together, I tested another one of my hosts that had not been blocked, and its Last Update was close to real time. You can also check when your host was last scanned using the following command:
You can see that since putting my IP block in place I have not been scanned on either of the two previous manual attempts. The dates you were last scanned successfully are also listed, as is the first time Shodan picked up your MongoDB or whatever else you run on that IP.
Shodan is definitely a useful tool, and will help admins who don't realize what is exposed to the internet find their weak points. It is also very useful for vulnerability assessments and for getting metrics about services across the internet as a whole. But, like all good things, it is also used by people who want to exploit the data within for personal gain or entertainment.
There are literally hundreds of thousands of interesting and exploitable items on Shodan; just don't be one of them.