Differences in Revisions: How to block Shodan scanners

Older revision, August 22 at 3:04 am: "Shodan IPs added"
# How to block Shodan scanners
[Shodan](https://www.shodan.io/) is a search engine that indexes not web sites or web content, but vulnerable devices on the internet. To build this index and keep it up to date, Shodan uses at least 16 scanners with different AS numbers and different physical locations.
 
In case you want to block those scanners, this guide might help.
 
## Set up host definitions
First, set up [host definitions](/configuration/firewall/fwgroups/hosts) in the firewall menu and put in the following hosts (it might be useful to use the rDNS name as the hostname):
 
**Known Shodan scanners (last updated 2019-09-08)**
 
| rDNS name | IP address | Location |
| --- | --- | --- |
| shodan.io (it is unclear if this is a scanner IP) | 208.180.20.97 | US |
| census1.shodan.io | 198.20.69.74 | US |
| census2.shodan.io | 198.20.69.98 | US |
| census3.shodan.io | 198.20.70.114 | US |
| census4.shodan.io | 198.20.99.130 | NL |
| census5.shodan.io | 93.120.27.62 | RO |
| census6.shodan.io | 66.240.236.119 | US |
| census7.shodan.io | 71.6.135.131 | US |
| census8.shodan.io | 66.240.192.138 | US |
| census9.shodan.io | 71.6.167.142 | US |
| census10.shodan.io | 82.221.105.6 | IS |
| census11.shodan.io | 82.221.105.7 | IS |
| census12.shodan.io | 71.6.165.200 | US |
| atlantic.census.shodan.io | 188.138.9.50 | DE |
| pacific.census.shodan.io | 85.25.103.50 | DE |
| rim.census.shodan.io | 85.25.43.94 | DE |
| pirate.census.shodan.io | 71.6.146.185 | US |
| ninja.census.shodan.io | 71.6.158.166 | US |
| border.census.shodan.io | 198.20.87.98 | US |
| burger.census.shodan.io | 66.240.219.146 | US |
| atlantic.dns.shodan.io | 209.126.110.38 | US |
| blog.shodan.io (it is unclear if this is a scanner IP) | 104.236.198.48 | US |
| hello.data.shodan.io | 104.131.0.69 | US |
| www.shodan.io (it is unclear if this is a scanner IP) | 162.159.244.38 | US |
 
The following additional entries were added in September 2019:
 
| rDNS name | IP address | Location |
| --- | --- | --- |
| battery.census.shodan.io | 93.174.95.106 | SC |
| cloud.census.shodan.io | 94.102.49.193 | SC |
| dojo.census.shodan.io | 80.82.77.139 | SC |
| flower.census.shodan.io (PTR only) | 94.102.49.190 | SC |
| goldfish.census.shodan.io | 185.163.109.66 | RO |
| house.census.shodan.io | 89.248.172.16 | SC |
| inspire.census.shodan.io (PTR only) | 71.6.146.186 | US |
| mason.census.shodan.io | 89.248.167.131 | SC |
| ny.private.shodan.io | 159.203.176.62 | US |
| turtle.census.shodan.io (PTR only) | 185.181.102.18 | RO |
| sky.census.shodan.io | 80.82.77.33 | SC |
| shodan.io (PTR only) | 216.117.2.180 | US |
 
Sources: [pastebin.ca/2948794](http://pastebin.ca/2948794), own research, and log reviews.
*Contributor's note*: if you DROP the notorious "AS29073 Quasi Networks LTD" already, you're already banning the "SC" (Seychelles) sources detailed above. "AS9009 M247 Ltd" contributes to most of the "RO" (Romania) sources.
 
You might add a comment to each host, such as "scanner" or "shodan" to make clear why you added those.
 
It is possible to block other common scanners here, too. However, please keep in mind that this isn't a technique which is very scalable. Please consider [running an IDS](/configuration/services/ids), if possible.
 
**Project 25499 scanners (last updated 2016-02-28)**
 
| rDNS name | IP address | Location |
| --- | --- | --- |
| scanner01.project25499.com | 98.143.148.107 | US |
| scanner02.project25499.com | 155.94.254.133 | US |
| scanner03.project25499.com | 155.94.254.143 | US |
| scanner04.project25499.com | 155.94.222.12 | US |
| scanner05.project25499.com | 98.143.148.135 | US |
 
Source: [project25499.com](http://project25499.com/)
 
 
## Set up firewall group
Second, set up a [firewall group](/configuration/firewall/fwgroups/groups) and add all those host entries to it. Add a title and a comment to this firewall group. In this guide, we assume you have named the group "shodanscanners".
 
 
## Set up firewall rule
Third, [create a new firewall rule](/configuration/firewall/rules). Set the "shodanscanners" group as source. For destination, use "standard networks" and set this to "any". Set "rule action" to "drop".
 
The setting "reject" is not recommended here, since the firewall would send an ICMP error message back to the host(s) that triggered the rule. That tells the scanner there is *something* at the address which at least answers with ICMP errors. "Drop" avoids this: the packets are discarded silently, and without additional scans there is no way of telling whether the target IP address is simply down or is dropping packets.
 
Enter a comment, if you want to and hit "add" to set the new firewall rule.
 
Please make sure that this rule is placed *before* any rules that accept traffic (e.g. port forwarding rules), so that Shodan scan traffic is blocked before any of those rules can match.
 
Reload the firewall engine to apply the new rule.
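The three GUI steps above (host definitions, a "shodanscanners" group, a drop rule placed ahead of any accept rules) can be expressed as a small script for anyone maintaining the list outside the web interface. The following is an added example and not code from this wiki page or from IPFire: it parses table rows in the wiki markup used above (a constructed subset of the rows, one repeated on purpose to show deduplication), emits an equivalent nftables set with a drop rule, and checks constructed firewall log lines for hits from the listed scanners. The `FW-DROP` log prefix, the nftables table name and the documentation-range addresses 203.0.113.10 and 198.51.100.7 are assumptions for the example.

```python
"""Build a drop list from the Shodan scanner table and spot hits in firewall logs."""
import ipaddress
import re

# Constructed input: a subset of rows copied from the tables above, in their
# wiki markup (some IPs wrapped in backticks, some names carrying notes).
# The last row repeats census1 on purpose to exercise deduplication.
TABLE_ROWS = """\
| rDNS name | IP address | Location |
| --- | --- | --- |
| shodan.io ((it is unclear if this is a scanner IP)) | 208.180.20.97 | US |
| census1.shodan.io | 198.20.69.74 | US |
| census2.shodan.io | 198.20.69.98 | US |
| census4.shodan.io | 198.20.99.130 | NL |
| census10.shodan.io | 82.221.105.6 | IS |
| battery.census.shodan.io | `93.174.95.106` | SC |
| flower.census.shodan.io (PTR only) | `94.102.49.190` | SC |
| ny.private.shodan.io | `159.203.176.62` | US |
| census1.shodan.io | 198.20.69.74 | US |
"""

# A table row: | name | ip | location |  (backticks around the IP are optional)
ROW_RE = re.compile(
    r"^\|\s*(?P<name>[^|]+?)\s*\|\s*`?(?P<ip>[^|`]+?)`?\s*\|\s*(?P<loc>[^|]+?)\s*\|$"
)
# Editorial notes attached to names: "((...))" footnotes and "(PTR only)"
NOTE_RE = re.compile(r"\s*\(\(.*?\)\)|\s*\(PTR only\)")


def parse_hosts(table_text):
    """Return {ip: {"name": rdns, "location": cc}} from wiki table rows.

    Header and separator rows are skipped because their second column is not
    a valid address; duplicate addresses keep their first occurrence.
    """
    hosts = {}
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # "IP address" header or "---" separator
        name = NOTE_RE.sub("", m["name"]).strip()
        hosts.setdefault(str(ip), {"name": name, "location": m["loc"].strip()})
    return hosts


def render_nft(hosts, set_name="shodanscanners"):
    """Render an nftables fragment equivalent to the GUI group + drop rule.

    The rules use "drop" rather than "reject" so no ICMP error reveals that
    something answers at the address, and they sit first in their chains so
    they match before any accept or port-forwarding rule.
    """
    v4 = sorted((ip for ip in hosts if ipaddress.ip_address(ip).version == 4),
                key=ipaddress.ip_address)
    elements = ", ".join(v4)
    return (
        "table inet filter {\n"
        f"    set {set_name} {{\n"
        "        type ipv4_addr\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @{set_name} counter drop\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"        ip saddr @{set_name} counter drop\n"
        "    }\n"
        "}\n"
    )


# Constructed kernel log lines in netfilter LOG format (assumed "FW-DROP" prefix).
SAMPLE_LOG = [
    "kernel: FW-DROP IN=red0 OUT= SRC=198.20.69.74 DST=203.0.113.10 PROTO=TCP SPT=40123 DPT=443 SYN",
    "kernel: FW-DROP IN=red0 OUT= SRC=93.174.95.106 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=22 SYN",
    "kernel: FW-DROP IN=red0 OUT= SRC=198.20.69.74 DST=203.0.113.10 PROTO=TCP SPT=40124 DPT=8080 SYN",
    "kernel: FW-DROP IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=53",
]
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scanner_hits(hosts, log_lines):
    """Count log lines per listed scanner, keyed by rDNS name."""
    hits = {}
    for line in log_lines:
        m = SRC_RE.search(line)
        if m and m.group(1) in hosts:
            name = hosts[m.group(1)]["name"]
            hits[name] = hits.get(name, 0) + 1
    return hits


if __name__ == "__main__":
    scanners = parse_hosts(TABLE_ROWS)
    print(render_nft(scanners))
    print(scanner_hits(scanners, SAMPLE_LOG))
```

The hit counter is the useful part after the rule is in place: it shows which listed scanners are still probing you, and a listed address that never appears again while new unknown sources do is a hint that the list has gone stale (see the limitations below).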
 
 
## Limitations of this guide
Nobody (and nothing) is perfect. This guide isn't either. ;-)
 
For example, if the IP addresses of the Shodan scanners change, your firewall rule will probably become useless and no longer provide any protection against the scanners. Consider setting up an [IDS](/configuration/services/ids) for additional protection, since some of its rules will also block other scanners that are not mentioned here.
 
"Blocking Shodan scanners is fine, but I want to block all scanners" -- This is basically possible. However, it is a nightmare to set up a firewall host group which covers all IPs belonging to scanners. (And it is also a nightmare to find out those IP addresses, since most scanners do not simply publish them on their web sites...) If you are thinking along those lines, setting up an [IDS](/configuration/services/ids) in combination with [suitable rules](http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#DShield_Rules) (this is just one example, there are many out there) might be a solution for you.