Thursday, January 03, 2019

Re: Blocking "shodan.io" - What are my options?

Hello Nino,

well, there is a list of known Shodan scanners available:
https://wiki.ipfire.org/configuration/firewall/blockshodan

However, it seems to be outdated - I observed "dojo.census.shodan.io"
(IPv4: 80.82.77.139), too.

Since scanners usually try to bypass blocking attempts or
rate limits, I doubt maintaining an IP list makes sense.
Querying RBLs or lists of known networks hosting malware
(i.e. Spamhaus DROP) probably requires less manual effort.

Thanks, and best regards,
Peter Müller


> Hi,
>
> I wish to block all attempts by "shodan.io". Basically I run an OpenBSD (6.4) mail server using OpenSMTPD and notice quite a bit of traffic all stemming from "shodan.io". I have PF configured so I was wondering how to block such a domain from making any attempts to connect to my server. There is little information about Public IP addresses being used by "shodan.io" scanner, so making an IP list for PF may be futile.
>
> Could someone suggest a possible option? I was thinking along the lines of "relayd" or "squid proxy". My server is hosted at Vultr and has a single WAN interface with Public IP. There is no internal LAN interface.
>
> For those who do not know about "shodan.io", please do a search and you will discover what it does.
>
> Regards
>
> Nino
>


--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
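
Added example, not part of the original message: one way to turn a published network list in the Spamhaus DROP text format into a PF table file, as the reply above suggests. The table name, file paths, the /8 sanity bound and the sample input are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Table name and file paths are assumptions.
# pf.conf:
#   table <spamhaus_drop> persist file "/etc/pf.spamhaus_drop"
#   block in quick from <spamhaus_drop> to any
# After refreshing the file:
#   pfctl -t spamhaus_drop -T replace -f /etc/pf.spamhaus_drop

# DROP text format: "CIDR ; SBLnnn" per line, ';' starts a comment.
# Emit one validated IPv4 CIDR per line; silently skip anything else so a
# corrupted download cannot put garbage (or 0.0.0.0/0) into the table.
drop_to_pf_table() {
    awk '{
        sub(/;.*/, "")            # drop comment / SBL reference
        gsub(/[ \t\r]/, "")       # drop whitespace and stray CRs
        if ($0 == "") next
        if (split($0, p, "/") != 2) next
        # /8 lower bound is a sanity limit chosen for this example
        if (p[2] !~ /^[0-9]+$/ || p[2] < 8 || p[2] > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) next
        print
    }'
}

# Write the table file atomically; keep the old one if nothing valid parsed
# (e.g. failed or empty download), so the block list never silently empties.
build_table_file() {    # usage: build_table_file <drop.txt> <table-file>
    tmp=$(mktemp "$2.XXXXXX") || return 1
    drop_to_pf_table < "$1" > "$tmp"
    if [ -s "$tmp" ]; then mv "$tmp" "$2"; else rm -f "$tmp"; return 1; fi
}

# Constructed sample input (documentation address ranges, made-up SBL ids).
sample_drop() {
    cat <<'EOF'
; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
0.0.0.0/0 ; SBL000003
203.0.113.0/33 ; SBL000004
not-an-address/24
EOF
}
```

Run `build_table_file` from cron against a freshly downloaded copy of the list, then reload the table with the `pfctl` command shown in the header comment.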