Re: HowTo: Block IoT scanners like Shodan, Censys,...

Danny · ‎2021-07-21

Protect your environment against all those internet IoT port scanners / web crawlers that scan your network devices to collect all kind of data. Simply create a drop rule and put it on the beginning of your security policy. Create a network group for each of these scanners and fill it with the data listed below.

Supported scanners:

Shodan --> see Check Point Threat Alert
Censys --> see their FAQ
Shadowserver --> see their FAQ
PAN Expanse --> feeds their Expander

Sample rule:

Group contents:

Shodan --> create domain objects with FQDN enabled!
- .census1.shodan.io
- .census2.shodan.io
- .census3.shodan.io
- .census4.shodan.io
- .census5.shodan.io
- .census6.shodan.io
- .census7.shodan.io
- .census8.shodan.io
- .census9.shodan.io
- .census10.shodan.io
- .census11.shodan.io
- .census12.shodan.io
- .atlantic.census.shodan.io
- .pacific.census.shodan.io
- .rim.census.shodan.io
- .m247.ro.shodan.io
- .pirate.census.shodan.io
- .ninja.census.shodan.io
- .border.census.shodan.io
- .burger.census.shodan.io
- .house.census.shodan.io
- .mason.census.shodan.io
- .turtle.census.shodan.io
- .goldfish.census.shodan.io
- .flower.census.shodan.io
- .dojo.census.shodan.io
- .cloud.census.shodan.io
- .sky.census.shodan.io
- .inspire.census.shodan.io
- .battery.census.shodan.io
Censys
- 74.120.14.0/24
- 162.142.125.0/24
- 167.248.133.0/24
- 192.35.168.0/23
Shadowserver
- 64.62.202.96/27
- 66.220.23.112/29
- 74.82.47.0/26
- 184.105.139.64/26
- 184.105.143.128/26
- 184.105.247.192/26
- 216.218.206.64/26
- 141.212.0.0/16
PAN Expanse
- 144.86.173.0/24
Others
- see listing

Additional info:

Adding such a drop rule on top of your access control rulebase helps raising the baseline security level of your overall firewall security policy. Other free methods to raise it even more are:

dynamically block blacklisted IPs early - even before your access control rulebase
- or via Custom Intelligence Feeds (IoC Management) if you have AV/ABOT licensed
- or via Generic DataCenter objects starting from R81+
create a leading ordered layer to drop unwanted incoming traffic based on Geo Location
use SNORT rules to advance your IPS protection profile
- if you don't have IPS licensed, use at least IPS Core Protections and Inspection Settings that are both installed with your access control policy
activate HTTPS inspection
enable and use Content Awareness
enable and use Identity Awareness

_Val_ · ‎2021-07-22

Nice one Danny!

Kim_Moberg · ‎2021-07-22

Great work Danny.

Would have been nice if Check Point could add those hosts as dynamic objects so it would be automatically updated when any of the scanners changes ip subnets

Best Regards
Kim

_Val_ · ‎2021-07-22

@Kim_Moberg the best way to request this is to add a feedback note to sk173416.

Citing from the SK:

Can I suggest to support a specific service as an Updatable object?

Suggestions for additional Updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the relevant information that will be rendered by R&D (who is responsible for adding new updatable objects). The most common suggestions will get highest priority:

Service name

Link to public content maintained by the vendor

Is it currently used in my policy?

kevinds · ‎2022-04-25

Censys has different and more IPs listed to Opt-Out as per,

https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning

Terri_Hawkins · ‎2023-02-03

Thank you for this post, and I used it to create a rule on my firewall to block the traffic, but can I ask why the individual urls for shodan? Could we just block .shodan.io and get all of them?

PhoneBoy · ‎2023-02-03

Because FQDN Domain Objects cannot be used with wildcards.
You could put shodan.io into a Custom Threat Intel feed (ioc_feeds command) or in a Network Feed object (R81.20 and above).

Wolfgang · ‎2023-02-04

@Terri_Hawkins use of wildcard-FQDN objects as source or destination will result in massive performance degrading, because of the needed DNS reverse lookups. See Traffic latency through Security Gateway when Access Control Policy contains non-FQDN Domain objects

Terri_Hawkins · ‎2023-02-06

Thank you both very much. I believe I have some work to do on some of my rules now. 🙂

Oliver_222 · ‎2024-04-23

Good afternoon

Will these rules work if we have implied rules where ports 80,443,264,18264 are allowed?
As far as I know implied rules come before firewall rules.
Thanks

Danny · ‎2024-04-23

How are these implied rules defined?

Are you a member of CheckMates?

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.