Danny
Champion

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

Protect your environment against all those internet IoT port scanners / web crawlers that scan your network devices to collect all kinds of data. Simply create a drop rule and put it at the beginning of your security policy. Create a network group for each of these scanners and fill it with the data listed below.

Supported scanners:

Sample rule:

image.png

Group contents:

  • Shodan --> create domain objects with FQDN enabled!
  • Censys
    • 74.120.14.0/24
    • 162.142.125.0/24
    • 167.248.133.0/24
    • 192.35.168.0/23
  • Shadowserver
    • 64.62.202.96/27
    • 66.220.23.112/29
    • 74.82.47.0/26
    • 184.105.139.64/26
    • 184.105.143.128/26
    • 184.105.247.192/26
    • 216.218.206.64/26
    • 141.212.0.0/16
  • PAN Expanse
    • 144.86.173.0/24
  • Others

Additional info:

Adding such a drop rule on top of your access control rulebase helps raise the baseline security level of your overall firewall security policy. Other free methods to raise it even more are:
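Added example, not part of the original post and not Check Point code: a Python check that takes the CIDR groups listed above and counts log entries from those ranges that were accepted rather than dropped, which points to a missing drop rule or one placed too low in the rulebase. The log lines and their key=value layout are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# CIDR groups copied from the post; the domain-based Shodan group is not covered.
SCANNER_GROUPS = {
    "Censys": ["74.120.14.0/24", "162.142.125.0/24", "167.248.133.0/24",
               "192.35.168.0/23"],
    "Shadowserver": ["64.62.202.96/27", "66.220.23.112/29", "74.82.47.0/26",
                     "184.105.139.64/26", "184.105.143.128/26",
                     "184.105.247.192/26", "216.218.206.64/26", "141.212.0.0/16"],
    "PAN Expanse": ["144.86.173.0/24"],
}

# Constructed log lines; the key=value layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
src=162.142.125.7 dst=198.51.100.10 dport=443 action=accept
src=184.105.139.70 dst=198.51.100.10 dport=22 action=drop
src=144.86.173.20 dst=198.51.100.11 dport=8443 action=accept
src=141.212.122.1 dst=198.51.100.10 dport=80 action=accept
src=203.0.113.5 dst=198.51.100.10 dport=443 action=accept
src=not-an-ip dst=198.51.100.10 dport=443 action=accept
"""

def build_index(groups):
    """Parse every CIDR; strict=True rejects entries with host bits set."""
    return [(ipaddress.ip_network(cidr, strict=True), name)
            for name, cidrs in groups.items() for cidr in cidrs]

def classify(ip, index):
    """Return the scanner group whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in index if addr in net), None)

def accepted_scanner_hits(log_text, index):
    """Count connections from scanner ranges that were NOT dropped."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            group = classify(fields.get("src", ""), index)
        except ValueError:  # missing or malformed source address
            continue
        if group and fields.get("action") != "drop":
            hits[group] += 1
    return hits

INDEX = build_index(SCANNER_GROUPS)

if __name__ == "__main__":
    print(dict(accepted_scanner_hits(SAMPLE_LOG, INDEX)))
```

Any non-zero count means traffic from a listed range matched an accept rule before the drop rule, so the rule order is the first thing to review.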

3 Replies
_Val_
Admin

Nice one Danny!

0 Kudos
Kim_Moberg
Advisor

Great work Danny.

Would have been nice if Check Point could add those hosts as dynamic objects so they would be automatically updated when any of the scanners changes IP subnets.

Best Regards
Kim
0 Kudos
_Val_
Admin

@Kim_Moberg, the best way to request this is to add a feedback note to sk173416.

Citing from the SK:

Can I suggest to support a specific service as an Updatable object?

Suggestions for additional Updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the relevant information that will be rendered by R&D (who is responsible for adding new updatable objects). The most common suggestions will get highest priority:
  • Service name
  • Link to public content maintained by the vendor
  • Is it currently used in my policy?
0 Kudos