This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion Champion
Champion
‎2021-07-21 03:03 PM

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

Protect your environment against all those internet IoT port scanners / web crawlers that scan your network devices to collect all kind of data. Simply create a drop rule and put it on the beginning of your security policy. Create a network group for each of these scanners and fill it with the data listed below.

Supported scanners:

Sample rule:

image.png

Group contents:

  • Shodan --> create domain objects with FQDN enabled!
    • .census1.shodan.io
    • .census2.shodan.io
    • .census3.shodan.io
    • .census4.shodan.io
    • .census5.shodan.io
    • .census6.shodan.io
    • .census7.shodan.io
    • .census8.shodan.io
    • .census9.shodan.io
    • .census10.shodan.io
    • .census11.shodan.io
    • .census12.shodan.io
    • .atlantic.census.shodan.io
    • .pacific.census.shodan.io
    • .rim.census.shodan.io
    • .m247.ro.shodan.io
    • .pirate.census.shodan.io
    • .ninja.census.shodan.io
    • .border.census.shodan.io
    • .burger.census.shodan.io
    • .house.census.shodan.io
    • .mason.census.shodan.io
    • .turtle.census.shodan.io
    • .goldfish.census.shodan.io
    • .flower.census.shodan.io
    • .dojo.census.shodan.io
    • .cloud.census.shodan.io
    • .sky.census.shodan.io
    • .inspire.census.shodan.io
    • .battery.census.shodan.io
  • Censys
    • 74.120.14.0/24
    • 162.142.125.0/24
    • 167.248.133.0/24
    • 192.35.168.0/23
  • Shadowserver
    • 64.62.202.96/27
    • 66.220.23.112/29
    • 74.82.47.0/26
    • 184.105.139.64/26
    • 184.105.143.128/26
    • 184.105.247.192/26
    • 216.218.206.64/26
    • 141.212.0.0/16
  • PAN Expanse
    • 144.86.173.0/24
  • Others

Additional info:

Adding such a drop rule on top of your access control rulebase helps raising the baseline security level of your overall firewall security policy. Other free methods to raise it even more are:

8 Replies
_Val_
Admin
Admin
‎2021-07-22 12:39 AM

Nice one Danny!

0 Kudos
Kim_Moberg
Advisor
‎2021-07-22 01:06 AM

Great work Danny.

Would have been nice if Check Point could add those hosts as dynamic objects so it would be automatically updated when any of the scanners changes ip subnets

Best Regards
Kim
_Val_
Admin
Admin
‎2021-07-22 01:12 AM
In response to Kim_Moberg

@Kim_Moberg the best way to request this is to add a feedback note to sk173416

Citing from the SK:

Can I suggest to support a specific service as an Updatable object?

Suggestions for additional Updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the relevant information that will be rendered by R&D (who is responsible for adding new updatable objects). The most common suggestions will get highest priority:
  • Service name
  • Link to public content maintained by the vendor
  • Is it currently used in my policy?
0 Kudos
kevinds
Explorer
‎2022-04-25 01:49 AM

Censys has different and more IPs listed to Opt-Out as per,

https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning

Terri_Hawkins
Collaborator
‎2023-02-03 11:57 AM

Thank you for this post, and I used it to create a rule on my firewall to block the traffic, but can I ask why the individual urls for shodan? Could we just block .shodan.io and get all of them?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-03 12:24 PM
In response to Terri_Hawkins

Because FQDN Domain Objects cannot be used with wildcards.
You could put shodan.io into a Custom Threat Intel feed (ioc_feeds command) or in a Network Feed object (R81.20 and above).

Wolfgang
Authority
Authority
‎2023-02-04 05:00 AM
In response to Terri_Hawkins

@Terri_Hawkins use of wildcard-FQDN objects as source or destination will result in massive performance degrading, because of the needed DNS reverse lookups. See Traffic latency through Security Gateway when Access Control Policy contains non-FQDN Domain objects 

Terri_Hawkins
Collaborator
‎2023-02-06 06:36 AM
In response to Wolfgang

Thank you both very much.  I believe I have some work to do on some of my rules now.  🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events