Danny
Champion

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

Protect your environment against all those internet IoT port scanners / web crawlers that scan your network devices to collect all kinds of data. Simply create a drop rule and put it at the beginning of your security policy. Create a network group for each of these scanners and fill it with the data listed below.

Supported scanners:

Sample rule:

image.png

Group contents:

  • Shodan --> create domain objects with FQDN enabled!
  • Censys
    • 74.120.14.0/24
    • 162.142.125.0/24
    • 167.248.133.0/24
    • 192.35.168.0/23
  • Shadowserver
  • PAN Expanse
    • 144.86.173.0/24
  • Others

Additional info:

Adding such a drop rule on top of your access control rulebase helps raise the baseline security level of your overall firewall security policy. Other free methods to raise it even more are:

8 Replies
_Val_
Admin

Nice one Danny!

0 Kudos
Kim_Moberg
Advisor

Great work Danny.

Would have been nice if Check Point could add those hosts as dynamic objects so it would be automatically updated when any of the scanners changes IP subnets.

Best Regards
Kim
_Val_
Admin

@Kim_Moberg the best way to request this is to add a feedback note to sk173416

Citing from the SK:

Can I suggest to support a specific service as an Updatable object?

Suggestions for additional Updatable objects can be submitted in the "Give us Feedback" section of the SecureKnowledge article, with the relevant information that will be rendered by R&D (who is responsible for adding new updatable objects). The most common suggestions will get highest priority:
  • Service name
  • Link to public content maintained by the vendor
  • Is it currently used in my policy?
0 Kudos
kevinds
Explorer

Censys has different and more IPs listed to Opt-Out as per,

https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning

Terri_Hawkins
Contributor

Thank you for this post, and I used it to create a rule on my firewall to block the traffic, but can I ask why the individual URLs for Shodan? Could we just block .shodan.io and get all of them?

0 Kudos
PhoneBoy
Admin

Because FQDN Domain Objects cannot be used with wildcards.
You could put shodan.io into a Custom Threat Intel feed (ioc_feeds command) or in a Network Feed object (R81.20 and above).
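
A pre-deployment check for the group contents, as an added example that is not part of the thread or of Check Point's tooling: it validates each CIDR, refuses ranges that overlap networks you must never drop, and merges the rest into a sorted list that a feed like the one mentioned above could serve. The protected networks, the "Constructed" group and the one-entry-per-line output are assumptions.

```python
import ipaddress

# Ranges to vet. "Censys" repeats the group from the first post; "Constructed"
# holds made-up entries (documentation and private ranges) that exercise the checks.
CANDIDATES = {
    "Censys": ["74.120.14.0/24", "162.142.125.0/24",
               "167.248.133.0/24", "192.35.168.0/23"],
    "Constructed": ["198.51.100.7/24", "203.0.113.0/25",
                    "203.0.113.128/25", "10.20.0.0/16"],
}
# Assumption: address space you own or route internally and must never drop.
PROTECTED = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_feed(candidates, protected=PROTECTED):
    """Return (feed_lines, rejected) where rejected holds (group, entry, reason)."""
    accepted, rejected = [], []
    for group, entries in candidates.items():
        for raw in entries:
            try:
                # strict=True rejects typos such as host bits set in a network.
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError as exc:
                rejected.append((group, raw, f"invalid: {exc}"))
                continue
            clash = next((p for p in protected if net.overlaps(p)), None)
            if clash is not None:
                rejected.append((group, raw, f"overlaps protected {clash}"))
                continue
            accepted.append(net)
    # Merge adjacent and overlapping ranges so the list is short and sorted.
    feed = [str(n) for n in ipaddress.collapse_addresses(accepted)]
    return feed, rejected


if __name__ == "__main__":
    feed, rejected = build_feed(CANDIDATES)
    print("\n".join(feed))
    for group, raw, reason in rejected:
        print(f"# skipped {group} {raw}: {reason}")
```

Review the skipped entries by hand before publishing the list, since a drop rule at the top of the rulebase applies to everything the list matches.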

Wolfgang
Mentor

@Terri_Hawkins use of wildcard-FQDN objects as source or destination will result in massive performance degradation, because of the needed DNS reverse lookups. See "Traffic latency through Security Gateway when Access Control Policy contains non-FQDN Domain objects".

Terri_Hawkins
Contributor

Thank you both very much.  I believe I have some work to do on some of my rules now.  🙂

0 Kudos