shodan.io my next thing to block at the zoo

Shodan is a list of things making up the internet (brands of router etc.), and some of those can be exploited.

The zoo is fairly good at security and we are not running a crappy ancient Intel PPPoA modem supplied by British Telecom, but whenever shodan.io turns up there are a lot of probes afterwards that fail2ban (my blog) has to deal with.

So the thinking is the less Shodan can see, or the more ancient the listings for our ranges, the harder it is for others. It's not a question of stopping them; by all means scan the zoo for problems, but don't let me catch you doing it.

So the firewall got a new section called shodan, since I am boring and if at some stage in the future I forget why, then I know what it is supposed to be; after all, ranges do get cleaned up. It consists of

ip route add prohibit 188.138.9.0/24 [de plusserver.de]
ip route add prohibit 162.159.245.38 [us cloudflare]
ip route add prohibit 162.159.244.38 [us cloudflare]
ip route add prohibit 66.240.192.138 [census8.shodan.io][us cari.net]

The 162.159.24* ranges are nameservers and www; the 188.138/24 subnet was my first range, when a probe from Shodan was first seen, and 66.240 turned up after that.

I kind of do /24 blocking when I see problems from a subnet, so there may be friendly fire for other legitimate things, which is somebody else's problem. So maybe I am indiscriminate, but I found a new range.

Maybe Shodan has legitimate uses, but I am not debating that; its general use leaves something to be desired.

ip route add prohibit 71.6.135.131 [us cari.net]

It also seems to identify as shodan in a grep of my logs, so I guess me and Shodan are going to have a bit of fun while others on Shodan's IPs have a few issues.

Hell, this is fun. I have a cron job* set up, and

188.138.1.218 [de]

comes to my attention next, which rings a few bells from above with 188.138, which I have mentioned. So I dig for the string census:


There is a range of ISPs here, and it seems complaining to Cloudflare will achieve nothing, as cari.net and plusserver.de do the probing.

Anyhow, what you do with this information is up to you. It will probably change, but if you're aware of things, that's not a huge problem.

updated November 2015

However, I would not want to be in those IPv4 ranges.
* grep shodan /var/log/mail.log /var/log/auth.log /var/log/daemon.log
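The grep above finds the lines; the step after that in this post is turning the addresses it finds into prohibit routes. This is an added example, not a script from the blog, and the log lines in it are constructed to resemble sshd and postfix syslog output mentioning the census hosts named in the post; it also skips private address space so a mislabelled line cannot generate a rule that locks you out of your own box.

```shell
#!/bin/sh
# Added example (not the blog's own script): turn syslog lines that mention
# shodan census hosts into 'ip route add prohibit' commands (dry run).

# Constructed sample log lines, modelled on sshd/postfix syslog output.
SAMPLE_LOG='Nov  3 10:01:02 zoo sshd[1234]: Connection closed by 66.240.192.138 [census8.shodan.io]
Nov  3 10:01:05 zoo sshd[1235]: Connection closed by 71.6.135.131 [census7.shodan.io]
Nov  3 10:02:00 zoo postfix/smtpd[2000]: connect from census8.shodan.io[66.240.192.138]
Nov  3 10:03:00 zoo sshd[1236]: Accepted publickey for me from 10.0.0.5 port 5000
Nov  3 10:04:00 zoo sshd[1237]: Connection closed by 192.168.1.9 [shodan-lookalike.lan]'

# Print one IPv4 address per line for lines mentioning shodan, deduplicated.
shodan_ips() {
  printf '%s\n' "$1" | grep -i 'shodan' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Return 0 for public IPv4 space, 1 for RFC1918/loopback, so a spoofed or
# mislabelled log line never produces a route that blocks the LAN or the host.
is_public_ipv4() {
  case "$1" in
    10.*|127.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the route commands instead of executing them; review, then pipe to sh.
shodan_prohibit_rules() {
  for ip in $(shodan_ips "$1"); do
    if is_public_ipv4 "$ip"; then
      printf 'ip route add prohibit %s\n' "$ip"
    fi
  done
}

shodan_prohibit_rules "$SAMPLE_LOG"
```

Run against a real file with `shodan_prohibit_rules "$(cat /var/log/auth.log)"`; the 192.168.1.9 line in the sample shows the private-range filter dropping a match that the plain grep would have kept.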
