The zoo is fairly good at security and we are not running a crappy ancient intel pppoa modem supplied by British telecom but whenever shodan.io turn up there’s a lot probes afterwards that failtoban (my blog) have to deal with.
So the thinking is the less shodan can see or the more ancient the listings for our ranges then the harder it is for others. Its not an question of them stopping it, by all means do scan the zoo for problems but dont let me catch me doing it.
So the firewall got a new section, called shodan since i am boring and if at some stage on the future i forget why then i know what it is supposed to be after all ranges do get cleaned up. It consists of
ip route add prohibit 184.108.40.206/24 [de plusserver.de]
ip route add prohibit 220.127.116.11 [us cloudflare]
ip route add prohibit 18.104.22.168 [us cloudflare]
ip route add prohibit 22.214.171.124 [census8.shodan.io][us cari.net]
The 162.159.24* ranges are nameservers and www,the 188.138 /24 subnet was my first range when a probe from shodan was first seen, then after that is when 66.240 turned up.
I kind of do /24 blocking when i see problems from a subnet so there may be friendly fire from other legitimate things which is somebody elses problem. So maybe i am indiscriminate but i found a new range.
Maybe shodan has legitimate uses but i am not debating that but its general use leaves something to be desired.
ip route add prohibit 126.96.36.199 [us cari.net]
Also seems to identify as shodan in a grep of my logs so i guess me and shodan are going to have a bit of fun while others on shodan’s ips have a few issues.
Comes to my attention next which rings a few bells from above with 188.138 which i have mentioned. So i dig for the string census
188.8.131.52 now 184.108.40.206
census14.shodan.io. 220.127.116.11 [duplicate]
There is a range of isp’s here and it seems complaining to cloudflare will achieve nothing as cari.net and plusserver.de do the probing.
Anyhow what you do with this information is up to you. It will probably change but if your aware of things thats not a huge problem.
updated November 2015
However i would not want to be in those ipv4 ranges.
* grep shodan /var/log/mail.log /var/log/auth.log /var/log/daemon.log