Hello Nino,

well, there is a list of known Shodan scanners available:
https://wiki.ipfire.org/configuration/firewall/blockshodan

However, it seems to be outdated - I observed "dojo.census.shodan.io"
(IPv4: 80.82.77.139), too. Since scanners usually try to bypass blocking
attempts or rate limits, I doubt maintaining an IP list makes sense.

Querying RBLs or lists of known networks hosting malware (i.e. Spamhaus DROP)
probably requires less manual effort.

Thanks, and best regards,
Peter Müller

> Hi,
>
> I wish to block all attempts by "shodan.io". Basically I run an OpenBSD (6.4)
> mail server using OpenSMTPD and notice quite a bit of traffic all stemming from
> "shodan.io". I have PF configured so I was wondering how to block such a
> domain from making any attempts to connect to my server. There is little
> information about Public IP addresses being used by "shodan.io" scanner, so
> making an IP list for PF may be futile.
>
> Could someone suggest a possible option? I was thinking along the lines of
> "relayd" or "squid proxy". My server is hosted at Vultr and has a single WAN
> interface with Public IP. There is no internal LAN interface.
>
> For those who do not know about "shodan.io", please do a search and you will
> discover what it does.
>
> Regards
>
> Nino
>
--
Microsoft DNS service terminates abnormally when it receives a response to a
DNS query that was never made. Fix Information: Run your DNS service on a
different platform.
    -- bugtraq
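
Added example, not part of the original thread or written by its participants: one way to feed a Spamhaus DROP-style list into a PF table, as the reply suggests, instead of maintaining scanner IPs by hand. The table name, file path, the assumed "CIDR ; SBL reference" line format and the rule that prefixes shorter than /8 are rejected are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: validate a DROP-style text list before PF loads it as a table.
# Assumed input: one "CIDR ; SBL-reference" entry per line, ";" starts a comment.

# drop_to_pf_table: read list text on stdin, print only well-formed IPv4 CIDRs.
# Prefixes shorter than /8 are dropped (a guard chosen here) so a corrupt or
# tampered download cannot turn into "block the whole Internet".
drop_to_pf_table() {
    awk '
    {
        sub(/;.*/, "")            # strip trailing comment
        gsub(/[ \t\r]/, "")       # strip whitespace and stray CRs
        if ($0 == "") next
        n = split($0, p, "/")
        if (n != 2 || p[2] !~ /^[0-9]+$/) next
        if (p[2] + 0 > 32 || p[2] + 0 < 8) next
        m = split(p[1], o, ".")
        if (m != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok) print $0
    }'
}

# Constructed sample input (documentation ranges, not real DROP entries).
sample_drop() {
    cat <<'EOF'
; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
0.0.0.0/0 ; SBL000003
203.0.113.300/24 ; SBL000004
not-an-address
EOF
}

# Matching pf.conf lines (assumed table name and path):
#   table <spamhaus_drop> persist file "/etc/pf.spamhaus_drop"
#   block in quick on egress from <spamhaus_drop> to any
# After writing the validated output to that file, reload only the table:
#   pfctl -t spamhaus_drop -T replace -f /etc/pf.spamhaus_drop

sample_drop | drop_to_pf_table
```

Write the output to a temporary file and move it into place only if it is non-empty, so a failed download does not empty the table.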