Hello Nino,

well, there is a list of known Shodan scanners available:
https://wiki.ipfire.org/configuration/firewall/blockshodan

However, it seems to be outdated - I observed "dojo.census.shodan.io"
(IPv4: 80.82.77.139), too.

Since scanners usually try to bypass blocking attempts or
rate limits, I doubt maintaining an IP list makes sense.
Querying RBLs or lists of known networks hosting malware
(i.e. Spamhaus DROP) probably requires less manual effort.

Thanks, and best regards,
Peter Müller
> Hi,
>
> I wish to block all attempts by “shodan.io”. Basically I run an OpenBSD (6.4)
> mail server using OpenSMTPD and notice quite a bit of traffic all stemming from
> “shodan.io”. I have PF configured so I was wondering how to block such a
> domain from making any attempts to connect to my server. There is little
> information about Public IP addresses being used by "shodan.io" scanner, so
> making an IP list for PF may be futile.
>
> Could someone suggest a possible option? I was thinking along the lines of
> “relayd” or “squid proxy”. My server is hosted at Vultr and has a single WAN
> interface with Public IP. There is no internal LAN interface.
>
> For those who do not know about “shodan.io”, please do a search and you will
> discover what it does.
>
> Regards
>
> Nino
>
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
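
Added example, not part of the original e-mail: one way to feed a network list such as Spamhaus DROP into a PF table instead of hand-maintaining scanner IPs. It assumes the list's text layout is `CIDR ; reference` with `;` comment lines; the table name `<drop>`, the path `/etc/pf.drop`, the /8 minimum prefix and the sample lines (documentation ranges, placeholder SBL ids) are this example's own choices.

```shell
#!/bin/sh
# Filter a DROP-style list into bare IPv4 CIDRs for a PF table file.
# Only well-formed prefixes pass, so a corrupted or tampered download
# cannot put arbitrary text into the file that pfctl loads.
drop_to_pf_table() {
    awk '
    /^[ \t]*;/ { next }                      # comment line
    /^[ \t]*$/ { next }                      # blank line
    {
        sub(/[ \t]*;.*$/, "")                # strip trailing "; SBLxxxx"
        gsub(/[ \t\r]/, "")
        if (split($0, p, "/") != 2) next
        # Refuse prefixes shorter than /8 (assumed safety margin): an
        # entry like 0.0.0.0/0 would block every client, admin included.
        if (p[2] !~ /^[0-9]+$/ || length(p[2]) > 2) next
        if (p[2] + 0 < 8 || p[2] + 0 > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        print
    }' | sort -u
}

# Constructed sample input in the assumed layout (not real list content).
sample_drop() {
    cat <<'EOF'
; constructed sample, documentation ranges only
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
0.0.0.0/0 ; SBL000003
203.0.113.300/24 ; SBL000004
198.51.100.0/24 ; SBL000002
not-an-address/24 ; SBL000005
EOF
}

# Prints the two valid, de-duplicated prefixes.
sample_drop | drop_to_pf_table

# pf.conf side (table name and path chosen for this example):
#   table <drop> persist file "/etc/pf.drop"
#   block in quick from <drop>
# After writing a new /etc/pf.drop, swap the table contents atomically:
#   pfctl -t drop -T replace -f /etc/pf.drop
```

Write the filtered output to a temporary file and move it into place only if it is non-empty, so a failed download does not silently empty the table.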