How to block Shodan scanners

Shodan is a search engine which does not index web sites or web contents, but vulnerable devices on the internet. To set up this index and to keep it up to date, Shodan uses at least 16 scanners with different AS numbers and different physical locations.

In case you want to block those scanners, this guide might help.

Set up host definitions

First, set up host definitions in the firewall menu and put in the following hosts (it might be useful to put in the rDNS name as a hostname):

Known Shodan scanners (last updated 2022-02-16)

rDNS nameIP addressLocation
shodan.io ((it is unclear if this is a scanner IP))208.180.20.97US
census1.shodan.io198.20.69.74US
census2.shodan.io198.20.69.98US
census3.shodan.io198.20.70.114US
census4.shodan.io198.20.99.130NL
census5.shodan.io93.120.27.62RO
census6.shodan.io66.240.236.119US
census7.shodan.io71.6.135.131US
census8.shodan.io66.240.192.138US
census9.shodan.io71.6.167.142US
census10.shodan.io82.221.105.6IS
census11.shodan.io82.221.105.7IS
census12.shodan.io71.6.165.200US
atlantic.census.shodan.io188.138.9.50DE
pacific.census.shodan.io85.25.103.50DE
rim.census.shodan.io85.25.43.94DE
pirate.census.shodan.io71.6.146.185US
ninja.census.shodan.io71.6.158.166US
border.census.shodan.io198.20.87.98US
burger.census.shodan.io66.240.219.146US
atlantic.dns.shodan.io209.126.110.38US
blog.shodan.io ((it is unclear if this is a scanner IP))104.236.198.48US
hello.data.shodan.io104.131.0.69US
www.shodan.io ((it is unclear if this is a scanner IP))162.159.244.38US

The additional following entries have been added on September, 2019:

rDNS nameIP addressLocation
battery.census.shodan.io93.174.95.106SC
cloud.census.shodan.io94.102.49.193SC
dojo.census.shodan.io80.82.77.139SC
flower.census.shodan.io (PTR only)94.102.49.190SC
goldfish.census.shodan.io185.163.109.66RO
house.census.shodan.io89.248.172.16SC
inspire.census.shodan.io (PTR only)71.6.146.186US
mason.census.shodan.io89.248.167.131SC
ny.private.shodan.io159.203.176.62US
turtle.census.shodan.io (PTR only)185.181.102.18RO
sky.census.shodan.io80.82.77.33SC
shodan.io (PTR only)216.117.2.180US

The additional following entries have been added on February, 2022:

rDNS nameIP addressLocation
einstein.census.shodan.io71.6.199.23US
hat.census.shodan.io185.142.236.34NL
red.census.shodan.io185.165.190.34US
soda.census.shodan.io71.6.135.131US
wine.census.shodan.io185.142.236.35NL

The additional following entries have been added on 21st September, 2022:

rDNS nameIP addressLocation
wall.census.shodan.io66.240.219.133US
floss.census.shodan.io143.198.225.197US
dog.census.shodan.io137.184.95.216US
draft.census.shodan.io64.227.90.185US
can.census.shodan.io143.198.238.87US
pack.census.shodan.io137.184.190.205US
jug.census.shodan.io137.184.112.192US
elk.census.shodan.io137.184.190.188US
tab.census.shodan.io167.172.219.157US
buffet.census.shodan.io143.110.239.2US
deer.census.shodan.io143.198.68.20US

The additional following entries have been added on 30th September, 2022:

rDNS nameIP addressLocation
sparkle.census.shodan.io137.184.190.194US
fish.census.shodan.io137.184.190.246US
heimdal.scan6x.shodan.io (PTR only)137.184.9.17US
gravy.scanf.shodan.io (PTR only)137.184.13.100US
scanme.scanf.shodan.io (PTR only)137.184.94.133US
frame.census.shodan.io (PTR only)137.184.112.103US
collector.chrono.shodan.io (PTR only)137.184.180.190US
ships.data.shodan.io143.198.50.234US

The additional following entries have been added on 30th September, 2022. These were obtained by using the above IP addresses and then scanning any /16 subnet with more than one IP address in it. They have not necessarily been seen scanning. Note the the same rDNS record can be returned by multiple IPs:

rDNS nameIP addressLocation
green.census.shodan.io185.142.236.36NL
blue.census.shodan.io185.142.236.40NL
guitar.census.shodan.io185.142.236.41NL
blue2.census.shodan.io185.142.236.43NL
red2.census.shodan.io185.142.239.16NL
census2.shodan.io198.20.69.96/29US
census3.shodan.io198.20.70.112/29US
border.census.shodan.io198.20.87.96/29US
census4.shodan.io198.20.99.128/29NL
malware-hunter.census.shodan.io66.240.205.34US
refrigerator.census.shodan.io71.6.146.130US
board.census.shodan.io71.6.147.198US
tesla.census.shodan.io71.6.147.254US
thor.data.shodan.io71.6.150.153US
grimace.data.shodan.io71.6.167.125US
house.census.shodan.io89.248.172.7NL

Sources: own research, log reviews.

Contributor Note!
if you DROP ranges that were in the notorious “AS29073 Quasi Networks LTD” already, you’re already banning the “SC” (Seychelles) sources detailed above; those ranges have been inherited by AS202425. “AS9009 M247 Ltd” contributes to most of the “RO” (Romania) sources; furtherly M247 (AS9009) seem to be the exit point of most NordVPN/pureVPN and many low cost script-kiddies VPN. Firewalling them is usefull for `quietness. Interactions between shodan and m247 seems to be very close.

You might add a comment to each host, such as “scanner” or “shodan” to make clear why you added those.

It is possible to block other common scanners here, too. However, please keep in mind that this isn’t a technique which is very scalable. Please consider running an IPS, if possible.

Project 25499 scanners (last updated 2016-02-28)

rDNS nameIP addressLocation
scanner01.project25499.com98.143.148.107US
scanner02.project25499.com155.94.254.133US
scanner03.project25499.com155.94.254.143US
scanner04.project25499.com155.94.222.12US
scanner05.project25499.com98.143.148.135US

Source: http://project25499.com/

Set up firewall group

Second, set up a firewall group and add all those host entries to it. Add a title and a comment to this firewall group. In this guide, we assume you have named the group “shodanscanners”.

Set up firewall rule

Third, create a new firewall rule. Set the “shodanscanners” group as source. For destination, use “standard networks” and set this to “any”. Set “rule action” to “drop”.

The setting “reject” is not recommended here, since the firewall will send an ICMP status message to the host(s) which triggered the firewall rule. By this, however, the host knows that there is something which at least sends ICMP errors back. To avoid this, “drop” is suitable because the network packets will be dropped silently and there is no way of telling (without additional scans) wether the target IP address is just down or drops network packages.

Enter a comment, if you want to and hit “add” to set the new firewall rule.

Please make sure that this rule is placed before rules which accept something (i.e. port forwarding rules) so that shodan scan traffic will be blocked instantly.

Reload the firewall engine to apply the new rule.

Limitations of this rule

The OpenVPN service will not be protected – OVPNINPUT firewall chain is above the chain where this rule will land.

Limitations of this guide

Nobody (and nothing) is perfect. This guide isn’t either. 😉

For example, if the IP addresses of the Shodan scanners change, your firewall rule will be probably useless and does not provide any protection against the scanners any more. Consider setting up an IPS for additional protection since some rules there will also block other scanners which are not mentioned here.

Blocking Shodan scanner is fine, but I want to block all scanners
This is basically possible. However, it is a nightmare to set up a firewall host group which covers all IPs which belong to scanners. (And it is also a nightmare to find out those IP addresses since most scanners do not just put them on their web sites…) In case you are thinking similar, setting up an IPS in combination with suitable rules (this is just one example, there are many out there) might be a solution for you.

Source :
https://wiki.ipfire.org/configuration/firewall/blockshodan