FortiGate
sahmed_FTNT
Staff & Editor
Article Id 329640
Description

This article describes how to block scans from Shodan on a FortiGate.

Shodan continuously scans the Internet and indexes the devices it finds, such as computers, servers, routers and firewalls. Its scanners probe a set of common service ports and record what the service returns, so any service the FortiGate exposes to the Internet (a port-forwarded server behind a VIP, or the unit's own SSL VPN or administrative interfaces) can end up in Shodan's search results.

Scope
FortiGate.
Solution

To block Shodan's scanners, create an address object for each of the FQDNs below and put them all in one address group:

  • .census1.shodan.io
  • .census2.shodan.io
  • .census3.shodan.io
  • .census4.shodan.io
  • .census5.shodan.io
  • .census6.shodan.io
  • .census7.shodan.io
  • .census8.shodan.io
  • .census9.shodan.io
  • .census10.shodan.io
  • .census11.shodan.io
  • .census12.shodan.io
  • .atlantic.census.shodan.io
  • .pacific.census.shodan.io
  • .rim.census.shodan.io
  • .m247.ro.shodan.io
  • .pirate.census.shodan.io
  • .ninja.census.shodan.io
  • .border.census.shodan.io
  • .burger.census.shodan.io

Create one address object per entry and add all of them to a single address group (screenshot: shodan1.png).

Note on FQDN resolution: a plain FQDN address object is resolved by the FortiGate's own DNS resolver, whereas a wildcard FQDN object is only populated from DNS replies that the FortiGate observes passing through it for clients behind it. Since nobody inside the network resolves Shodan's scanner hostnames, wildcard objects for these names can stay empty, and a policy that references an empty object blocks nothing. After creating the objects, confirm that each one has resolved to at least one IP address before relying on the policy.
Next, create a Deny firewall policy on the Internet-facing interface with the Shodan group as the source address and 'all' as the destination (screenshot: shodan2.png). Enable logging on the policy so hits from the scanners show up in the forward traffic log.

It is important to note that, because this is configured as a firewall policy, for inbound traffic it only affects traffic to VIPs and not services hosted on the FortiGate itself (SSL VPN, web GUI, etc.).

 

To apply the same block to those locally hosted services, use the same address group as the source in a local-in policy. Blocking the scanner only removes the device from Shodan's index; it does not protect an exposed service from anyone else, so restrict administrative access to trusted sources regardless.

See this KB article for more info: Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ... 

 

If the FortiGate runs a version below v7.2.3, make sure 'match-vip' is enabled on the deny policy; otherwise a policy with an 'all' destination does not match traffic whose destination has already been translated by a VIP, and the scans reach the servers anyway. See this KB article for more info: Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination
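The whole procedure above in FortiOS CLI form, as an added example that is not part of the original article. The interface names (wan1, internal), the object and policy names, and the policy IDs are assumptions to adjust to the device; only the first few FQDNs are written out, the remaining entries from the list follow the same pattern.

```fortios
# Added example, not from the original article. Interface names (wan1,
# internal), object names and policy IDs are assumptions. Only the first
# entries are shown; repeat the address block for every remaining FQDN in
# the list above and add each object to the group.

# 1. One FQDN address object per scanner hostname. Plain FQDN objects are
#    resolved by the FortiGate's own DNS, so they work for inbound sources.
config firewall address
    edit "shodan-census1"
        set type fqdn
        set fqdn "census1.shodan.io"
    next
    edit "shodan-census2"
        set type fqdn
        set fqdn "census2.shodan.io"
    next
    edit "shodan-atlantic"
        set type fqdn
        set fqdn "atlantic.census.shodan.io"
    next
end

# 2. Collect every object in one group so the policies reference a single name.
config firewall addrgrp
    edit "grp-shodan-scanners"
        set member "shodan-census1" "shodan-census2" "shodan-atlantic"
    next
end

# 3. Deny policy for inbound traffic towards VIPs (port-forwarded servers).
#    Source is the group, destination is 'all'. 'match-vip' is required on
#    versions below 7.2.3 so the 'all' destination also matches traffic
#    already translated by a VIP. Logging makes scanner hits visible.
config firewall policy
    edit 0
        set name "deny-shodan-inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "grp-shodan-scanners"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end
# The deny policy must sit above any policy that allows traffic to the VIPs;
# if it was created below them, move it:
#   config firewall policy
#       move <deny-policy-id> before <vip-accept-policy-id>
#   end

# 4. Local-in policy for services the FortiGate hosts itself (SSL VPN,
#    admin GUI, SSH). Firewall policies never see this traffic.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "grp-shodan-scanners"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# 5. Check: confirm each FQDN object resolved to at least one address.
#    An object with no addresses matches nothing, so the policies above
#    would silently block nothing.
#   diagnose firewall fqdn list
```

The local-in policy is evaluated before any firewall policy for traffic destined to the FortiGate itself, which is why the VIP deny policy alone leaves SSL VPN and the management GUI reachable by the scanners.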