Blocks Shodan IPs From Scanning Your Servers.
#!/usr/bin/python3
import os
shodan = ["104.131.0.69", "104.236.198.48", "155.94.222.12","155.94.254.133", "155.94.254.143", "162.159.244.38", "185.181.102.18", "188.138.9.50", "198.20.69.74", "198.20.69.98", "198.20.70.114", "198.20.87.98", "198.20.99.130", "208.180.20.97", "209.126.110.38", "216.117.2.180", "66.240.192.138", "66.240.219.146", "66.240.236.119", "71.6.135.131", "71.6.146.185", "71.6.158.166", "71.6.165.200", "71.6.167.142", "82.221.105.6", "82.221.105.7", "85.25.103.50", "85.25.43.94", "93.120.27.62", "98.143.148.107", "98.143.148.135"]
# Append a DROP rule to the INPUT chain for each source address (requires root).
for ip in shodan:
    os.system("iptables -A INPUT -s {} -j DROP".format(ip))

tuxxy commented Feb 1, 2018

It'd read better with a for loop and proper string formatting:

for ip in shodan:
    os.system("iptables -A INPUT -s {} -j DROP".format(ip))

Author

jgamblin commented Feb 1, 2018

@tuxxy,

Thanks.... that is much cleaner... updated. : )


tuxxy commented Feb 1, 2018

No problem. :)


toniblyx commented Feb 1, 2018

You may also need to block any traffic from censys.io/scans.io or any server that is using zmap.io, and also mrlooquer.com.


tfxrdz commented Feb 2, 2018

@toniblyx that's true, since Censys is more powerful than Shodan in this matter.


Ekultek commented Feb 20, 2018

This doesn't work. Just so everyone knows.


gianpaj commented Mar 29, 2018

os.system("ufw deny from {}".format(ip))

for debian/ubuntu


magiknono commented Sep 10, 2018

For ufw on debian/ubuntu:
If you want to block an IP for all services, you must do it before all actual rules:

os.system("ufw insert 1 deny from {}".format(ip))


preterive commented Dec 25, 2019

ipv6 support would be a good feature.


yumusb commented Nov 12, 2020

And you can add censys.io's IP range.
192.35.168.0/23, 162.142.125.0/24, 74.120.14.0/24, and 167.248.133.0/24
I want to collect all the IP segments of automated scanning machines. I wonder if you are interested?
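
Comments in this thread ask for rules placed ahead of existing ones, IPv6 support, and CIDR ranges. The following is an added example, not code from the gist or from any commenter: it validates entries with the standard `ipaddress` module, collapses overlaps, and builds `iptables`/`ip6tables` insert rules. The function names and the sample IPv6 prefix (from the 2001:db8::/32 documentation range) are assumptions.

```python
#!/usr/bin/python3
"""Added example: validated IPv4/IPv6/CIDR block rules, inserted ahead of existing rules."""
import ipaddress
import subprocess

# Constructed sample: one address from the gist, two ranges quoted in the thread,
# an address already covered by a range, an IPv6 documentation prefix, and a bad entry.
SAMPLE = ["66.240.192.138", "192.35.168.0/23", "162.142.125.0/24",
          "192.35.168.7", "2001:db8:5c::/48", "not-an-ip"]


def parse_entries(entries):
    """Return (v4_networks, v6_networks, rejected) with overlaps collapsed."""
    nets = {4: [], 6: []}
    rejected = []
    for entry in entries:
        try:
            # strict=False tolerates host bits set in a CIDR such as 192.35.168.7/23
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append(entry)  # never pass unvalidated text to the firewall
            continue
        nets[net.version].append(net)
    # collapse_addresses drops duplicates and addresses already inside a range
    return (list(ipaddress.collapse_addresses(nets[4])),
            list(ipaddress.collapse_addresses(nets[6])), rejected)


def build_commands(entries):
    """Return (argv_lists, rejected); -I INPUT 1 puts each rule before existing ones."""
    v4, v6, rejected = parse_entries(entries)
    cmds = [["iptables", "-I", "INPUT", "1", "-s", str(n), "-j", "DROP"] for n in v4]
    cmds += [["ip6tables", "-I", "INPUT", "1", "-s", str(n), "-j", "DROP"] for n in v6]
    return cmds, rejected


def apply_rules(entries, dry_run=True):
    """Print the rules, or install them (root required) if not already present."""
    cmds, rejected = build_commands(entries)
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
            continue
        check = [argv[0], "-C", "INPUT"] + argv[4:]  # -C exits non-zero if rule is absent
        if subprocess.run(check, stderr=subprocess.DEVNULL).returncode != 0:
            subprocess.run(argv, check=True)
    return rejected


if __name__ == "__main__":
    for bad in apply_rules(SAMPLE):
        print("skipped invalid entry:", bad)
```

Run as-is it only prints the commands; call `apply_rules(entries, dry_run=False)` as root to install them.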


jfqd commented Nov 14, 2020

66.240.205.34 is missing in the list: malware-hunter.census.shodan.io.


uiblogit commented May 16, 2021

Another shodan ip to add:
IP: 185.163.109.66 Hostname: goldfish.census.shodan.io


godgoali commented Jun 28, 2021

Update 28 June 2021 👍

  • 94.102.49.198
  • 94.102.49.190
  • 94.102.49.193


urekxmazino commented Oct 12, 2021

Won't be a bad idea adding them to Cloudflare firewall rules.


urekxmazino commented Oct 12, 2021

Can you add ZoomEye IPs as well?


Jolly-Pirate commented Jan 22, 2022

Censys are courteous and provide instructions to opt out, with a list of IPs to block.
https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning


webzcom commented May 25, 2022

I'll have to check my research notes if I have them, but I had found a SHODAN server in the 66.240.236.0/24 range. It was all cloud hosting so I blocked them all, but there is a SHODAN server in there somewhere.


jfqd commented May 25, 2022

Shodan uses shodan.io hostnames; you can check by a PTR scan of the subnet, and there is one host in it:

66.240.236.119 census6.shodan.io
