Blocks Shodan IPs From Scanning Your Servers.

antiautosploit.py

#!/usr/bin/python3
import os

shodan = ["104.131.0.69", "104.236.198.48", "155.94.222.12","155.94.254.133", "155.94.254.143", "162.159.244.38", "185.181.102.18", "188.138.9.50", "198.20.69.74", "198.20.69.98", "198.20.70.114", "198.20.87.98", "198.20.99.130", "208.180.20.97", "209.126.110.38",  "216.117.2.180", "66.240.192.138", "66.240.219.146", "66.240.236.119", "71.6.135.131", "71.6.146.185", "71.6.158.166", "71.6.165.200", "71.6.167.142",  "82.221.105.6", "82.221.105.7", "85.25.103.50", "85.25.43.94", "93.120.27.62", "98.143.148.107",  "98.143.148.135"]

for ip in shodan:
    os.system("iptables -A INPUT -s {} -j DROP".format(ip))

@toniblyx thats true, since censys is more powerful than shodan in this matter.

This doesn't work. Just so everyone knows.

os.system("ufw deny from {}".format(ip))

for debian/ubuntu

For ufw on debian/ubuntu:
If you want block an ip for all services, you must do it before all actual rules :

os.system("ufw insert 1 deny from {}".format(ip))

ipv6 support would be a good feature.

And , you can add censys.io's ip range.
192.35.168.0/23, 162.142.125.0/24, 74.120.14.0/24, and 167.248.133.0/24
I want to collect all the IP segments of automated scanning machines. I wonder if you are interested?

66.240.205.34 is missing in the list: malware-hunter.census.shodan.io.

Another shodan ip to add:
IP: 185.163.109.66 Hostname: goldfish.census.shodan.io

Update 28 June 2021 👍

• 94.102.49.198
• 94.102.49.190
• 94.102.49.193

won't be bad idea adding them to cloudflare firewall rules

can you add zoomeye ips as well

Cencys are courteous and provide instructions to opt out, with a list of IP's to block.
https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning

I'll have to check my research notes if I have them but I had found a SHODAN server in the 66.240.236.0/24 range. It was all cloud hosting so I blocked them all but there is a SHODAN server in there somewhre.

shodoan uses shodan.io hostnames, you can check by a ptr scan of the subnet and there is one host in it:

66.240.236.119 census6.shodan.io

Just an FYI, the list of Shodan.io servers represented here is incomplete.

Here is the list I had compiled (yes, some are PTR-only records, and that is not listed here) based on this: https://wiki.ipfire.org/configuration/firewall/blockshodan

IP	Domain
188.138.9.50	atlantic.census.shodan.io
209.126.110.38	atlantic.dns.shodan.io
93.174.95.106	battery.census.shodan.io
104.236.198.48	blog.shodan.io
198.20.87.98	border.census.shodan.io
66.240.219.146	burger.census.shodan.io
198.20.69.74	census1.shodan.io
198.20.69.98	census2.shodan.io
198.20.70.114	census3.shodan.io
198.20.99.130	census4.shodan.io
93.120.27.62	census5.shodan.io
66.240.236.119	census6.shodan.io
71.6.135.131	census7.shodan.io
66.240.192.138	census8.shodan.io
71.6.167.142	census9.shodan.io
82.221.105.6	census10.shodan.io
82.221.105.7	census11.shodan.io
71.6.165.200	census12.shodan.io
94.102.49.193	cloud.census.shodan.io
80.82.77.139	dojo.census.shodan.io
94.102.49.190	flower.census.shodan.io
185.163.109.66	goldfish.census.shodan.io
104.131.0.69	hello.data.shodan.io
89.248.172.16	house.census.shodan.io
71.6.146.186	inspire.census.shodan.io
89.248.167.131	mason.census.shodan.io
71.6.158.166	ninja.census.shodan.io
159.203.176.62	ny.private.shodan.io
85.25.103.50	pacific.census.shodan.io
71.6.146.185	pirate.census.shodan.io
85.25.43.94	rim.census.shodan.io
98.143.148.107	scanner01.project25499.com
155.94.254.133	scanner02.project25499.com
155.94.254.143	scanner03.project25499.com
155.94.222.12	scanner04.project25499.com
98.143.148.135	scanner05.project25499.com
208.180.20.97	shodan.io
216.117.2.180	shodan.io
104.185.10.217	sky.census.shodan.io
80.82.77.33	sky.census.shodan.io
185.181.102.18	turtle.census.shodan.io
162.159.244.38	www.shodan.io