```python
#!/usr/bin/python3
import os

shodan = ["104.131.0.69", "104.236.198.48", "155.94.222.12", "155.94.254.133", "155.94.254.143", "162.159.244.38", "185.181.102.18", "188.138.9.50", "198.20.69.74", "198.20.69.98", "198.20.70.114", "198.20.87.98", "198.20.99.130", "208.180.20.97", "209.126.110.38", "216.117.2.180", "66.240.192.138", "66.240.219.146", "66.240.236.119", "71.6.135.131", "71.6.146.185", "71.6.158.166", "71.6.165.200", "71.6.167.142", "82.221.105.6", "82.221.105.7", "85.25.103.50", "85.25.43.94", "93.120.27.62", "98.143.148.107", "98.143.148.135"]

for ip in shodan:
    os.system("iptables -A INPUT -s {} -j DROP".format(ip))
```
For ufw on Debian/Ubuntu:
If you want to block an IP for all services, you must do it before all actual rules:

```python
os.system("ufw insert 1 deny from {}".format(ip))
```
IPv6 support would be a good feature.
And you can add censys.io's IP ranges:
192.35.168.0/23, 162.142.125.0/24, 74.120.14.0/24, and 167.248.133.0/24
I want to collect all the IP segments of automated scanning machines. I wonder if you are interested?
66.240.205.34 is missing in the list: malware-hunter.census.shodan.io.
Another shodan ip to add:
IP: 185.163.109.66 Hostname: goldfish.census.shodan.io
Update 28 June 2021 👍
- 94.102.49.198
- 94.102.49.190
- 94.102.49.193
It won't be a bad idea adding them to Cloudflare firewall rules.
Can you add ZoomEye IPs as well?
Censys are courteous and provide instructions to opt out, with a list of IPs to block.
https://support.censys.io/hc/en-us/articles/360043177092-Opt-Out-of-Scanning
I'll have to check my research notes if I have them, but I had found a Shodan server in the 66.240.236.0/24 range. It was all cloud hosting so I blocked them all, but there is a Shodan server in there somewhere.
Shodan uses shodan.io hostnames; you can check by a PTR scan of the subnet, and there is one host in it:
66.240.236.119 census6.shodan.io
Just an FYI, the list of Shodan.io servers represented here is incomplete.
Here is the list I had compiled (yes, some are PTR-only records, and that is not listed here) based on this: https://wiki.ipfire.org/configuration/firewall/blockshodan
```python
os.system("ufw deny from {}".format(ip))
```
for Debian/Ubuntu
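Several comments above ask for CIDR ranges, IPv6 support and rules that take effect before existing ones. The following is an added example, not part of the gist or any commenter's code: it validates a mixed list, collapses duplicates and overlapping ranges, and builds `iptables`/`ip6tables` argument lists without executing them. The sample list is constructed, and the IPv6 prefix is a documentation-range placeholder.

```python
#!/usr/bin/env python3
"""Build firewall block rules from a mixed list of scanner IPs and CIDR ranges."""
import ipaddress

# Constructed sample input: a few entries quoted in this thread plus
# deliberately invalid and duplicate lines to exercise validation.
SAMPLE = [
    "66.240.205.34",
    "192.35.168.0/23",
    "162.142.125.0/24",
    "162.142.125.17",      # already covered by the /24 above
    "94.102.49.190",
    "94.102.49.190",       # duplicate
    "2001:db8:1234::/48",  # placeholder IPv6 prefix (documentation range)
    "not-an-ip",           # rejected
    "10.0.0.1; reboot",    # rejected: never reaches a command line
]


def parse_networks(entries):
    """Return (networks, rejected); networks are collapsed per address family."""
    v4, v6, rejected = [], [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() cannot mix IPv4 and IPv6, so collapse separately.
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return collapsed, rejected


def build_rules(networks):
    """Return argv lists (no shell involved); nothing is executed here."""
    rules = []
    for net in networks:
        tool = "iptables" if net.version == 4 else "ip6tables"
        # -I inserts at the top of INPUT so the DROP precedes earlier ACCEPTs.
        rules.append([tool, "-I", "INPUT", "-s", str(net), "-j", "DROP"])
    return rules


if __name__ == "__main__":
    nets, bad = parse_networks(SAMPLE)
    for argv in build_rules(nets):
        print(" ".join(argv))
    for entry in bad:
        print("# skipped invalid entry:", repr(entry))
```

Each argument list can be passed to `subprocess.run(argv, check=True)` as root once the printed rules have been reviewed.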