List of census.shodan.io IP addresses

The shodan.io project is a “search engine for Internet-connected devices” that scans the internet for alive hosts, open ports and services, and publishes the results on its web pages.

It is an interesting project for general network and security research. If you are a network manager, it’s a nice way of knowing what your own network looks like from the outside to observers and evil attackers. Moreover, scans are frequent and you will be able to spot new devices on your network quickly.

It makes little sense to block shodan.io scans as a security measure, because security by obscurity does not work. Moreover, you are blocking only the most casual attackers and researchers that use shodan.io; clever, determined actors won’t be deterred just because there’s nothing on shodan.io about your networks.

Still, there are situations where you want to block shodan.io from scanning your network. In that case, make sure you have an alternative way of monitoring your network from the internet and of getting warned about interesting changes.

Shodan.io does network scanning from a set of IP addresses which all resolve to *.census.shodan.io names. Names and IPs change regularly.

Most of the IPs can be obtained by directly resolving the names, but some IPs only reverse-resolve: their PTR record points to a *.census.shodan.io name, while that name itself resolves to a different IP.

It seems that the people at shodan.io want to make their scanners easily recognizable, but don’t want to make it super easy to block them.

I collect a list of shodan.io domains and IPs that have scanned the networks I manage over time. It contains IPs directly resolved from the *.census.shodan.io domain names, plus IPs that reverse-resolve into it. The list is updated daily; I add new entries as they appear.

The list is here:

shodan-census-ips.txt
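The two lookups the list above is built from, as an added example that is not part of this post or of shodan.io's own tooling: forward-resolve the known *.census.shodan.io names, then check the PTR record of every candidate address taken from your own logs, with a forward-confirmation step to tell the "directly resolved" case from the "reverse-only" case. The names, addresses and stub resolvers are constructed for the offline demo; resolve_forward and resolve_reverse use the system resolver when you want live lookups.

```python
import ipaddress
import socket
SCANNER_SUFFIX = ".census.shodan.io"

def resolve_forward(name):
    """Live DNS: hostname -> set of addresses it points to (empty if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def resolve_reverse(ip):
    """Live DNS: address -> its PTR name, or None if it has none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def is_census_name(name):
    """True when name is a host under census.shodan.io (case-insensitive, trailing dot tolerated)."""
    return bool(name) and name.rstrip(".").lower().endswith(SCANNER_SUFFIX)

def classify_ip(ip, known_names, forward=resolve_forward, reverse=resolve_reverse):
    """'forward': a known *.census.shodan.io name, or the IP's own PTR name, resolves to this IP.
    'reverse': only the PTR record names a census.shodan.io host and that name resolves elsewhere;
               weaker evidence, since PTR records are set by whoever controls the address block.
    'none':    no link to census.shodan.io either way."""
    ipaddress.ip_address(ip)  # reject malformed input early (raises ValueError)
    if any(ip in forward(name) for name in known_names):
        return "forward"
    ptr = reverse(ip)
    if not is_census_name(ptr):
        return "none"
    return "forward" if ip in forward(ptr) else "reverse"

def build_scanner_list(candidate_ips, known_names, forward=resolve_forward, reverse=resolve_reverse):
    """Map every candidate that is linked to census.shodan.io to its classification."""
    result = {}
    for ip in candidate_ips:
        kind = classify_ip(ip, known_names, forward, reverse)
        if kind != "none":
            result[ip] = kind
    return result

# Constructed stand-in DNS data (RFC 5737 documentation ranges, not real scanner addresses) so this runs offline.
FAKE_A = {"a.census.shodan.io": {"198.51.100.10"}, "b.census.shodan.io": {"198.51.100.20"}}
FAKE_PTR = {"198.51.100.10": "a.census.shodan.io", "198.51.100.21": "B.census.shodan.io.",
            "203.0.113.5": "mail.example.net"}
stub_forward = lambda name: FAKE_A.get(name.rstrip(".").lower(), set())
stub_reverse = lambda ip: FAKE_PTR.get(ip)
```

Feed it the addresses seen in your own firewall or web-server logs; a "reverse" hit is worth a second look before it goes on a list, since anyone who controls an address block can publish a PTR record naming any host they like.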

Recidives, wordpress and fail2ban

This is what happens when you configure fail2ban to ban recidives for one week:

(Image: fail2ban-week)

The blue line is a wave of IP addresses probing my sites for a wordpress vulnerability and triggering wordpress-hard; the yellow line represents recidive addresses (hosts blocked more than 5 times over a week, which are then blocked for a week).

See:

How to stop wordpress bruteforce logins with fail2ban

and

A bruteforce botnet targeting a wordpress site