Using Our API To Adjust iptables Rules
We are offering a simple (IMHO) API to allow you to script various queries against our databases. One dataset we offer is a list of IP addresses that are scanning the internet for exposed services. The most prominent of these services is likely Shodan. To avoid having any devices from your organization show up in Shodan, you may want to block all scans from known Shodan hosts. We do create a list of these IP addresses and update it daily. The respective API query to retrieve the list is:
https://isc.sans.edu/api/threatlist/shodan/
By default, the list is returned as XML. But it is pretty easy to change the format. All you need to do is add ?json, ?text ... This will make processing with simple scripts rather easy. The "text" format is probably easiest to process with shell tools, but just in case the format is changing later in some subtle way, it is probably safest to use JSON and have the "jq" utility parse it:
curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'
This will return a list of all the IP addresses. To use this in iptables, I would recommend setting up a new table. Something like:
iptables -F shodan
iptables -A shodan -j RETURN
for ip in `curl -A "myemailadress" -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'`
do
echo $ip
if [[ $ip =~ ^[0-9\.]+$ ]]
then
iptables -A shodan -s $ip -j LOGDROP
else
echo "Bad IP Address. Aborting."
exit
fi
done
iptables -D shodan 1
"LOGDROP is a table that will log the packet and drop it. You could also just drop it here, but this would be a bit dangerous as you wouldn't see these dropped packets in your logs which makes debugging problems extra fun.
For a full list of our API functions, see https://isc.sans.edu/api . Please note to use your e-mail address as a user agent. We do not require authentication, but if your script causes issues, then it would be nice if we can check with you vs. just block you.
Of course, test carefully and use at your own risk.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | .ipv4' | tr -d '"'
Anonymous
Dec 8th 2017
7 years ago
Anonymous
Dec 8th 2017
7 years ago
Anonymous
Dec 9th 2017
7 years ago
curl -s https://isc.sans.edu/api/threatlist/shodan?text | grep -F ipv4 | grep -oP '\d+\.\d+\.\d+\.\d+'
PS: Would you consider adding a "?list" output format to save us a step?
Anonymous
Dec 11th 2017
7 years ago
Anonymous
Dec 20th 2017
7 years ago
Anonymous
Dec 20th 2017
7 years ago