97

There's been a lot of buzz around this recent CNN article about Shodan, a search engine that can find and allow access to unsecured internet-connected devices.

Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

What's really noteworthy about Shodan's ability to find all of this -- and what makes Shodan so scary -- is that very few of those devices have any kind of security built into them. [...]

A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all -- all you need is a Web browser to connect to them.

It sounds to me like some of these devices have been secured ostensibly but aren't actually secure because the passwords, etc., are obvious and/or unchanged from default settings.

How can I (either as a "normal" person or a professional) take steps to prevent my devices from being accessible by crawlers like Shodan? Are there other ways to mitigate my risk of discovery by something like Shodan?

Aarthi
  • I'm sure this question could be significantly better -- please edit liberally! – Aarthi Apr 09 '13 at 15:36
  • "How can I prevent my devices from being accessible by Shodan?" <- by preventing them from being accessible by anyone. (Do you really think Shodan is the only crawler out there? And what if someone found your device by chance without the help of a search engine?) – user253751 Feb 25 '16 at 00:56

8 Answers

90

Shodan references publicly available machines which work like this:

Speak Friend and Enter

Just don't do it.

Edit: the analogy is relevant! Shodan connects to machines and asks for their "banner", a publicly available text which may simply say: "to enter, use this default password: 1234". You might want to avoid people knocking at the door by the simple expedient of installing a giant squid as a guard before the door (metaphorically, a firewall), but, really, it would be much safer to configure a non-default password.

Tom Leek
63

The Shodan project is pretty cool, but at its core isn't much more than a big honkin nmap database. The project has scanners that routinely scan the Internet and publish the findings into the database. That database is what you're searching. Since they are using standard detection routines the protections you would put in for a normal scan should protect you here.

  1. Configure your firewalls appropriately. -- This means for any services you provide, restrict them as much as you can. If you only have 5 people from marketing using your web application, then there's no need for the entire world to use it. Figure out which address space marketing uses and open it up only to them. (You may also want to allow remote access solutions, but that's up to you).
  2. Clean up your banners. -- Many banners, by default, give gobs of information. For instance, by default Apache httpd will tell you what version it is, what OS it's running on, what modules it has enabled, etc. This is really pretty unnecessary. Apache httpd has configuration settings to give less information, but the specifics will depend on which service you're hosting.
  3. Have your firewalls silently block. By default many firewalls will send out an ICMP Destination Administratively Prohibited when it drops packets. This will let the scanner know that something exists on that port, it's just not allowed to hit it. By turning on stealth, silent, or whatever mode the connections will just time out on the scanner's end. To them this will look like the host doesn't even exist.
Scott Pack
  • You had mentioned that _their project has scanners that routinely scan the internet._ Just curious with what authority they have rights to scan the devices that are publicly connected on the internet? – Shankar Narayana Damodaran Jan 02 '18 at 11:28
40

For most home users, the only internet-facing device is their router.

So, how do you secure the router from stuff like Shodan?

  • Firstly, change the default password. Anyone armed with an IP scanning tool (Angry IP Scanner is the one I've tried) can find you if they input the relevant IP range and break in with the bog standard admin/admin login. What can they do if they have this access?
    • They can get the password of your broadband connection (and in some cases start stealing your bandwidth)
    • They can set up port forwarding and get to your computers/devices.
    • They can change your DNS server and redirect your browsing to their malicious clones of websites. Unless the site uses SSL, you won't be able to know that this is happening. Note that SSL on the site may not be enough -- most people wouldn't notice if they were served http versions of their favorite https sites.
    • They can just mess up your router
  • Another thing to do is to disable remote management (example for Linksys routers). This hides the router's configuration pages to the outside world, so people can't get in even if they try brute forcing. (Additionally, you won't show up in an IP scan unless you have port forwarding). Note that there are some cases when you would want this option on -- I've kept it on for brief periods of time when testing stuff. But usually, there's no harm keeping it off.
  • Check your port forwarding rules. Even if you fix the above two, a forwarded port translates to a direct connection to your computer. In most cases, you shouldn't have any forwarded ports. If you're a gamer, you may have a few game-specific ports. (Usually the ports are chosen so as not to interfere with some other services) Make sure nothing forwards to ports 21,22,3389. If it does, make sure your ssh/ftp/remote desktop passwords are secure (or ssh/ftp/rdp is disabled). There are probably some other ports that provide an easy way to take over the machine, but I can't think of any OTOH.

On the computer, check your firewall. Make it as restrictive as possible without breaking things.

Note that to stop Shodan specifically for a home system, you only need point 1 or 2. However, I've listed the rest as Shodan could easily improve itself to further analyze router connections.

Manishearth
  • https://superevr.com/blog/2013/dont-use-linksys-routers/ is especially relevant to your Linksys information page – Matt Apr 09 '13 at 16:47
  • @Matt, Or at least don't use the stock firmware. The security problem is about the firmware. – Zoredache Apr 09 '13 at 23:41
  • Aren't most home routers configured to be only accessible via ssh/telnet/http/whatever from the local subnet anyway? I know a couple of mine haven't even allowed access from wireless users on the local subnet. – naught101 Apr 10 '13 at 01:16
  • @naught101: not sure. The one I have at home (linksys I think) had remote management on. (yes, you can also restrict the management features to ethernet on most routers.) – Manishearth Apr 10 '13 at 01:19
  • When they can login to your router, they can change the DNS server from the standard one (from your isp) to their own. Your computer will probably use the router as dns-server. Then it will be easy to serve malware and viruses to your network, or listen for passwords, internet banking logins and other stuff. You can install opendns on your computer to avoid this, but that won't protect the router. – SPRBRN Apr 10 '13 at 11:53
  • @rxt: Great point! (Hold on, I'll edit it in). Note that using openDNS on _all_ devices connected to the router will stop this from being an issue. – Manishearth Apr 10 '13 at 11:55
  • OpenDNS has DNScrypt, which should offer even better security by encrypting dns-traffic between your computer and opendns. No Linux client yet I believe. I use it at my mac. (When accessing public wifi access, for the login pages you sometimes need to turn it off until you are logged in! Don't forget to turn it on because especially in these situations it's very useful!) https://www.opendns.com/technology/dnscrypt/ – SPRBRN Apr 10 '13 at 12:55
15

So the short answer is that if you're providing a publicly available service (e.g. to the general Internet) your service has to be accessible and therefore search engines like shodan can find it, and all shodan does is index publicly available information.

What you can do is minimize the information that shodan finds, by removing banners from accessible services and also ensuring things like default credentials are removed (standard security good practice).

Also if the service you have running doesn't need to be accessible by the whole Internet (i.e. only some people need to be able to access it), using firewalls to restrict which source IP addresses can reach the service is also an effective protection against discovery by things like Shodan.

One other theoretical protection (which I'd say is a bad approach but for completeness' sake I'll mention) is that if you could find the IP address ranges that shodan uses, you could try and block it specifically.

The risks that make shodan seem "scary" are that there are a huge number of systems which have been placed on the Internet with default settings and very little thought to security. Unfortunately people who place systems on the Internet in this state are unlikely to be security aware enough to take actions like specifically blocking shodan...

One other thing to mention is that even blocking things like shodan wouldn't help you against things like the Internet Census project which happened last year. This used a large number of compromised systems to scan the whole Internet. The output of the project is available as a torrent and I'd be willing to bet that a lot of researchers and attackers are currently looking through the data for things to attack (which they'll likely find).

Rory McCune
  • My first thought when I read about the Great Census was "I wonder how many masters theses can come out of the analysis of that dataset." – Scott Pack Apr 10 '13 at 00:54
12

a search engine that can find and allow access to unsecured internet-connected devices.

The real question with Shodan is why these devices are internet-facing in the first place. This does not excuse the need to change the default configuration information, but leaving your printer world-accessible is just plain silly.

There is a security measure you can use against this kind of thing - VPN for remote workers, and a firewall. It's a corporate asset, so require users to actually connect to the corporate network with all of the restrictions that implies. Not doing so means you have no idea who is logging in to a device on your network. Put the device behind a firewall and have users log in.

Then, onto failing number two - this is reasonably obvious - change those defaults. Most organisations have some kind of management policy for assets and that should include managing login credentials to them especially if they're going to be on the network. The device should be configured securely.

If it isn't possible to configure the device securely because of some bug introduced by the manufacturer, then the engine is doing us a favour by exposing it - this will put pressure on these companies to fix their issues.

Finally, you can (and in my opinion should) hide information from servers e.g. Apache version strings. This will not excuse or replace a proper security configuration and diligently updated software, but there is no reason to tell the attacker everything about your system either.

4

If you have some services that you want to expose to yourself on a public IP but want to hide them from the rest of the world, you could use port knocking to hide the devices from general port scans while still making them accessible without a VPN connection to someone that knows how to knock. I have several home webcams that I occasionally want to be able to access from work, but the firewall at work won't let me initiate a VPN to my home firewall.

So, I "knock" 3 ports on my home firewall and it allows connections from the knocking IP to the cameras.

Port knocking is pretty weak security from someone determined to crack into your network since the knocks are easily sniffed (the knocks are effectively a password sent in plain text), but brute forcing the ports is nearly impossible even if an attacker knew port knocking was in use - 3 random ports give around 48 bits worth of password entropy, so it's pretty safe from a random hacker. A VPN would be more secure since it encrypts everything.

Also, since it works at the IP level, once I unlock the ports from my work IP address, everyone at work can access them since they all share the same IP address. (They are outside cameras in a DMZ that I usually use to check on the dog, so I'm not too worried about someone at work seeing them, but I don't really want the whole world to see them.)

There's a lot more information on the pros/cons of portknocking here:


A commenter noted that 48 bits of entropy is not a lot, which is true with something like a password where, if the attacker can obtain the hash, he can execute an offline attack and test millions or trillions of combinations a second. However, since any port knocking brute force attack is limited by network latency and bandwidth constraints, 48 bits is still quite a lot of entropy. To successfully brute force a password, on average you'd need to make N/2 guesses, where in this case N = 2^48, so N/2 = 2^47.

Each guess means sending down 3 syn packets to knock on the 3 ports, so assuming 60 bytes for a SYN packet, you'd need to send 2^47 * 3 * 60 = 2.5 x 10^16 bytes or 22 petabytes.

Using my 15mbit home internet connection, it would take 510 years to send that much data.

And that ignores the network latency, if you could send the knock and immediately test your knock with 1 msec of latency (typical real world ping latency from my home network to the first hop out of my ISP's network is 13msec), it would take 2^47 msec, or 4,000 years to brute force it.

And of course, this all assumes that you could make unlimited guesses before the port knock daemon ignores you or before I noticed that something was consuming all of my inbound bandwidth (my ISP would certainly notice and would throttle me).

And it also ignores that knowing if you had a successful knock adds entropy on its own if you don't know which port to check - my cameras listen on some non-obvious ports, so that adds another 16 bits or so of entropy.

So, as I said, port knocking is weak security since it's so easily sniffed, but it's not easily brute forced.

Johnny
  • 48 bits of password entropy isn't all that much. After all, "abcdefghij" is worth ~50. – Scott Pack Apr 09 '13 at 20:38
  • "abcdefghij" is worth 50 or 0 or anything else, depending on the context. Entropy is a property of the way you generate passwords, not of the password itself. – Thomas Pornin Apr 09 '13 at 21:21
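As an added illustration of the brute-force arithmetic in this answer (not code from the answer's author), the following Python reproduces the cost model for an arbitrary knock length, with the post's parameters as constructed defaults (3 ports out of 65536, 60-byte SYN, 15 Mbit/s link, 1 ms round trip per guess). It reports decimal petabytes and uses exact 2^47 rather than rounded figures, so the totals come out somewhat different from the ones quoted above; sniffing the sequence remains the cheap attack, which is the answer's point.

```python
import math

YEAR_SECONDS = 365.25 * 24 * 3600


def knock_entropy_bits(num_ports: int, port_space: int = 65536,
                       hidden_service_ports: int = 0) -> float:
    """Bits of secret in an ordered knock of num_ports ports, each drawn
    uniformly from port_space values (3 ports -> 48 bits).  Each service port
    the attacker must also guess before a hit can be confirmed adds another
    log2(port_space) bits, as the post notes for the camera ports."""
    return (num_ports + hidden_service_ports) * math.log2(port_space)


def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit one secret of this size: half the keyspace."""
    return 2.0 ** (entropy_bits - 1)


def bytes_to_bruteforce(num_ports: int, port_space: int = 65536,
                        syn_bytes: int = 60) -> float:
    """Traffic volume: every guess costs one SYN per knock port."""
    guesses = expected_guesses(knock_entropy_bits(num_ports, port_space))
    return guesses * num_ports * syn_bytes


def bandwidth_bound_years(num_ports: int, link_mbit_s: float = 15.0,
                          port_space: int = 65536, syn_bytes: int = 60) -> float:
    """Years needed if the only limit is pushing the SYNs down the link."""
    bytes_per_s = link_mbit_s * 1e6 / 8
    return bytes_to_bruteforce(num_ports, port_space, syn_bytes) / bytes_per_s / YEAR_SECONDS


def latency_bound_years(num_ports: int, rtt_s: float = 0.001,
                        port_space: int = 65536) -> float:
    """Years needed if every guess must wait one round trip to be checked."""
    return expected_guesses(knock_entropy_bits(num_ports, port_space)) * rtt_s / YEAR_SECONDS


def knock_report(num_ports: int, link_mbit_s: float = 15.0, rtt_s: float = 0.001) -> dict:
    """Collect the post's figures for an arbitrary knock length in one place."""
    bits = knock_entropy_bits(num_ports)
    return {
        "entropy_bits": bits,
        "expected_guesses": expected_guesses(bits),
        "petabytes": bytes_to_bruteforce(num_ports) / 1e15,
        "bandwidth_years": bandwidth_bound_years(num_ports, link_mbit_s),
        "latency_years": latency_bound_years(num_ports, rtt_s),
    }


if __name__ == "__main__":
    # Constructed inputs matching the post; shorter knocks show why one port is no secret at all.
    for k in (1, 2, 3):
        r = knock_report(k)
        print(f"{k} port(s): {r['entropy_bits']:.0f} bits, {r['petabytes']:.3g} PB, "
              f"{r['bandwidth_years']:.3g} y by bandwidth, {r['latency_years']:.3g} y by latency")
```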
2

Simply ensure that your devices are secure and don't advertise their presence if they don't need to. You can use services like Gibson Research's ShieldsUp to easily check if you have ports on your network connection that are responding to services from the public internet.

If you have anything showing that doesn't need to be, disable the service and block the port on your router. If you do need the service, ensure that it is properly secured so that it cannot be easily abused. There isn't much that can be done about the fact that publicly facing services that need to respond to requests will be discoverable by port scans. Trying to avoid that is kind of akin to trying to avoid someone knowing where your store is when they can simply drive down the street and look at the sign.

You can try to take down the sign (remove banners, change default ports, etc) to try and make it harder for someone to recognize what the store does (what the service is), but you can't really hide the fact there is a building on the lot (a service on the port).

AJ Henderson
  • Suggesting the use of Gibson's thingies for anything else than mocking is a shooting offence. – Thomas Pornin Apr 09 '13 at 19:49
  • ShieldsUp works decent, I wouldn't touch just about any of his other stuff though. – AJ Henderson Apr 09 '13 at 20:07
  • @AJHenderson ShieldsUp is buggy and tends to have inaccurate results. – forest Mar 16 '18 at 06:55
  • @forest not that I don't believe you, but do you have any additional info on this? I've never noticed any issues with it and am curious what issues it has. Do you have any suggestions for an alternative? I did mention that it is just one possible example of an online port scanner. – AJ Henderson Mar 16 '18 at 12:03
  • @AJHenderson I read about it on several posts here at Sec.SE. I haven't used it myself because GRC is a snakeoil salesman. – forest Mar 17 '18 at 00:26
1

The best defences that could ever be offered to protect against shodan scans are the same as with any other scans.

  • Properly configure your software, HIPS, and firewall
  • Build your servers to run within containers in mind (i.e. bsd jails/linux containers/windows sandboxie).
  • Ensure there are no vulnerable versions of software running on the server
  • Rate limit abusive connections (i.e. non-human initiated connections that spike in a small window)
  • Eliminate any server banners being offered by your software
  • Finally, Null Route all abusive IP addresses. Namely those from shodan and others listed on RBLs.

The obvious answer is the first one: an up-to-date security suite and well configured software running with the latest security patches. While this is the common norm these days, it is no different than just throwing your system out to the wolves with a torch. All security (throughout history in the real world and virtual world) is built on layers.

If you build your system to run in a sandbox like environment then if anything goes wrong you can rollback to a working version prior to the issue and analyse what went wrong from there. This also has the added benefit of being an agile server in where if a bug is introduced for any reason, malicious or not, then you can just push back to a working version in moments and not have down time.

Simply rate limiting and eliminating banners and any other identifying traits makes it harder to enumerate the servers or gather intel, which is step one in penetration.

Lastly, the null routing and use of RBLs helps wall off well known abusive IP addresses such as known malware/botnet nodes, abusive/malicious users, and Hacking-as-a-Service sites such as shodan.

If you keep to these rules then the internet is not a scary place anymore as you've already defeated the "barbarians" before they even set sights on your server.

Dwight Spencer