Profile Applicability:
Level 2
Description:
Public IP addresses assigned to your cloud infrastructure should be regularly checked against Shodan, a popular internet-wide scanning service, to detect if they are exposed and what services or vulnerabilities are associated with them. This check helps identify unintended exposure and potential security risks.
Rationale:
Visibility: Shodan indexes public-facing devices and services, revealing exposed ports, services, banners, and vulnerabilities.
Risk Mitigation: Identifying if your IP addresses appear on Shodan allows you to assess the risk of exposure and remediate any unintended publicly accessible services.
Continuous Monitoring: Regular checks with the Shodan API help maintain a secure attack surface by proactively identifying exposures.
Impact:
Helps you detect if your public IPs are exposed and indexed on the internet.
Enables timely remediation of exposed services or misconfigurations.
No direct impact on infrastructure but may reveal critical security gaps.
Default Value:
No automatic monitoring by default; requires active integration with the Shodan API.
Prerequisites:
Shodan API Key (requires a Shodan account and API subscription).
List of public IP addresses to be scanned.
Environment with internet access to query the Shodan API.
Optional: scripting environment (Python, Bash, etc.) to automate queries.
Test Plan:
Collect Public IP Addresses:
Retrieve all public IP addresses used by your cloud infrastructure (e.g., via the AWS, GCP, or Azure CLI or console).
Query Shodan API for Each IP:
Use the Shodan API to check if an IP is indexed, for example with curl. Replace [IP_ADDRESS] with the actual public IP and [YOUR_API_KEY] with your Shodan API key.
Analyze the API Response:
If the IP is found, Shodan returns details about the host, open ports, services, and vulnerabilities.
If the IP is not found, you receive a "404 Not Found" response.
Automate Scanning:
Write scripts to iterate over your list of public IPs and query the Shodan API for each one.
Aggregate results for review.
Example Python Script:
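The script below is an added example, not code from the original benchmark: it queries the Shodan host endpoint for each IP, treats a 404 as "not indexed", and aggregates ports, services, and vulnerabilities for review. It assumes Shodan signals rate limiting with HTTP 429; the sample record and the `fake_fetch` stand-in are constructed so the script can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.request

# Shodan host lookup endpoint; HTTP 404 means the IP is not indexed.
HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"

def fetch_host(ip, api_key, opener=urllib.request.urlopen, retries=3):
    """Parsed host record, or None on 404; backs off and retries on HTTP 429 (assumed rate-limit code)."""
    url = HOST_URL.format(ip=ip, key=api_key)
    for attempt in range(retries):
        try:
            with opener(url, timeout=15) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 404:
                return None
            if exc.code != 429 or attempt == retries - 1:
                raise  # invalid key, server error, or retries exhausted
            time.sleep(2 ** attempt)  # rate limited: wait 1s, 2s, ... then retry

def summarize_host(host):
    """Reduce a Shodan host record to the fields a reviewer acts on."""
    services = [{"port": b.get("port"), "transport": b.get("transport", "tcp"),
                 "product": b.get("product", "unknown")} for b in host.get("data", [])]
    return {"ip": host.get("ip_str"), "ports": sorted(host.get("ports", [])),
            "services": services, "vulns": sorted(host.get("vulns", []))}

def scan_ips(ips, api_key, fetch=fetch_host, delay=1.0):
    """Query every IP (paced to ~1 request/second) and return (exposed, not_indexed)."""
    exposed, not_indexed = [], []
    for i, ip in enumerate(ips):
        host = fetch(ip, api_key)
        if host is None:
            not_indexed.append(ip)
        else:
            exposed.append(summarize_host(host))
        if i < len(ips) - 1:
            time.sleep(delay)  # stay under the API rate limit between lookups
    return exposed, not_indexed

# Constructed record in the shape of a Shodan host response (not real data; placeholder CVE id).
SAMPLE_HOST = {"ip_str": "203.0.113.10", "ports": [443, 22], "vulns": ["CVE-PLACEHOLDER-1"],
               "data": [{"port": 22, "product": "OpenSSH"}, {"port": 443, "transport": "tcp"}]}

def fake_fetch(ip, api_key):
    """Offline stand-in for fetch_host: only the constructed sample IP is 'indexed'."""
    return SAMPLE_HOST if ip == SAMPLE_HOST["ip_str"] else None
```

Call `scan_ips(your_ips, api_key)` with the default fetcher and a real key to run against Shodan; pass `fetch=fake_fetch` to dry-run the aggregation logic offline.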
Remediation Steps:
For any public IP found in Shodan:
Review the exposed services and ports.
Harden or disable unnecessary services.
Implement firewall rules or network ACLs to restrict unwanted access.
Patch any detected vulnerabilities.
Schedule regular scans to keep track of exposure.
Backout Plan:
No direct impact on infrastructure from the scan.
If automated scans cause rate limits or API issues, reduce frequency or batch size.
If any remediation affects business operations, roll back changes following your change management process.