
Updating Shodan Monitor Assets via REST API and Curl

Christian Mohn

Shodan Monitor is a service by shodan.io that allows for monitoring of IPs, networks or domains, based on your own definitions. In my case, I use it to monitor my home network public IP, and to alert me if there is anything strange going on, like new services or any other abnormalities.

Shodan Monitor Trigger Definitions

This is very useful. I get alerts both via a Slack Webhook and email, but like most residential connections I have a dynamic IP address from my ISP. It doesn’t change often, but it happens. My Shodan Monitor definition is based on an IP assignment, and all of a sudden I got notifications for things that were not present in my network. My public IP had changed, and I was now receiving alerts for someone else's network, which had been assigned my old public IP. Suboptimal.

One way of solving this is setting up the monitoring to monitor a Dynamic DNS entry that gets automatically updated whenever my public IP changes. Simple enough to set up, but not nearly as fun as the solution I ended up with.

Description

In the end I created a small bash script that runs as a scheduled cron job on a VM in my environment. In short, the script checks my public IP through the Shodan CLI and compares it with the IP address stored in a file called shodanip.txt (the file gets created if it does not already exist). Other methods of obtaining the current public IP can be used as well, but the script uses the shodan myip command to fetch it.

If the IPs match, it quits, but in all other cases it updates the shodanip.txt file with the new IP address, and then uses the Shodan REST API to update the Monitor Asset to the new value (via curl).

The script requires that you have your own Shodan API Key and that you know the Shodan Alert ID for the Monitor Asset you want to edit. To find the Shodan Alert ID, look at the URL when you edit an asset in Shodan Monitor: it’s the value shown right after monitor.shodan.io/networks/edit/ in the browser.

Alternatively, use the shodan alert list command via the Shodan CLI to get the Alert ID.

These values, and the location of shodanip.txt, are defined in lines 8 - 11 in the script, under the heading #Variables.

The Script

#!/bin/bash
# Script to update a given Shodan Alert with new public IP, if the IP has changed
# v0.5 — Christian Mohn | vNinja.net

# Variables
MYIPFILE="shodanip.txt" # The file where you keep your current public IP
MYIP=$(shodan myip) # Get public IP through Shodan CLI and store it in the $MYIP variable
SHODANALERTID="XXXXXXXXXXXXXXXX" # Shodan Alert ID — NB! Replace with your own
SHODANAPIKEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # Shodan API Key — NB! Replace with your own

if test -f "$MYIPFILE"; then
    # $MYIPFILE exists
    read -r STOREDIP < "$MYIPFILE" # Read first line of $MYIPFILE and store it in $STOREDIP
    if [ "$MYIP" = "$STOREDIP" ]
    then
        # printf is used so that \n is printed as a line break
        printf 'Public IP matches current value %s.\nShodan AlertID: %s not updated.\n' "$MYIP" "$SHODANALERTID"
    else
        printf 'Public IP does not match IP in file.\nUpdating Shodan AlertID: %s.\n' "$SHODANALERTID"
        echo "$MYIP" > "$MYIPFILE"
        # Run CURL to update Shodan REST API
        curl -X POST "https://api.shodan.io/shodan/alert/$SHODANALERTID?key=$SHODANAPIKEY" --silent -H 'Content-Type: application/json' -d'
{
  "filters": {
    "ip": [
      "'"$MYIP"'"
    ]
  }
}
' > /dev/null
    fi
else
    # File does not exist
    echo "$MYIPFILE does not exist. Creating file."
    echo "$MYIP" > "$MYIPFILE"
    echo "Current public IP: $MYIP"
    echo "Updating Shodan AlertID: $SHODANALERTID."
    # Run CURL to update Shodan REST API
    curl -X POST "https://api.shodan.io/shodan/alert/$SHODANALERTID?key=$SHODANAPIKEY" --silent -H 'Content-Type: application/json' -d'
{
  "filters": {
    "ip": [
      "'"$MYIP"'"
    ]
  }
}
' > /dev/null
fi
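
The script stores and sends whatever shodan myip prints, so an empty reply or an error message would overwrite shodanip.txt and end up in the JSON body. The following is an added example, not part of the original ipshodan.sh: two helper functions with hypothetical names, is_public_ipv4 and alert_payload, that accept only a plausible public IPv4 address before anything is written or posted. The candidate values in the loop are constructed.

```bash
#!/bin/bash
# Added example, not part of the original ipshodan.sh.

# Succeed only for a canonical dotted-quad IPv4 address outside the
# private, loopback, link-local, CGNAT and multicast/reserved ranges.
is_public_ipv4() {
    local ip="$1" o a b
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
    esac
    local IFS=.
    set -- $ip                                 # split on dots into $1..$4
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac # leading zero or more than 3 digits
        [ "$o" -le 255 ] || return 1
    done
    a=$1 b=$2
    case $a in 0|10|127) return 1 ;; esac      # "this network", RFC 1918, loopback
    [ "$a" -ge 224 ] && return 1               # multicast and reserved
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1  # RFC 1918
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1                    # RFC 1918
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1                    # link-local
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1 # RFC 6598 CGNAT
    return 0
}

# Print the JSON body for the alert update, or fail without output.
alert_payload() {
    is_public_ipv4 "$1" || return 1
    printf '{"filters": {"ip": ["%s"]}}' "$1"
}

# Constructed candidate values (hypothetical, not real Shodan CLI output):
# a documentation-range address, an empty reply, a LAN address, an error string.
for candidate in "203.0.113.7" "" "192.168.1.10" "Error: no API key"; do
    if body=$(alert_payload "$candidate"); then
        echo "OK     -> would POST: $body"
    else
        echo "REJECT -> '$candidate' (keep stored IP, skip API call)"
    fi
done
```

In the script itself, the check would sit right after MYIP is assigned, exiting before shodanip.txt is touched when the value is rejected.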

Hopefully this is useful for someone else as well. At the very least, it should save me from getting wrong alerts from Shodan whenever someone gets assigned my old public IP from my ISP. I should probably update my Dynamic DNS Update script as well.
