Updating Shodan Monitor Assets via REST API and Curl

Published by Christian Mohn

Shodan Monitor is a service by shodan.io that allows for monitoring of IPs, networks or domains, based on your own definitions. In my case, I use it to monitor my home network public IP, and to alert me if there is anything strange going on, like new services or any other abnormalities.

Shodan Monitor Trigger Definitions

This is very useful. I get alerts via both a Slack Webhook and email, but like most residential connections, I have a dynamic IP address from my ISP. It doesn’t change often, but it happens. My Shodan Monitor definition is based on an IP assignment, and all of a sudden I got notifications for things that were not present in my network. My public IP had changed, and I was now receiving alerts for someone else’s network that had been assigned my old public IP. Suboptimal.

One way of solving this is setting up the monitoring to monitor a Dynamic DNS entry that gets automatically updated whenever my public IP changes. Simple enough to set up, but not nearly as fun as the solution I ended up with.

Description

In the end I created a small bash script that runs as a scheduled cron job on a VM in my environment. In short, the script checks my public IP through the Shodan CLI and compares it with the IP address stored in a file called shodanip.txt (the file gets created if it does not already exist). Other methods of obtaining the current public IP can be used as well, but the script utilizes the shodan myip command to fetch it.

If the IPs match, it quits, but in all other cases it updates the shodanip.txt file with the new IP address, and then uses the Shodan REST API to update the Monitor Asset to the new value (via curl).

The script requires that you have your own Shodan API Key and that you know the Shodan Alert ID for the Monitor Asset you want to edit. To find the Shodan Alert ID, look at the URL when you edit an asset in Shodan Monitor; it’s the value shown right after monitor.shodan.io/networks/edit/ in the browser.

Alternatively, use the shodan alert list command via the Shodan CLI to get the Alert ID.

These values, and the location of shodanip.txt, are defined in lines 8 - 11 in the script, under the heading #Variables.

The Script
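The following is an added example, not the author's script: one way to implement the procedure described above in POSIX shell, assuming the Shodan REST API's POST /shodan/alert/{id} edit endpoint with a filters.ip list. The function names, environment variable names and the "run" argument are this example's own, and YOUR_API_KEY / YOUR_ALERT_ID are placeholders. Unlike the order described above, it rejects any shodan myip output that is not an IPv4 address and writes shodanip.txt only after the API call succeeds.

```shell
#!/bin/sh
# Added example, not the author's script. YOUR_API_KEY / YOUR_ALERT_ID are placeholders.
API_KEY="${SHODAN_API_KEY:-YOUR_API_KEY}"
ALERT_ID="${SHODAN_ALERT_ID:-YOUR_ALERT_ID}"
IP_FILE="${SHODAN_IP_FILE:-$HOME/shodanip.txt}"

# Accept only a dotted-quad IPv4 address; rejects empty output and CLI error text.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Returns 0 when the address differs from the stored one, or no state file exists yet.
ip_changed() {
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# JSON body that replaces the alert's monitored address list.
alert_payload() {
    printf '{"filters": {"ip": ["%s"]}}' "$1"
}

# -d makes curl POST; the URL is passed as a curl config on stdin so the key stays out of ps.
update_alert() {
    printf 'url = "https://api.shodan.io/shodan/alert/%s?key=%s"\n' "$ALERT_ID" "$API_KEY" |
        curl --silent --show-error --fail --max-time 30 -K - \
             -H 'Content-Type: application/json' -d "$(alert_payload "$1")" >/dev/null
}

main() {
    current_ip=$(shodan myip) || { echo "shodan myip failed" >&2; return 1; }
    is_ipv4 "$current_ip" || { echo "unexpected output: $current_ip" >&2; return 1; }
    ip_changed "$current_ip" "$IP_FILE" || return 0   # unchanged: nothing to do
    update_alert "$current_ip" || { echo "Shodan alert update failed" >&2; return 1; }
    # Store the address only after the API accepted it, so a failed call is retried.
    ( umask 077; printf '%s\n' "$current_ip" > "$IP_FILE" )
}

# Entry point (this example's convention): the cron job calls the script with "run".
if [ "${1:-}" = "run" ]; then main; fi
```

Supplying the key through SHODAN_API_KEY from a file readable only by the cron user keeps it out of the script itself.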

Hopefully this is useful for someone else as well. At least this should save me from getting wrong alerts from Shodan whenever someone gets assigned my old public IP from my ISP. I should probably update my Dynamic DNS Update script as well.

Post last updated on January 2, 2024: Add author
