Shodan Monitor is a service by shodan.io that allows for monitoring of IPs, networks or domains, based on your own definitions. In my case, I use it to monitor my home network public IP, and to alert me if there is anything strange going on, like new services or any other abnormalities.
This is very useful: I get alerts via both a Slack webhook and email. But like most residential connections, I have a dynamic IP address from my ISP. It doesn't change often, but it happens. My Shodan Monitor definition is based on an IP assignment, and all of a sudden I got notifications for things that were not present in my network. My public IP had changed, and I was now receiving alerts for someone else's network, which had been assigned my old public IP. Suboptimal.
One way of solving this is setting up the monitoring to monitor a Dynamic DNS entry that gets automatically updated whenever my public IP changes. Simple enough to set up, but not nearly as fun as the solution I ended up with.
In the end I created a small bash script that runs as a scheduled cron job on a VM in my environment. In short, the script checks my public IP through the Shodan CLI and compares it with the IP address stored in a file called shodanip.txt (the file gets created if it does not already exist). Other methods of obtaining the current public IP can be used as well, but the script utilizes the shodan myip command to fetch it.
The script requires that you have your own Shodan API Key and that you know the Shodan Alert ID for the Monitor Asset you want to edit. To find the Shodan Alert ID, either look at the URL when you edit an asset in Shodan Monitor (it's the value shown right after monitor.shodan.io/networks/edit/ in the browser), or use the shodan alert list command via the Shodan CLI to get the Alert ID.
These values, and the location of shodanip.txt, are defined in lines 8 - 11 of the script, under the heading #Variables.
The Script
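As an added example (not the author's original script, so the line numbers mentioned above do not apply to it), here is one way to implement the check, compare and update flow described above in POSIX sh. The API key, alert ID and file path are placeholders, and it assumes the alert's networks are edited through the Shodan REST API's POST /shodan/alert/{id} endpoint.

```shell
#!/bin/sh
# Added example (not the author's script): keep a Shodan Monitor alert on the current public IP.
# Placeholders/assumptions: API key, alert ID, file path, and the alert-edit REST endpoint.
SHODAN_API_KEY="${SHODAN_API_KEY:-YOUR_API_KEY}"
SHODAN_ALERT_ID="${SHODAN_ALERT_ID:-YOUR_ALERT_ID}"
IP_FILE="${IP_FILE:-$HOME/shodanip.txt}"

# Accept only a dotted-quad IPv4 address, so CLI error text is never stored or sent.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Replace the alert's monitored networks with one IP. The URL (which carries the
# API key) is fed to curl on stdin via -K - so it does not show up in the process list.
update_alert() {
  printf 'url = "https://api.shodan.io/shodan/alert/%s?key=%s"\n' \
    "$SHODAN_ALERT_ID" "$SHODAN_API_KEY" |
    curl -fsS -K - -H 'Content-Type: application/json' \
      -d "{\"filters\":{\"ip\":[\"$1\"]}}" >/dev/null
}

# Prints "unchanged" or "updated <ip>"; on error returns non-zero and does not record the new IP.
sync_ip() {
  current=$(shodan myip 2>/dev/null) || return 1
  is_ipv4 "$current" || return 1
  [ -f "$IP_FILE" ] || : > "$IP_FILE"          # create the state file on first run
  stored=$(cat "$IP_FILE")
  if [ "$current" = "$stored" ]; then echo "unchanged"; return 0; fi
  update_alert "$current" || return 1          # record the IP only after the API accepted it
  printf '%s\n' "$current" > "$IP_FILE"
  echo "updated $current"
}

# Cron calls this file with --run; without it the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
  sync_ip
fi
```

Because the stored IP is written only after the API call succeeds, a failed update is retried on the next cron run instead of leaving the alert on the old address.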
Hopefully this is useful for someone else as well; at the very least, it should save me from getting wrong alerts from Shodan whenever someone gets assigned my old public IP from my ISP. I should probably update my Dynamic DNS Update script as well.