The following query will list all targets that iQSonar was unable to log in to, which we suspect are running Linux or a Unix-type OS
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
SELECT p.Name as Project
, TargetName
, HostnameOrIP
, SuspectedOrScannedOS
, Status
, Reason
FROM [history].[v_DiagnosticsDeviceList] vDDL
INNER JOIN config.t_Project p ON vDDL.ProjectID = p.ProjectID
WHERE Reason = 'Access Denied'
-- ==== Change This ==== --
AND vDDL.ProjectID = 1
-- --------------------- --
AND SuspectedOrScannedOS in (
'Unix', 'CentOS', 'Linux',
'Debian', 'Fedora', 'RedHat Linux 9',
'RedHat Enterprise Linux', 'Oracle Linux Server',
'SunOS','SUSE Linux Enterprise','Ubuntu'
) |
Not all Unix/Linux hosts are detected on the first pass. To find
List targets and the attempted credentials
The following queries will list the targets and the credentials which failed. These queries work on older versions of iQSonar.
Info |
---|
These queries work with iQSonar releases up to and including Fu R3. Changes were made to some underlying tables in Gwynn R1 and Gwynn R2 to reduce the amount of history saved as the diagnostic information can grow. In the Gwynn R3 release the option to preserve or delete this diagnostic can be selected in the user interface. Instructions on how to keep the history data can be found on this page. |
The ScanEngine typically logs into Unix/Linux hosts using the SSH protocol (which is usually on port 22).
Login failures using the SSH protocol are indicative of credential problems (wrong login id, wrong password, account without permission to login from given IP Address, and so forth)
...
. To find hosts that can not be scanned for non-credential reasons, this query might help instead.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| --SSH Login Failure
| |||||||
WITH unscanned AS ( SELECT DISTINCT [HostnameOrIP] FROM [history].[v_DiagnosticsDeviceList] WHERE Status = 'Unscanned' -- === Change this line ==== -- AND ProjectID = 1 -- ========================= -- AND SuspectedOrScannedOS NOT LIKE '%Window%' -- explicitly exclude targets we think are running Windows ) SELECT jobProj.ProjectID , p.Name AS Protocol , o.Name AS Outcome , ch.AttemptDate , ch.IPAddress , ch.Port , c.label as Credential , ch.Message FROM history.t_connectionhistory ch INNER JOIN jobs.t_JobLocationProjectIPRange AS jobProj ON jobProj.JobID = ch.JobID INNER JOIN config.t_Protocol p ON ch.ProtocolID = p.ProtocolID INNER JOIN config.t_Outcome o ON o.OutcomeID = ch.OutcomeID INNER JOIN config.t_Credential c ON c.CredentialID = CH.CredentialID WHERE ch.ProtocolID =2 AND ch.OutcomeID = 3 AND ch.IPAddress IN (SELECT HostnameOrIP FROM unscanned) -- === Change this line ==== -- AND jobProj.ProjectID = 41 -- ========================= -- ORDER BY AttemptDate DESC |
...