Versions Compared

Old Version 9

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


The ScanEngine typically logs into Unix/Linux hosts using the SSH protocol (which is usually on port 22).

Login failures using the SSH protocol are indicative of credential problems (wrong login id, wrong password, account without permission to login from given IP Address, and so forth). To find hosts that can not be scanned for non-credential reasons, this query might help instead.

SSH Connection Failure (Per Project)

Note that this query will list ALL login failures for a project - helpful when determining if your credentials are in the wrong order as well as finding hosts you cannot log in to. Getting your credentials in the correct order (i.e. minimizing failed login attempts) will reduce the risk of locking out an account and also speed up the scan.following query will list all targets that iQSonar was unable to log in to, which we suspect are running Linux or a Unix-type OS


Code Block
languagesql
themeMidnight
titleProtocol 2 is SSH
--SSH Login Failure
SELECT jobProj.ProjectID
      , p.Name AS Protocol
	  , o.Name AS Outcome
	  , ch.AttemptDate
	  , ch.IPAddress
	  , ch.Port
	  , c.label as Credential
	  , ch.Message
FROM history.t_connectionhistory ch
  INNER JOIN jobs.t_JobLocationProjectIPRange AS jobProj ON jobProj.JobID = ch.JobID
  INNER JOIN config.t_Protocol p ON ch.ProtocolID = p.ProtocolID
  INNER JOIN config.t_Outcome o ON o.OutcomeID = ch.OutcomeID
  INNER JOIN config.t_Credential c ON c.CredentialID = CH.CredentialID
WHERE ch.ProtocolID=2 
  AND ch.OutcomeID = 3 
-- === Change this line ==== --
   AND jobProj.ProjectID = 1
-- ========================= --
ORDER BY AttemptDate DESC

...

List Unix hosts with Access Denied error
SELECT p.Name as Project
     , TargetName
     , HostnameOrIP
     , SuspectedOrScannedOS
     , Status
     , Reason
FROM [history].[v_DiagnosticsDeviceList] vDDL
  INNER JOIN config.t_Project p ON vDDL.ProjectID = p.ProjectID
WHERE Reason = 'Access Denied'
  -- ==== Change This ==== --
  AND vDDL.ProjectID = 1
  -- --------------------- --
  AND SuspectedOrScannedOS in ( 
		'Unix', 'CentOS', 'Linux', 
		'Debian', 'Fedora', 'RedHat Linux 9', 
		'RedHat Enterprise Linux', 'Oracle Linux Server',
		'SunOS','SUSE Linux Enterprise','Ubuntu'
		)

Not all Unix/Linux hosts are detected on the first pass. To find

List targets and the attempted credentials

The following queries will list the targets and the credentials which failed. These queries work on older versions of iQSonar.


Info

These queries work with iQSonar releases up to and including Fu R3.

Changes were made to some underlying tables in Gwynn R1 and Gwynn R2 to reduce the amount of history saved as the diagnostic information can grow. In the Gwynn R3 release the option to preserve or delete this diagnostic can be selected in the user interface. Instructions on how to keep the history data can be found on this page.


The ScanEngine typically logs into Unix/Linux hosts using the SSH protocol (which is usually on port 22).

Login failures using the SSH protocol are indicative of credential problems (wrong login id, wrong password, account without permission to login from given IP Address, and so forth). To find hosts that can not be scanned for non-credential reasons, this query might help instead.

Code Block
languagesql
themeMidnight
titleSSH Failures for unscanned hosts
WITH unscanned AS (
	SELECT DISTINCT [HostnameOrIP]
	FROM [history].[v_DiagnosticsDeviceList]
	WHERE Status = 'Unscanned'
  -- === Change this line ==== --
	  AND ProjectID = 1
  -- ========================= --
    AND SuspectedOrScannedOS NOT LIKE '%Window%'  -- explicitly exclude targets we think are running Windows
)
SELECT jobProj.ProjectID
      , p.Name AS Protocol
	  , o.Name AS Outcome
	  , ch.AttemptDate
	  , ch.IPAddress
	  , ch.Port
	  , c.label as Credential
	  , ch.Message
FROM history.t_connectionhistory ch
  INNER JOIN jobs.t_JobLocationProjectIPRange AS jobProj ON jobProj.JobID = ch.JobID
  INNER JOIN config.t_Protocol p ON ch.ProtocolID = p.ProtocolID
  INNER JOIN config.t_Outcome o ON o.OutcomeID = ch.OutcomeID
  INNER JOIN config.t_Credential c ON c.CredentialID = CH.CredentialID
WHERE ch.ProtocolID =2
  AND ch.OutcomeID = 3 
  AND ch.IPAddress IN (SELECT HostnameOrIP FROM unscanned)
-- === Change this line ==== --
   AND jobProj.ProjectID = 1
-- ========================= --
ORDER BY AttemptDate DESC

...