Notification

Icon
Error

Scanning despite exclusion - LS is scanning firewall despite not wanted

Posted: Monday, August 3, 2020 11:33:07 AM(UTC)
pskup

pskup

Member Original PosterPosts: 27
0
Like
This issue has been solved! Click here to view the solution
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.
Brandon
#1Brandon Member Posts: 43  
posted: 8/4/2020 3:03:46 PM(UTC)
Have you tried removing the SSH credentials from the scanning credentials settings?

Originally Posted by: pskup Go to Quoted Post
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.


pskup
#2pskup Member Original PosterPosts: 27  
posted: 8/4/2020 3:28:32 PM(UTC)
Hello Brandon, thanks for your answer. Yes, i deactivated it completely. That stopped the faulty scanning. But i need SSH scanning credentials for some other devices. I just want to exclude the firewall.

At the asset page LS shows an exclusion message.
"This IP address is excluded from scanning!"
But LS still scan that asset.


Originally Posted by: Brandon Go to Quoted Post
Have you tried removing the SSH credentials from the scanning credentials settings?
Bruce.B
#3Bruce.B Member Administration Posts: 561  
posted: 8/4/2020 4:27:51 PM(UTC)
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.
pskup
#4pskup Member Original PosterPosts: 27  
posted: 8/7/2020 2:59:05 PM(UTC)
I set up an IP range that excludes the firewall.

For example:
192.168.15.1 - 192.168.15.240
192.168.15.242 - 192.168.15.254
So 241, the firewall, is left out.

I still got the ssh login attempt. Interestingly some minutes after scanning is finished.

I will try some other changes next week. Thanks so long for your support.


Originally Posted by: Bruce.B Go to Quoted Post
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


pskup
#5pskup Member Original PosterPosts: 27  
posted: 8/14/2020 7:27:08 AM(UTC)
I found out that the message was from vpn devices connected to the firewall, so i had to exclude those too. I split up all ip ranges to exclude all these single IPs. Sadly scanning targets now look a little messed up.

Maybe for further development: Excluding a single ip in "Scanning Exclusions" should exactly do this. Excluding the IP completely by splitting up the ranges without the necessity for the user to do so.

Thanks for your help.

Originally Posted by: Bruce.B Go to Quoted Post
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


Active Discussions

Lansweeper Show attached USB devices
by  Dannnnooo   Go to last post Go to first unread
Last post: Today at 10:42:17 AM(UTC)
Lansweeper Lansweeper Ubiquiti AP Bullet Devices
by  Beta_Tester  
Go to last post Go to first unread
Last post: Today at 8:59:06 AM(UTC)
Lansweeper Report to find ScanServer 'not working'
by  Rocher Vincent   Go to last post Go to first unread
Last post: Today at 8:07:26 AM(UTC)
Lansweeper Security: HSTS Missing
by  Grey  
Go to last post Go to first unread
Last post: Yesterday at 9:36:49 PM(UTC)
Lansweeper Include custom ticket fields as email tags
by  brownscar   Go to last post Go to first unread
Last post: 9/29/2020 4:09:02 PM(UTC)
Lansweeper SSH - Keyboard Interactive Authentication
by  blackmoonwolf  
Go to last post Go to first unread
Last post: 9/29/2020 1:21:59 PM(UTC)
Lansweeper Lansweeper Dark Theme
by  blackmoonwolf   Go to last post Go to first unread
Last post: 9/29/2020 1:18:32 PM(UTC)
Lansweeper Drag and Drop Email
by  Chris Durham  
Go to last post Go to first unread
Last post: 9/29/2020 7:13:09 AM(UTC)