cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
pskup
Engaged Sweeper III
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.
1 ACCEPTED SOLUTION
Bruce_B
Lansweeper Alumni
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.

View solution in original post

5 REPLIES 5
Bruce_B
Lansweeper Alumni
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.
pskup
Engaged Sweeper III
I found out that the message was from vpn devices connected to the firewall, so i had to exclude those too. I split up all ip ranges to exclude all these single IPs. Sadly scanning targets now look a little messed up.

Maybe for further development: Excluding a single ip in "Scanning Exclusions" should exactly do this. Excluding the IP completely by splitting up the ranges without the necessity for the user to do so.

Thanks for your help.

Bruce.B wrote:
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


pskup
Engaged Sweeper III
I set up an IP range that excludes the firewall.

For example:
192.168.15.1 - 192.168.15.240
192.168.15.242 - 192.168.15.254
So 241, the firewall, is left out.

I still got the ssh login attempt. Interestingly some minutes after scanning is finished.

I will try some other changes next week. Thanks so long for your support.


Bruce.B wrote:
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


brandon_jones
Champion Sweeper III
Have you tried removing the SSH credentials from the scanning credentials settings?

pskup wrote:
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.


pskup
Engaged Sweeper III
Hello Brandon, thanks for your answer. Yes, i deactivated it completely. That stopped the faulty scanning. But i need SSH scanning credentials for some other devices. I just want to exclude the firewall.

At the asset page LS shows an exclusion message.
"This IP address is excluded from scanning!"
But LS still scan that asset.


Brandon wrote:
Have you tried removing the SSH credentials from the scanning credentials settings?