Notification

Icon
Error

Scanning despite exclusion - LS is scanning firewall despite not wanted

Posted: Monday, August 3, 2020 11:33:07 AM(UTC)
pskup

pskup

Member Original PosterPosts: 27
0
Like
This issue has been solved! Click here to view the solution
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.
Brandon
#1Brandon Member Posts: 43  
posted: 8/4/2020 3:03:46 PM(UTC)
Have you tried removing the SSH credentials from the scanning credentials settings?

Originally Posted by: pskup Go to Quoted Post
Hello community,

we have a hardware firewall which should not be scanned by ls.

Wherefore I excluded the device via asset type and ipadress in "Scanning Exclusions".

But every scanning turn i got three mails from my firewall about an "Failed SSH login" from a user set up for LS scanning.

Is there any other option for exclusion of SSH scanning on that device?

Thanks for your help.


pskup
#2pskup Member Original PosterPosts: 27  
posted: 8/4/2020 3:28:32 PM(UTC)
Hello Brandon, thanks for your answer. Yes, i deactivated it completely. That stopped the faulty scanning. But i need SSH scanning credentials for some other devices. I just want to exclude the firewall.

At the asset page LS shows an exclusion message.
"This IP address is excluded from scanning!"
But LS still scan that asset.


Originally Posted by: Brandon Go to Quoted Post
Have you tried removing the SSH credentials from the scanning credentials settings?
Bruce.B
#3Bruce.B Member Administration Posts: 561  
posted: 8/4/2020 4:27:51 PM(UTC)
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.
pskup
#4pskup Member Original PosterPosts: 27  
posted: 8/7/2020 2:59:05 PM(UTC)
I set up an IP range that excludes the firewall.

For example:
192.168.15.1 - 192.168.15.240
192.168.15.242 - 192.168.15.254
So 241, the firewall, is left out.

I still got the ssh login attempt. Interestingly some minutes after scanning is finished.

I will try some other changes next week. Thanks so long for your support.


Originally Posted by: Bruce.B Go to Quoted Post
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


pskup
#5pskup Member Original PosterPosts: 27  
posted: 8/14/2020 7:27:08 AM(UTC)
I found out that the message was from vpn devices connected to the firewall, so i had to exclude those too. I split up all ip ranges to exclude all these single IPs. Sadly scanning targets now look a little messed up.

Maybe for further development: Excluding a single ip in "Scanning Exclusions" should exactly do this. Excluding the IP completely by splitting up the ranges without the necessity for the user to do so.

Thanks for your help.

Originally Posted by: Bruce.B Go to Quoted Post
Scanning exclusions, especially asset type exclusions will not prevent all scanning queries from being sent. For asset type exclusions specifically this is due to the scanning logic having to first identify the asset's type, which may involve SSH queries. Scanning exclusions will prevent scanned data from being added after the exclusion is added.

If you want to be certain SSH isn't used to authenticate, I'd recommend instead modifying the IP Range scanning target that contains this device via Scanning\Scanning Targets and enabling the No SSH option. If the IP Range contains devices that you would like SSH to be used for, you'll need to split up the IP Range into multiple ranges first. Create as many smaller ranges as are necessary and delete the larger range.


Active Discussions

Lansweeper zerologin posted report
by  Antikas   Go to last post Go to first unread
Last post: Today at 9:42:54 AM(UTC)
Lansweeper Report doesn't show empty results for a field
by  AlexMZetec  
Go to last post Go to first unread
Last post: Yesterday at 3:43:08 PM(UTC)
Lansweeper Renamed Pcs / Laptops report
by  RC62N   Go to last post Go to first unread
Last post: Yesterday at 3:36:35 PM(UTC)
Lansweeper Servers without AV Report
by  Elwood472  
Go to last post Go to first unread
Last post: 9/27/2020 2:50:10 AM(UTC)
Lansweeper Adding Group by and Sum to Existing Report
by  RC62N  
Go to last post Go to first unread
Last post: 9/25/2020 3:43:49 PM(UTC)
Lansweeper Custom Fields on Report for Helpdesk Tickets
by  plangham_eurotech   Go to last post Go to first unread
Last post: 9/24/2020 2:43:41 PM(UTC)
Lansweeper September Patch Tuesday
by  Gilles B.  
Go to last post Go to first unread
Last post: 9/24/2020 7:47:49 AM(UTC)