ITM Nuggets: TEMS - How to detect where port scans are coming from on your network
As usual, I like to blog about areas of ITM that I cover when working with you, either through PMRs or directly on customer sites.
Today's topic is port scanners being run against the TEMS.
If you are seeing communication issues such as suspended connections with your TEMS, this procedure will help you identify where the non-ITM connections are being sourced (sent) from.
These connections are, 99 times out of 100, a port scanner being run against the TEMS IP address and port. This process will give you the source IP address, so you can check that server for scanners being run and create an exception so that server no longer scans your TEMS going forward.
Before starting, I need to point out that there are known limitations when using port scanners with ITM. Details can be found here:
http://www-01.ibm.com/support/docview.wss?uid=swg21686917
What you need to do:
Set the required debug parameters:
You need to set the following three parameters in the TEMS ms.config file:
- KDC_DEBUG=Y
- KDE_DEBUG=Y
- KDEB_TRACE_ACCEPT=YES
You also need a diagnostic code patch to reveal the required information. An IBM support representative will provide this diagnostic through the PMR system.
- The TEMS also needs the diagnostic IV85368
More details on diagnostic IV85368: http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IV85368
Increase the log file size:
With these trace parameters set, the TEMS will generate a lot of tracing, so my recommendation is to increase the size and the number of log files the TEMS writes to before they wrap around and overwrite themselves.
The last thing you want is to set this up, have a scan run, and then find you did not capture the information in the logs that would identify where it came from.
How to increase the number of log files on a Linux / Unix based system (direct link to YouTube: http://ow.ly/tNLB305JImr)
How to increase the number of log files on a Windows based system (direct link to YouTube: http://ow.ly/G7i72)
Collecting the logs
As soon as the problem has occurred, run a PDCollect on the TEMS in question to capture the logs. It's important you do this as soon as possible after you see an issue with communications on the TEMS. Even though we have increased the size and number of logs on the TEMS, the tracing being used will push a lot of data into the trace, so you don't want to miss the window containing the information you need.
How to run a PDCollect on a Linux / Unix based system
How to run a PDCollect on a Windows based system
How to review the logs:
Search through all the RTEMS RAS1 logs for occurrences of "resuming". You will see all the messages that resume the connections via pipe/spipe.
Immediately above each resume message, you will see a message with "Accept from" followed by an IP address. That IP address is the source of the packet that resumed the connection.
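As an added example (not from the original post or from IBM), here is a small Python script that does the review step above mechanically: it walks RAS1 log lines looking for "resuming", takes the "Accept from" message directly above each one, and tallies the source IP addresses so the busiest source stands out. The sample log lines are constructed; only the two phrases "Accept from" and "resuming" come from the post, and the line format around them is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample excerpt, not a real TEMS RAS1 log. The surrounding line
# format (timestamp prefix, wording after the IP) is an assumption; only the
# two substrings the post tells you to search for, "Accept from <ip>" and
# "resuming", are taken from the post.
SAMPLE_LOG = """\
2024-03-01 10:00:00 Accept from 10.20.30.40
2024-03-01 10:00:00 resuming pipe connection
2024-03-01 10:00:05 Accept from 192.0.2.77
2024-03-01 10:00:05 resuming spipe connection
2024-03-01 10:00:06 heartbeat from managed system
2024-03-01 10:00:09 Accept from 10.20.30.40
2024-03-01 10:00:09 resuming pipe connection
2024-03-01 10:00:12 resuming pipe connection
"""

# IPv4 or IPv6 literal following "Accept from".
ACCEPT_RE = re.compile(r"Accept from\s+([0-9A-Fa-f:.]+)")


def find_resume_sources(lines, window=1):
    """Count, per source IP, the "Accept from" messages that sit directly
    above a "resuming" message.

    window: how many lines above a "resuming" line to look for the matching
    "Accept from". The post says the message is immediately above, so the
    default is 1; a larger window tolerates interleaved trace lines.
    A "resuming" line with no "Accept from" within the window is counted
    under "unknown" rather than silently dropped, so the tally stays
    honest about what the logs actually show.
    """
    lines = list(lines)
    sources = Counter()
    for i, line in enumerate(lines):
        if "resuming" not in line:
            continue
        ip = "unknown"
        # Walk upwards from the line just above the "resuming" message.
        for prev in lines[max(0, i - window):i][::-1]:
            m = ACCEPT_RE.search(prev)
            if m:
                ip = m.group(1)
                break
        sources[ip] += 1
    return sources


def summarize(sources):
    """Return (ip, count) pairs, busiest source first, 'unknown' last."""
    return sorted(sources.items(),
                  key=lambda kv: (kv[0] == "unknown", -kv[1], kv[0]))


def scan_files(paths, window=1):
    """Run find_resume_sources over every RAS1 log path given and merge."""
    total = Counter()
    for path in paths:
        # RAS1 logs may contain non-UTF-8 bytes; one bad byte must not abort the scan.
        with open(path, encoding="utf-8", errors="replace") as fh:
            total.update(find_resume_sources(fh, window=window))
    return total


if __name__ == "__main__":
    # With no arguments, run against the constructed sample so the script is
    # demonstrable offline; otherwise pass the RAS1 log files from PDCollect.
    if len(sys.argv) > 1:
        result = scan_files(sys.argv[1:])
    else:
        result = find_resume_sources(SAMPLE_LOG.splitlines())
    for ip, count in summarize(result):
        print(f"{count:6d}  {ip}")
```

Point it at the RAS1 logs from the PDCollect (`python scan.py *.LG0 *.LG1`); the quick manual equivalent is `grep -B1 resuming` over the same files. A count under "unknown" means a resume with no "Accept from" directly above it, which is worth re-running with a larger `window` or checking by hand before concluding anything about a source.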
UID
ibm11082787