MQSeries.net :: General Discussion :: Port Scanner
Ganford
Posted: Wed Sep 02, 2020 4:33 am

Novice

Joined: 09 Aug 2011
Posts: 22

EddieA wrote:
My guess is that Nessus is trying to determine exactly what is listening to that port, and is confused. It thinks MQSeries is SSL.

Cheers,


Hi, does somebody maybe know how it really looks between a vulnerability scanner and IBM MQ? I am currently getting a lot of errors from generic scanner features on MQ. Also, many FDC files are always created. From asking IBM and checking the options, I have not really found ways to fix this behavior on the MQ side.

Still, I would be grateful for any other option. Currently I am asking the architects to stop the vulnerability scanner towards MQ, or at least disable the generic scan, but maybe there is another way around it.

The scanner is also initiated from local and over the LB, so I am not able to distinguish it from other real production connections.
Vitor
Posted: Wed Sep 02, 2020 4:48 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26042
Location: Texas, USA

Ganford wrote:
I have not really ways to fix this behavior on MQ side.


No, you don't. MQ thinks anything coming in on its port is a connection attempt from another MQ component, and throws an FDC because it's not a valid MQ handshake.

Ganford wrote:
Currently I am asking architects to stop vulnerability scanner towards MQ or at least disable generic scan


That's the only effective way: to "white-list" the open MQ port in the scanner.

My own experience is similar, but I was blessed that queue manager errors and FDC files automatically raised a trouble ticket. One of my minions did something Javascript-ish to identify which tickets were the result of the port scan (originating IP address? Source connection name? Tarot cards?) and automatically reassign them to the security team for closure.

They stopped the scan about 2 weeks later. Turned out they'd been getting grief from the database people for years about the same problem, so there was happiness for all.
_________________
Honesty is the best policy.
Insanity is the best defence.
PeterPotkay
Posted: Wed Sep 02, 2020 4:13 pm

Poobah

Joined: 15 May 2001
Posts: 7623

You want to use AMQ_NO_BAD_COMMS_DATA_FDCS.
It keeps MQ from generating FDCs when scanners hit it.

https://www.ibm.com/support/pages/apar/IT30348
_________________
Peter Potkay
Keep Calm and MQ On
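The two practical points in this thread are Vitor's triage (sort the bad-handshake FDCs by originating address so scanner noise can be routed away from real incidents) and Peter's fix (AMQ_NO_BAD_COMMS_DATA_FDCS from APAR IT30348). The shell script below is an added example written for this page; it is not code from the thread, from IBM, or from either poster. It assumes that FDC files sit in /var/mqm/errors and carry the standard header fields "Date/Time" and "Probe Description", that a bad-handshake FDC reports message AMQ9207 ("The data received from host '...' is not valid") in that description, and that the scanner's source addresses are known to you. The FDC header excerpts it writes are constructed samples, and the value TRUE for the environment variable is an assumption taken from the usual documentation style; check the APAR text for your level.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): classify bad-handshake FDCs by
# remote host, then show where the AMQ_NO_BAD_COMMS_DATA_FDCS switch has to be set.
#
# Assumptions: FDCs in /var/mqm/errors with "Date/Time" and "Probe Description"
# header fields; bad-comms probes carry AMQ9207 in the description; the scanner
# addresses below are placeholders for your own. All sample data is constructed.

SCANNER_HOSTS="${SCANNER_HOSTS:-10.20.30.40 10.20.30.41}"

# Write four constructed FDC header excerpts into $1: two AMQ9207 probes from the
# scanner addresses, one AMQ9207 from an unknown host, one unrelated probe.
write_sample_fdcs() {
    dir=$1
    n=0
    for spec in \
        'AMQ9207|10.20.30.40|Wed September 02 2020 04:30:12 CEST' \
        'AMQ9207|10.20.30.41|Wed September 02 2020 04:30:13 CEST' \
        'AMQ9207|192.168.7.9|Wed September 02 2020 05:01:44 CEST' \
        'AMQ6109|-|Wed September 02 2020 06:15:00 CEST'
    do
        n=$((n + 1))
        code=${spec%%|*}; rest=${spec#*|}
        host=${rest%%|*};  when=${rest#*|}
        if [ "$code" = AMQ9207 ]; then
            desc="AMQ9207: The data received from host '$host' on channel '????' is not valid."
        else
            desc="AMQ6109: An internal IBM MQ error has occurred."
        fi
        cat > "$dir/AMQ1234$n.0.FDC" <<EOF
+-----------------------------------------------------------------------------+
| IBM MQ First Failure Symptom Report (constructed sample header)              |
| Date/Time         :- $when
| Host Name         :- mqhost1
| Probe Description :- $desc
+-----------------------------------------------------------------------------+
EOF
    done
}

# Print "<remote host> <count>" for every FDC in $1 whose probe reports bad data
# received (AMQ9207), busiest host first. The host insert may be "name (ip)";
# the second sed keeps just the address in that case.
bad_comms_by_host() {
    dir=$1
    grep -h 'Probe Description .*AMQ9207' "$dir"/*.FDC 2>/dev/null \
        | sed -n "s/.*from host '\([^']*\)'.*/\1/p" \
        | sed 's/.*(\(.*\))/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Total AMQ9207 FDCs from the known scanner addresses ($2=scanner) or from
# everyone else ($2=other). The "other" bucket deserves a look: a real client
# with a broken TLS configuration produces exactly the same probe.
count_bad_comms_fdcs() {
    dir=$1; which=$2
    bad_comms_by_host "$dir" | while read -r host count; do
        case " $SCANNER_HOSTS " in
            *" $host "*) [ "$which" = scanner ] && printf '%s\n' "$count" ;;
            *)           [ "$which" = other ]   && printf '%s\n' "$count" ;;
        esac
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Peter's fix. Like other AMQ_* variables it must be in the environment of the
# user who runs strmqm, because the queue manager processes inherit it; set it
# in the mqm profile or service definition and restart. Value TRUE is assumed.
restart_without_bad_comms_fdcs() {
    qm=$1
    AMQ_NO_BAD_COMMS_DATA_FDCS=TRUE
    export AMQ_NO_BAD_COMMS_DATA_FDCS
    endmqm -i "$qm" && strmqm "$qm"
}

# Usage on a live system (run as mqm):
#   bad_comms_by_host /var/mqm/errors
#   count_bad_comms_fdcs /var/mqm/errors scanner
#   restart_without_bad_comms_fdcs QM1
```

The per-host grouping only separates the scanner from real clients when the scanner connects directly; through a load balancer every connection carries the LB's address, which is exactly the situation Ganford describes, and there the environment variable is the only thing that stops the FDC churn. Note that the switch suppresses the FDC files only; the listener still rejects the bogus handshake, so the scanner's own findings are unaffected.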
gbaddeley
Posted: Wed Sep 02, 2020 4:48 pm

Jedi

Joined: 25 Mar 2003
Posts: 2153
Location: Melbourne, Australia

AFAIK, MQ does not use OpenSSL libraries; it implements its own SSL / TLS protocol management code. It looks like your scanner attempts to initiate an SSL session on the MQ port, and the MQ Message Channel Agent does not like it. MQ works with SSL 3+ and TLS 1+ versions; it doesn't know anything about OpenSSL versions.
_________________
Glenn
PeterPotkay
Posted: Wed Sep 02, 2020 5:51 pm

Poobah

Joined: 15 May 2001
Posts: 7623

Glenn,
The OpenSSL-related question in this thread is from 2004.

Ganford resurrected the 16-year-old thread asking about scanners against MQ in general. We deal with it all the time, but not since we took advantage of AMQ_NO_BAD_COMMS_DATA_FDCS. Now they can scan and we don't need to mop up any FDC files.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Thu Sep 03, 2020 5:00 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26042
Location: Texas, USA

PeterPotkay wrote:
You want to use AMQ_NO_BAD_COMMS_DATA_FDCS.
It keeps MQ from generating FDCs when scanners hit it.

https://www.ibm.com/support/pages/apar/IT30348


I find myself enlightened!
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Sep 03, 2020 10:01 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6191

Split off from the original 2004 post...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Copyright MQSeries.net. All rights reserved.