Block Nessus with CHLAUTH still gives FDC
SvenX
Posted: Thu Jan 24, 2013 4:53 am Post subject: Block Nessus with CHLAUTH still gives FDC
Newbie
Joined: 24 Jan 2013 Posts: 2
Hi All,
Every week we get a Nessus scan on our environment.
To avoid unnecessary call-outs, I want to block the Nessus host so we don't get an FDC complaining about "invalid data from the nessus-host".
I have no control over the Nessus scan nor the firewall, so I've set up CHLAUTH.
My current setup:
Code:
display qmgr chlauth
1 : display qmgr chlauth
AMQ8408: Display Queue Manager details.
QMNAME(QM2) CHLAUTH(ENABLED)
display chlauth(*)
2 : display chlauth(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.EXPL.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(192.168.1.181) MCAUSER(mqm)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKADDR)
ADDRLIST(192.168.1.12 ,192.168.1.13)
The problem is that we still get an FDC. The logs say that it's blocking the machine and, immediately after that, it complains about a TCP/IP error.
The new FDC info:
Code:
| Major Errorcode :- rrcE_BAD_PARAMETER |
| Minor Errorcode :- OK |
| Probe Type :- INCORROUT |
| Probe Severity :- 2 |
| Probe Description :- AMQ6125: An internal WebSphere MQ error has occurred. |
| FDCSequenceNumber :- 30 |
| Comment1 :- Invalid Handle |
| Comment2 :- |
| Comment3 :- |
Any ideas? The server is AIX 6100-07, MQ 7.1.0.1.
Thank you
Sven
mqjeff
Posted: Thu Jan 24, 2013 5:05 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Side-channel solutions:
- every week that you get a page out, send a note to the full management chain of the team that manages the Nessus monitor explaining that you have been paged unnecessarily, and explain the cost incurred for that pageout - amount of money per hour you are worth, etc. etc. etc.
- investigate configuring a firewall on the AIX box itself that blocks port scanners and/or the specific known hosts that the Nessus software runs from
- investigate altering the qm configuration to cause it to ignore the relevant error messages.
- alter the configuration of your pageout system so it can recognize this particular set of circumstances and not page you for FDCs thrown by someone telnetting to your listener port
- turn off your pager
- stop monitoring the queue manager for FDCs
- alter the configuration of your pageout system so it recognizes this particular set of circumstances and pages the Nessus team, rather than you.
- alter your pageout procedures so that every time you get paged for this, you immediately page the Nessus team
And probably a few others - stop the listener, stop the qmgr, etc. etc. etc.
I don't think channel authorizations occur soon enough in the listener processing to allow you to prevent this particular message from being logged *somewhere* and *somehow*.
And I suspect that T-Rob would say that it shouldn't be allowed to stop the queue manager from logging all such connection attempts *somewhere*....
SvenX
Posted: Thu Jan 24, 2013 5:21 am Post subject:
Newbie
Joined: 24 Jan 2013 Posts: 2
Thanks for the reply.
If possible I'd like to block it at the MQ level, since that's under my control. Setting up a firewall on the AIX is plan B, but I'm not ready to go for that yet.
The monitoring I also control, so that's another path.
For clarification, I don't mind a log entry, I just don't want the FDC.
Kind regards
Sven
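mqjeff's suggestion to teach the pageout system to recognise this particular set of circumstances, and Sven's remark that the monitoring is under his control, both point at the same filter. As an added example (not from this thread and not IBM MQ code), a small Python parser for the `| Key :- Value |` FDC header lines that suppresses a page only when every field of a rule derived from the FDC quoted above matches; the second header and the `+---` separator in the sample are constructed, and anything the rule does not fully match still pages.

```python
import re

# Constructed sample: the FDC header fields quoted in the thread (seq 30),
# then a second header constructed for this example (seq 31, not from the
# thread) that shares the error code but not Comment1, so it must still page.
SAMPLE_FDC_FILE = """\
| Major Errorcode :- rrcE_BAD_PARAMETER |
| Probe Type :- INCORROUT |
| Probe Severity :- 2 |
| FDCSequenceNumber :- 30 |
| Comment1 :- Invalid Handle |
| Comment2 :- |
+-------------------------------------------+
| Major Errorcode :- rrcE_BAD_PARAMETER |
| Probe Type :- INCORROUT |
| Probe Severity :- 2 |
| FDCSequenceNumber :- 31 |
| Comment1 :- Constructed sample: some other comment |
"""

# Suppression rule taken from the thread's FDC; every listed field must match.
SCANNER_NOISE_RULE = {
    "Major Errorcode": "rrcE_BAD_PARAMETER",
    "Probe Type": "INCORROUT",
    "Comment1": "Invalid Handle",
}

# One '| Key :- Value |' header line; the value may be empty (Comment2 above).
_FIELD_RE = re.compile(r"^\|\s*(?P<key>[^|]+?)\s*:-\s*(?P<value>.*?)\s*\|$")


def parse_fdc_headers(text):
    """Split FDC text into header records (one dict per block).
    A '+---' rule line or a blank line closes the current block."""
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
        elif current and (line.startswith("+") or not line.strip()):
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def classify(header, rule=SCANNER_NOISE_RULE):
    """'suppress' only when every rule field matches exactly; anything else is 'page'."""
    return "suppress" if all(header.get(k) == v for k, v in rule.items()) else "page"
```

Wire `classify` in front of the pager so that only the known scanner-induced probe is dropped; a probe with the same error code but a different Comment1 still pages.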