IBM Support

ITM Nuggets: TEMS - How to detect where port scans are coming from on your network

Technical Blog Post


Abstract

ITM Nuggets: TEMS - How to detect where port scans are coming from on your network

Body

As normal, I like to blog about areas of ITM that I cover when working with you, either through PMRs or directly on customer sites.

Today's topic is port scanners being run against the TEMS.

If you are seeing communication issues such as suspended connections with your TEMS, this procedure will help you identify where the non-ITM connections are being sourced (sent) from.

These connections are, 99 times out of 100, a port scanner being run against the TEMS IP address and port. This process gives you the source IP address, so you can check that server for scanners being run and create an exception so that it no longer scans your TEMS going forward.

Now I need to point out, to start with, that there are known limitations when using port scanners with ITM. Details can be found here:

http://www-01.ibm.com/support/docview.wss?uid=swg21686917

What you need to do:

Set the required debug parameters:

You need to set three parameters in the TEMS config file (ms.config). The TEMS must be recycled for the new settings to take effect.

  1. KDC_DEBUG=Y
  2. KDE_DEBUG=Y
  3. KDEB_TRACE_ACCEPT=YES

You also need a diagnostic code patch to reveal the required information. An IBM support representative will provide this diagnostic through the PMR system:

  1. The TEMS also needs the diagnostic IV85368

More details on diagnostic IV85368: http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IV85368

Increase the log file size:

With these trace parameters set, the TEMS generates a lot of tracing, so my recommendation is to increase both the size and the number of log files the TEMS writes before they wrap around and overwrite themselves.

The last thing you want is to set this up, have a scan run, and then find that the logs no longer contain the information you need to identify where it came from.
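Here is an added example of how the two edits described above (the three trace parameters, and the log sizing) would sit together in the TEMS configuration file on Linux / Unix. It is not from the IBM post. The file location, the Windows equivalent, and the meaning of the COUNT, LIMIT, PRESERVE and MAXFILES keywords on the KBB_RAS1_LOG line are my recollection of the ITM documentation and should be checked against the existing line in your own config file before you edit it; the path and the values are placeholders, not a recommendation.

```ini
# Added example, not from the IBM post. Assumed file location on Linux / Unix:
#   $CANDLEHOME/config/<hostname>_ms_<temsname>.config
# On Windows the equivalent is assumed to be <ITMHOME>\CMS\KBBENV.
# Recycle the TEMS after saving for any of these settings to take effect.

# 1. Trace parameters named in the post.
KDC_DEBUG=Y
KDE_DEBUG=Y
KDEB_TRACE_ACCEPT=YES

# 2. RAS1 log sizing. The file already contains a KBB_RAS1_LOG line: keep its
# existing log path and INVENTORY values and only raise the keyword values.
# Assumed meanings (verify against your ITM documentation):
#   COUNT    = number of log files kept in the inventory
#   LIMIT    = maximum size of each log file, in MB
#   PRESERVE = number of files from the start of the run that are never overwritten
#   MAXFILES = upper bound on the number of files created
# Placeholder path and values below; pick sizes that cover your scan window.
KBB_RAS1_LOG=/opt/IBM/ITM/logs/tems01_ms_ras1.log INVENTORY=/opt/IBM/ITM/logs/tems01_ms_ras1.inv COUNT=10 LIMIT=50 PRESERVE=1 MAXFILES=20
```

Because the trace is verbose, size the files so that the full window between a scan starting and you running the PDCollect fits inside COUNT x LIMIT; once the inventory wraps, the "Accept from" lines you need are gone.
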


How to increase the number of log files on a Linux / Unix based system (direct link to YouTube): http://ow.ly/tNLB305JImr

How to increase the number of log files on a Windows based system (direct link to YouTube): http://ow.ly/G7i72

Collecting the logs

As soon as the problem has occurred, run a PDCollect on the TEMS in question to capture the logs. It is important that you do this as soon as possible after you see a communication issue on the TEMS: even though we have increased the size and number of logs, the tracing in use pushes a lot of data into the trace, and you do not want to miss the window containing the information you need.


How to run a PDCollect on a Linux / Unix based system

How to run a PDCollect on a Windows based system


How to review the logs:

Search through all the RTEMS RAS1 logs for occurrences of "resuming". These are the messages that resume the connections via pipe/spipe.

Immediately above each resume message you will see a message with "Accept from" followed by an IP address. That IP address is the address that sent the packet which resumed the connection.

These are the important messages. All that should be done next is to take down the IP addresses from those messages and find out which machine or agent each IP address belongs to. If an address belongs to a NAT device or load balancer rather than a host, you will need that device's own logs to find the real source. You can then investigate with the team that owns each server whether any scanners are being run there and, if they are, raise scan exceptions for the TEMS machines.
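The following script automates the review step above: it walks RAS1 trace lines, attributes every "resuming" message to the IP address in the "Accept from" message on the line immediately above it, and tallies the hits per source address so the noisiest scanner comes out on top. It is an added example, not code from the IBM post or from ITM. The sample lines embedded in it are constructed to show the two phrases the post names; the real RAS1 line prefix (timestamp, thread, source file) differs, so the parser keys only on those phrases, and it only recognises IPv4 addresses.

```python
"""Added example (not part of the IBM post): find the source addresses of the
packets that resume TEMS connections, from RAS1 trace lines.

The post says to search the RAS1 logs for "resuming" and read the IP address
from the "Accept from" message immediately above. This does exactly that for
every match and counts the hits per address.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# "Accept from <ipv4>[:port]" -- the address that sent the resuming packet.
ACCEPT_RE = re.compile(r"Accept from\s+(\d{1,3}(?:\.\d{1,3}){3})")
# The resume message itself; the post only says it contains "resuming".
RESUME_RE = re.compile(r"\bresuming\b", re.IGNORECASE)

# Constructed sample lines. The prefix format is a placeholder and does not
# reproduce a real RAS1 capture; only the two key phrases matter to the parser.
SAMPLE_RAS1 = """\
(5A1B2C3D.0000-4:kdex.c,100,"accept") Accept from 10.20.30.40:51234
(5A1B2C3D.0001-4:kdex.c,120,"resume") resuming connection via spipe
(5A1B2C3D.0002-6:kdey.c,300,"hb") heartbeat from agent
(5A1B2C3D.0003-4:kdex.c,100,"accept") Accept from 10.20.30.40:51235
(5A1B2C3D.0004-4:kdex.c,120,"resume") resuming connection via spipe
(5A1B2C3D.0005-4:kdex.c,100,"accept") Accept from 192.168.5.9:60010
(5A1B2C3D.0006-4:kdex.c,120,"resume") resuming connection via pipe
(5A1B2C3D.0007-4:kdex.c,120,"resume") resuming connection via pipe
"""


def resume_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Map each source IP to the number of connection resumes it triggered.

    A resume is attributed to the IP in the "Accept from" message on the line
    immediately above it, as the post describes. A resume whose preceding
    line is not an Accept is counted under "unknown" rather than dropped, so
    you can go back and inspect those cases by hand.
    """
    counts: Counter = Counter()
    prev_ip = None
    for raw in lines:
        line = raw.rstrip("\r\n")  # tolerate Windows and Unix line endings
        if not line.strip():
            continue
        m = ACCEPT_RE.search(line)
        if m:
            prev_ip = m.group(1)   # remember the address for the next line only
            continue
        if RESUME_RE.search(line):
            counts[prev_ip or "unknown"] += 1
        prev_ip = None             # only the immediately preceding Accept counts
    return dict(counts)


def ranked_sources(counts: Dict[str, int]) -> List[Tuple[str, int]]:
    """Most frequent source first; ties broken by address for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def scan_files(paths: Iterable[str]) -> Dict[str, int]:
    """Run resume_sources over several RAS1 log files and merge the totals."""
    total: Counter = Counter()
    for path in paths:
        with open(path, "r", errors="replace") as fh:
            total.update(resume_sources(fh))
    return dict(total)


if __name__ == "__main__":
    import sys

    # With no arguments, process the constructed sample above.
    if len(sys.argv) > 1:
        result = scan_files(sys.argv[1:])
    else:
        result = resume_sources(SAMPLE_RAS1.splitlines())
    for ip, n in ranked_sources(result):
        print(f"{n:6d}  {ip}")
```

Run it with no arguments to see the sample, or pass the RAS1 log files from the PDCollect output as arguments (for example `python3 resume_sources.py /path/to/pdcollect/logs/*_ms_*.log`; the path is illustrative). The address with the highest count is the first one to chase with the server's owning team.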

UID

ibm11082787