AirWave and Network Management

Occasional Contributor I
Posts: 5
Registered: ‎12-12-2007

Airwave-server accused of hacking device.

My system maintenance colleagues accuse the AirWave server of hacking into their systems with repeated login attempts (telnet, smtp, http, etc.).

In the event log I can see these actions on single IP addresses:
Tue Oct 25 17:04:22 2011 System System NMAP Scan of "145.8.252.175" (145.8.252.175/255.255.255.255) using credentials "": completed: 1 probes in 144 seconds
Tue Oct 25 17:01:58 2011 System System NMAP Scan of "145.8.252.175" (145.8.252.175/255.255.255.255) using credentials "": started

Question:
- Why is AMP doing this on these single IP addresses (there are a lot more servers on the network)?
- How/where can you manage this behaviour?
Moderator
Posts: 121
Registered: ‎04-17-2009

Re: Airwave-server accused of hacking device.

AirWave will perform an operating system scan on rogue devices in an attempt to gather more information about them. These scans can be manually run or configured to be run automatically. The rogue must have an IP address for AirWave to perform the scan.

The automatic behavior is configured on the RAPIDS-->Setup page. In the Basic configuration section the setting is 'Automatically OS scan rogue devices'. If you do not want AirWave to perform NMAP scans, make sure 'No' is selected.

The scans can also be run manually from the modify devices link on the rogue list and from the identify OS button on the rogue detail page.
Occasional Contributor I
Posts: 5
Registered: ‎12-12-2007

Airwave-server accused of hacking device.

Automatically OS scan rogue devices is disabled on my AMP version 7.1.3.
There are also no rogue rules configured with OS scan enabled.
Even these systems are classified as Valid. (manual override)
But the login attempts are still there.
Any suggestions??
Moderator
Posts: 121
Registered: ‎04-17-2009

Airwave-server accused of hacking device.

If the Automatically OS scan rogue devices flag is disabled then the OS scans will not happen automatically.
It should require user interaction to initiate. If you look at the RAPIDS audit log on the bottom of the RAPIDS-->Overview page, do you see any 'Identify Operating System' lines?
If you do they will let you know who initiated the scan and when.
If you do not, please open a support case for further troubleshooting and debugging.
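
Added example, not part of any post in this thread and not AirWave code: a small Python script that reads event-log lines in the format quoted in the first post and lists, per target IP, when each NMAP scan started and completed, so the scan times can be compared with the login attempts the server administrators report. The regular expression is inferred from the two quoted lines only; treating the text between the timestamp and "NMAP Scan" as a source column is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern inferred from the two event-log lines quoted in the thread (assumption:
# the text between the timestamp and "NMAP Scan" is the event's source columns).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<source>.+?) '
    r'NMAP Scan of "[^"]*" \((?P<ip>[\d.]+)/[\d.]+\) using credentials "[^"]*": '
    r'(?P<state>started|completed)(?:: \d+ probes in (?P<secs>\d+) seconds)?$'
)

# The first two lines are from the thread; the last two are constructed samples.
SAMPLE = [
    'Tue Oct 25 17:04:22 2011 System System NMAP Scan of "145.8.252.175" (145.8.252.175/255.255.255.255) using credentials "": completed: 1 probes in 144 seconds',
    'Tue Oct 25 17:01:58 2011 System System NMAP Scan of "145.8.252.175" (145.8.252.175/255.255.255.255) using credentials "": started',
    'Tue Oct 25 18:10:03 2011 System System NMAP Scan of "192.0.2.10" (192.0.2.10/255.255.255.255) using credentials "": started',
    'Tue Oct 25 18:11:00 2011 admin Device configuration verified',
]

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an NMAP scan event
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["source"], m["ip"], m["state"], m["secs"]

def summarize_scans(lines):
    """Group scan events per target IP, pairing each start with its completion."""
    # The log is shown newest-first, so order by timestamp before pairing.
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    pending, report = {}, defaultdict(list)
    for ts, source, ip, state, secs in events:
        if state == "started":
            pending[ip] = ts
        else:
            report[ip].append({"start": pending.pop(ip, None), "end": ts,
                               "source": source,
                               "seconds": int(secs) if secs else None})
    for ip, ts in pending.items():  # started, but no completion in this export
        report[ip].append({"start": ts, "end": None, "source": None, "seconds": None})
    return dict(report)

if __name__ == "__main__":
    for ip, scans in summarize_scans(SAMPLE).items():
        for s in scans:
            print(ip, s["start"], s["end"], s["seconds"], s["source"])
```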