Discussion:
Way to block port scanners?
Frost, Mark {BIS}
2013-06-17 15:19:09 UTC
Hello. We've an internal machine somewhere that is likely doing some kind of scanning for vulnerabilities. I can't get any details about this particular machine, but it's regularly creating FDC files in our MQ instances due to the funky way it's hitting the port for the queue manager.

I suspect the answer is "no", but I don't suppose MQ provides some mechanism for me to block this particular connection? I'm getting rather tired of cleaning up those FDC files. (We get alerts whenever an FDC file is generated).

I'm running MQ 7.0.1.6 on HPUX.

Thanks

Mark


To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Potkay, Peter M (CTO Architecture + Engineering)
2013-06-17 15:34:42 UTC
At MQ version 7.0.1 you are outta luck with a built in solution.

But at MQ 7.1 and newer you can set up a CHLAUTH rule to block connections from the IP address of that internal machine.

See this post:
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocking_ip_addresses_with_chlauth_which_type_to_use?lang=en



Peter Potkay


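The CHLAUTH approach described in the reply above, as an added example that is not part of the original post: MQSC commands for MQ 7.1 or later, entered in runmqsc against the queue manager. The address 192.0.2.10 and the channel name APP.SVRCONN are placeholders, not values from this thread.

```mqsc
* Added example. 192.0.2.10 and APP.SVRCONN are placeholders.

* Channel authentication records are only enforced when CHLAUTH is enabled
* on the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Option 1: BLOCKADDR. The listener checks the source address before the
* channel name is known, so the rule applies to every inbound channel.
* BLOCKADDR rules must use the generic channel name '*'.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('192.0.2.10')

* Option 2: ADDRESSMAP with USERSRC(NOACCESS). The check happens once the
* channel name has been received, so the block can be limited to one channel.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(NOACCESS) +
    DESCR('Refuse internal scanner (placeholder address)')

* Confirm what is now in force.
DISPLAY CHLAUTH('*') TYPE(BLOCKADDR) ALL
DISPLAY CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ALL
```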
Paul Clarke
2013-06-17 15:48:28 UTC
Hi,

What are the FDC files generated? If they are the ‘bad data received’ – then the data might tell you something. It might not be a network pinger but a badly configured application that is using the wrong port.

Most network pingers that I am aware of just connect and then immediately disconnect without sending any data. Recent versions of MQ have not reported this as an error I believe, although you can switch on error reporting if you wish. However, my memory was that we only issued an error message not raised an FDC. I can’t remember what versions of MQ we made the changes though and I no longer have access to the code to check I’m afraid. However, taking a closer look at the FDC might be a good idea.

Cheers,
P.

Paul Clarke
www.mqgem.com

Bob Juch
2013-06-17 15:43:27 UTC
Mark,

MQ doesn't do that but you can configure a software firewall on your
HPUX system to block all ports but the few you use. You can also log
the IP address of whoever's doing the scanning.

Bob Juch
Juch Services LLC


David Awerbuch (BLOOMBERG/ 731 LEXIN)
2013-06-17 15:59:39 UTC
Hi Mark,

I have RFE 32683 with IBM for that one already. Please vote for it.
Also let me know if you would require additional selection / filter capability beyond what I have asked for, I will update the RFE as needed.

Dave



<< Seriously? I don't understand why you don't understand what I don't understand!! >>
Michael Dag
2013-06-17 15:43:22 UTC
Hi Mark,

Out of the box you are out of luck with 7.0.1.6

But have used logip / block ip channel exits in the past to find out where
these scanners came from.

See http://www.mrmq.dk/index.htm?BlockIP2.htm for more details



Michael



