Server Lockdown During Port Scanning?

Issues related to configuring your network
NicB
Posts: 3
Joined: 2015/05/04 16:09:59

Server Lockdown During Port Scanning?

Post by NicB » 2015/05/04 16:28:42

I'm running SAINT8 PCI internal scans on a test environment. Something weird is happening (only when I scan the database servers; everything else is fine, and I've never run into this before). The very moment the DB servers detect the nmap port scan, they go into "lockdown" for exactly 10 minutes. This is happening on various server configs. Not sure if it's SELinux, but essentially you can't communicate with the server for 10 minutes. It doesn't crash, as the uptime for the server and MySQL is still fine.

DB1 - Centos 5 - MySQL
DB2 - Centos 6.6 - Percona Mysql
DB3 - Centos 6.6 - Percona Mysql
DB4 - Centos 6.6 - Percona Mysql
SELinux Enforcing


Any thoughts on why this 'lockdown' is occurring? :|

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Server Lockdown During Port Scanning?

Post by avij » 2015/05/04 18:30:13

Do you perhaps have fail2ban installed (and misconfigured)?

NicB
Posts: 3
Joined: 2015/05/04 16:09:59

Re: Server Lockdown During Port Scanning?

Post by NicB » 2015/05/04 22:28:59

No, fail2ban is not installed. MySQL isn't showing any interruption or errors. The firewalls also have no limits on portscans, and all other zones can scan without issues.

:|

NicB
Posts: 3
Joined: 2015/05/04 16:09:59

Re: Server Lockdown During Port Scanning?

Post by NicB » 2015/05/04 22:36:56

Here are the logs: (192.168.40.1 is the gateway IP, where the nmap traffic is coming from)


[root@db2 log]# cat messages | grep "May  3 20:"
May  3 20:04:52 db2 audispd: node=db2.example.com type=CRYPTO_KEY_USER msg=audit(1430705092.107:179428): user pid=7948 uid=0 auid=500 ses=13424 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d9:7d:bd:1b:37:76:80:96:ac:b4:f7:ac:02:f2:64:ea direction=? spid=7948 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.40.1 terminal=? res=success'
May  3 20:04:52 db2 audispd: node=db2.example.com type=CRYPTO_KEY_USER msg=audit(1430705092.108:179429): user pid=7948 uid=0 auid=500 ses=13424 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=75:8b:7c:5e:a9:ea:ad:a0:a6:3e:b5:00:36:58:93:67 direction=? spid=7948 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.40.1 terminal=? res=success'
May  3 20:04:53 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705093.361:179430): table=filter family=2 entries=14
May  3 20:04:53 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705093.361:179430): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=a63020 items=0 ppid=7950 pid=7965 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:04:53 db2 audispd: node=db2.example.com type=EOE msg=audit(1430705093.361:179430):
May  3 20:04:53 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705093.364:179431): table=filter family=2 entries=15
May  3 20:04:53 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705093.364:179431): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=14db190 items=0 ppid=7950 pid=7966 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:15:23 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705723.972:179438): table=filter family=2 entries=16
May  3 20:15:23 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705723.972:179438): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=a68230 items=0 ppid=7988 pid=8002 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:15:23 db2 audispd: node=db2.example.com type=EOE msg=audit(1430705723.972:179438):
May  3 20:15:23 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705723.975:179439): table=filter family=2 entries=15
May  3 20:15:23 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705723.975:179439): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=10450b0 items=0 ppid=7988 pid=8004 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:15:23 db2 audispd: node=db2.example.com type=EOE msg=audit(1430705723.975:179439):
May  3 20:18:32 db2 audispd: node=db2.example.com type=CRYPTO_KEY_USER msg=audit(1430705912.226:179440): user pid=8086 uid=0 auid=500 ses=13424 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d9:7d:bd:1b:37:76:80:96:ac:b4:f7:ac:02:f2:64:ea direction=? spid=8086 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.40.1 terminal=? res=success'
May  3 20:18:32 db2 audispd: node=db2.example.com type=CRYPTO_KEY_USER msg=audit(1430705912.226:179441): user pid=8086 uid=0 auid=500 ses=13424 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=75:8b:7c:5e:a9:ea:ad:a0:a6:3e:b5:00:36:58:93:67 direction=? spid=8086 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.40.1 terminal=? res=success'
May  3 20:18:32 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705912.242:179442): table=filter family=2 entries=14
May  3 20:18:32 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705912.242:179442): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=1252020 items=0 ppid=8088 pid=8103 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:18:32 db2 audispd: node=db2.example.com type=EOE msg=audit(1430705912.242:179442):
May  3 20:18:32 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705912.244:179443): table=filter family=2 entries=15
May  3 20:18:32 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430705912.244:179443): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=255b190 items=0 ppid=8088 pid=8104 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:29:02 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430706542.873:179450): table=filter family=2 entries=16
May  3 20:29:02 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(1430706542.873:179450): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=0 a2=40 a3=1ba9230 items=0 ppid=8119 pid=8134 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=29075 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
May  3 20:29:02 db2 audispd: node=db2.example.com type=EOE msg=audit(1430706542.873:179450):
May  3 20:29:02 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430706542.876:179451): table=filter family=2 entries=15
May  3 20:29:02 db2 audispd: node=db2.example.com type=SYSCALL msg=audit(14307
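Added here as an illustration, not code from the original thread: a small parser for the audispd NETFILTER_CFG lines above that tracks the `entries` count per table and flags a rule addition followed by a removal roughly ten minutes later, which is the footprint a ban-and-expire tool would leave in the audit log. The sample lines are constructed in the format shown in the post; the 600-second window and 60-second tolerance are assumptions.

```python
import re

# Constructed sample lines, following the audispd NETFILTER_CFG format seen in the thread.
SAMPLE_LOG = """\
May  3 20:04:53 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705093.361:179430): table=filter family=2 entries=14
May  3 20:04:53 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705093.364:179431): table=filter family=2 entries=15
May  3 20:15:23 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705723.972:179438): table=filter family=2 entries=16
May  3 20:15:23 db2 audispd: node=db2.example.com type=NETFILTER_CFG msg=audit(1430705723.975:179439): table=filter family=2 entries=15
"""

# Pull the audit epoch timestamp, the table name and the post-change rule count.
NETFILTER_RE = re.compile(
    r"type=NETFILTER_CFG msg=audit\((?P<ts>\d+\.\d+):\d+\): "
    r"table=(?P<table>\w+) family=\d+ entries=(?P<entries>\d+)"
)


def parse_netfilter_events(text):
    """Return (epoch_seconds, table, entries) for every NETFILTER_CFG line."""
    events = []
    for line in text.splitlines():
        m = NETFILTER_RE.search(line)
        if m:
            events.append((float(m.group("ts")), m.group("table"), int(m.group("entries"))))
    return events


def rule_count_changes(events):
    """Compare consecutive counts per table; yield (ts, table, delta) when the count moved."""
    changes, last = [], {}
    for ts, table, entries in events:
        if table in last and entries != last[table]:
            changes.append((ts, table, entries - last[table]))
        last[table] = entries
    return changes


def find_add_then_remove(changes, window_sec=600, tolerance_sec=60):
    """Pair each rule addition with a later removal on the same table that lands
    within tolerance_sec of window_sec after it; returns (add_ts, remove_ts, gap)."""
    hits = []
    adds = [c for c in changes if c[2] > 0]
    removes = [c for c in changes if c[2] < 0]
    for add_ts, add_table, _ in adds:
        for rm_ts, rm_table, _ in removes:
            gap = rm_ts - add_ts
            if rm_table == add_table and abs(gap - window_sec) <= tolerance_sec:
                hits.append((add_ts, rm_ts, round(gap)))
    return hits
```

Run it over `/var/log/messages` (or `ausearch -m NETFILTER_CFG`) output instead of the sample to see whether each scan start lines up with a rule being added and dropped about ten minutes later.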
