Why do I get entries in my server log showing hawthorne.byu.edu (10.11.16.12) scanning or trying to access my server on many different ports, or trying to log in to the server?
Hawthorne.byu.edu is a system used by the OIT Security Team to check the security health of systems on the BYU network. Two main tools run on hawthorne to check servers. The first is NMAP, a port-scanning tool that we use on an ad-hoc basis to determine which hosts exist on a network and which services they are running. We use it to map BYU's networks: which subnets have active systems on them, and whether those systems are running Web servers, FTP servers, etc.
The other tool is Nessus, a rule-based scanner that looks for vulnerabilities on networked systems. New rules (plugins) are added to Nessus as new vulnerabilities are discovered. Nessus has two modes for scanning systems, safe and aggressive. Safe mode checks for possible vulnerabilities and reports them; this is the mode we use. Aggressive mode looks for vulnerabilities and then tries to exploit them, which can bring the scanned system down. Safe mode produces more false positives (reported vulnerabilities that are not actually exploitable), but it will not bring the scanned systems down.
If your system is in an OIT-managed zone or is hosted by OIT in the Data Center, we scan it every week, early Saturday night or Sunday morning. The results are parsed into a database and system owners are contacted about high-level vulnerabilities.
We scan the rest of the campus systems a few at a time until the entire campus has been covered, which usually takes one to two months. The results are parsed into the database as each batch is scanned, and e-mails are sent to the responsible parties for systems with high-level vulnerabilities.
If you have any questions or concerns about the scans that are taking place, please contact OIT Security.
What are the e-mails I receive detailing vulnerabilities and what should I do with them?
As a result of the periodic Nessus scans, a database is built that records which vulnerabilities were detected on which systems on campus. From that database an e-mail is generated for every high vulnerability. A separate e-mail is sent for each vulnerability, covering every system within a subnet that has that vulnerability. The e-mail contains the IP addresses of the affected systems, the Nessus ID number, an explanation of the vulnerability and the solution Nessus proposes for it.
This information is sent to help technical support people all over campus keep their systems at the latest patch levels. Sometimes the solution provided by Nessus does not make sense for the particular instance the e-mail was sent for. A good example is when Windows SMB shares are detected on a system. Nessus ties the solution to the Nessus ID, which is the same for true Windows shares and for SAMBA shares, so the solution reads as Windows-specific even when the host is running SAMBA. There are also many legitimate Windows/SAMBA shares on campus, and the Nessus recommendation is simply to remove them. In such cases the technical support person should look over the information presented and decide whether any action needs to be taken. For instance, if you have legitimate shares, you still need to check that there are no shares present that you did not create. We would like to receive feedback on the e-mails, either specifying what will be done to fix the vulnerability or stating that nothing needs to be done because it is a legitimate service.
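One way to answer an SMB/SAMBA finding is to compare the shares the host actually exports with the ones you knowingly created. The script below is an added example, not OIT code: it parses the output of Windows `net share` or Samba's `testparm -s`, treats the Windows administrative shares (`ADMIN$`, `C$`, `IPC$`) as expected, and reports anything else that is not on your approved list. The two sample outputs are constructed for the example, not captured from real systems.

```python
"""Audit exported SMB/Samba shares against the list the admin created.

Added example for illustration; not BYU OIT code. The sample `net share`
and `testparm -s` output below is constructed, not from a real host.
"""
import re

# Windows creates these administrative shares itself, so they are expected
# on every Windows host and are reported separately from user-created ones.
WINDOWS_DEFAULT_SHARES = frozenset({"ADMIN$", "C$", "IPC$"})
# smb.conf sections that configure Samba itself rather than export a share.
SAMBA_SPECIAL_SECTIONS = frozenset({"global", "homes", "printers"})

# Constructed `net share` output (Windows).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Research     D:\Research
The command completed successfully.
"""

# Constructed `testparm -s` output (Samba's effective configuration).
SAMPLE_TESTPARM = """
# Global parameters
[global]
\tworkgroup = BYU
\tsecurity = user

[homes]
\tbrowseable = No

[research]
\tpath = /srv/research
\tread only = No

[tmpshare]
\tpath = /tmp
\tguest ok = Yes
"""


def parse_net_share(text):
    """Return the share names listed by Windows `net share`.

    Share rows follow the dashed separator and look like
    `NAME   C:\\path   Remark`; the first whitespace-delimited token is the
    share name (share names containing spaces are not handled here).
    """
    names = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        names.add(line.split()[0])
    return names


def parse_testparm(text):
    """Return share names from `testparm -s`, i.e. every [section] that
    is not one of Samba's special configuration sections."""
    sections = {m.group(1) for m in re.finditer(r"^\[([^\]]+)\]", text, re.M)}
    return sections - SAMBA_SPECIAL_SECTIONS


def audit_shares(found, approved, defaults=frozenset()):
    """Classify each exported share as approved (you created it), default
    (created by the OS) or unexpected (investigate or remove)."""
    approved = set(approved)
    return {
        "approved": sorted(found & approved),
        "default": sorted((found & defaults) - approved),
        "unexpected": sorted(found - approved - defaults),
    }


if __name__ == "__main__":
    print(audit_shares(parse_net_share(SAMPLE_NET_SHARE), {"Research"},
                       WINDOWS_DEFAULT_SHARES))
    print(audit_shares(parse_testparm(SAMPLE_TESTPARM), {"research"}))
```

Run it against the real output of `net share` or `testparm -s` on the reported host; an empty `unexpected` list is the evidence you can send back with "legitimate service", while anything listed there is a share you did not create and should look into. Note that the Nessus check only tells you the service is present; it does not distinguish the approved shares from the surprises, which is exactly why this comparison is worth doing.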
Remember, we are providing these scans as a service to help keep BYU computer resources safe for students, faculty and staff to use.
What is the IPS and how is it used to protect BYU?
IPS stands for Intrusion Prevention System. All traffic to and from the Internet, and to and from Resnet, is passed through an IPS. The IPS is a rule-based system that looks for patterns or anomalies in the traffic that point to attacks or compromises. Several options are available when a rule is triggered.
The most common is for an alert to be created. Also we can be notified of the alert, if we deem it necessary. The alert can be viewed through the IPS console and if it is determined not to be a false positive, the offending address can be blocked. The block can be permanent or temporary. We usually use a 15 minute temporary block. If the host is still attacking after 15 minutes, the host can be blocked again. We spend time every day checking for attacks that can be blocked.
Some rules never have false positives and do not have to be blocked by one of us each time. These rules are set to automatically block the host for 15 minutes. If they are still actively attacking after 15 minutes, they will be blocked again, and so on. This means that once a system that has been attacking is fixed or stopped, they will no longer be blocked.
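The blocking policy described above (alert on every rule hit, automatic 15-minute blocks for rules that do not produce false positives, analyst-confirmed blocks for the rest, and re-blocking only while the attack continues) is easy to get subtly wrong, so here it is as a small simulation. This is an added example, not the IPS or any code BYU OIT runs; the rule names, the set of auto-block rules and the event timeline are assumptions constructed for the example.

```python
"""Simulation of a temporary-block IPS policy.

Added example, not BYU OIT's IPS. Rule names, the auto-block set and the
event timeline below are constructed for illustration.
"""
from datetime import datetime, timedelta

BLOCK_DURATION = timedelta(minutes=15)   # the page's usual temporary block


class IpsBlockList:
    def __init__(self, auto_block_rules):
        # Rules considered to have no false positives: block without an analyst.
        self.auto_block_rules = set(auto_block_rules)
        self.blocked_until = {}   # source host -> time the temporary block lapses
        self.pending = []         # alerts waiting for an analyst to look at
        self.log = []             # (time, host, action, reason) for the console

    def is_blocked(self, host, now):
        """True while a block is in force; a lapsed block is simply forgotten,
        so a host that stopped attacking is no longer blocked."""
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[host]
            return False
        return True

    def block(self, host, now, reason, permanent=False):
        self.blocked_until[host] = datetime.max if permanent else now + BLOCK_DURATION
        self.log.append((now, host, "block-permanent" if permanent else "block-15m", reason))

    def handle_event(self, now, host, rule):
        """Process one rule hit from `host` at time `now`.

        Returns "dropped" if the host is already blocked (its traffic never
        reaches us), "auto-blocked" for a no-false-positive rule, or "alert"
        when an analyst must confirm the block."""
        if self.is_blocked(host, now):
            return "dropped"
        self.log.append((now, host, "alert", rule))
        if rule in self.auto_block_rules:
            self.block(host, now, rule)
            return "auto-blocked"
        self.pending.append((now, host, rule))
        return "alert"

    def analyst_confirm(self, now, host, permanent=False):
        """Analyst reviewed the alert, decided it is not a false positive."""
        self.pending = [p for p in self.pending if p[1] != host]
        self.block(host, now, "analyst", permanent)

    def analyst_dismiss(self, host):
        """Analyst reviewed the alert and judged it a false positive."""
        self.pending = [p for p in self.pending if p[1] != host]


def run_scenario():
    """Constructed timeline: host A trips an auto-block rule repeatedly and
    then is fixed; host B trips a rule that needs an analyst."""
    ips = IpsBlockList(auto_block_rules={"worm-probe"})
    t0 = datetime(2024, 1, 15, 2, 0, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    results = {}
    results["a_first"] = ips.handle_event(m(0), "10.11.20.5", "worm-probe")     # auto-blocked
    results["a_during"] = ips.handle_event(m(5), "10.11.20.5", "worm-probe")    # dropped
    results["a_again"] = ips.handle_event(m(16), "10.11.20.5", "worm-probe")    # lapsed -> re-blocked
    results["a_fixed"] = ips.is_blocked("10.11.20.5", m(40))                   # False: stopped attacking
    results["b_alert"] = ips.handle_event(m(1), "192.0.2.44", "suspicious-login")  # alert, pending
    results["b_pending"] = len(ips.pending)
    ips.analyst_confirm(m(3), "192.0.2.44")
    results["b_blocked"] = ips.is_blocked("192.0.2.44", m(10))                  # True
    results["b_after"] = ips.is_blocked("192.0.2.44", m(20))                    # False, 15 min passed
    results["blocks_logged"] = sum(1 for e in ips.log if e[2] == "block-15m")
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The one design point worth noticing is in `is_blocked`: the block is forgotten the moment it lapses, and a new block is created only by a new rule hit. That is what makes the "fixed systems are automatically unblocked" property in the text fall out without any extra unblock step or scheduled job.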
What is an IDS?
IDS stands for Intrusion Detection System. The IDS is similar to the IPS, but does not have the ability to block attackers or hackers. We use an open source IDS called SNORT.
We use the IDS for our automatic virus and compromise ticket-generating system. SNORT watches traffic from BYU to the Internet. When traffic from a BYU or Resnet system matches a rule indicating a virus or trojan infection, a ticket is created. The ticket is then reviewed, and if it is determined not to be a false positive, an e-mail is sent to the responsible party.
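The ticket-generating step described above can be illustrated with a few lines of Python. This is an added example, not OIT's system: it parses Snort's fast-alert log format, keeps only alerts whose source is inside the monitored campus address space and whose destination is on the Internet (so inbound scans and internal-to-internal traffic do not raise tickets), and opens one ticket per infected host rather than one per alert. The `INTERNAL_NETS` value and the five alert lines are constructed assumptions for the example; a real deployment would list the actual campus and Resnet subnets.

```python
"""Turn Snort fast-alert lines into one ticket per infected campus host.

Added example, not BYU OIT's ticketing system. INTERNAL_NETS and the alert
lines below are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed monitored address space; a real deployment lists every campus
# and Resnet subnet that Snort sees on the "BYU" side of the link.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Snort "fast" alert format:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    "01/15-02:13:44.123456  [**] [1:2000345:3] ET WORM Generic outbound SMB scan [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.20.5:1034 -> 203.0.113.7:445",
    "01/15-02:13:45.001122  [**] [1:2000345:3] ET WORM Generic outbound SMB scan [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.20.5:1035 -> 198.51.100.9:445",
    # Inbound scan from the Internet: the IPS's job, not an infected campus host.
    "01/15-02:14:01.555555  [**] [1:1000001:1] SCAN inbound SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:51000 -> 10.11.20.5:22",
    # Campus host talking to the campus scanner: internal, ignored here.
    "01/15-02:14:30.000000  [**] [1:1000002:1] ICMP sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.11.30.8 -> 10.11.16.12",
    "01/15-02:15:10.777777  [**] [1:2001000:2] ET TROJAN IRC bot join [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.30.8:2201 -> 203.0.113.20:6667",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a
    fast-format alert (Snort also writes other lines to the same file)."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def alerts_to_tickets(lines):
    """Group BYU -> Internet alerts into one ticket per source host."""
    tickets = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        # Only traffic leaving the campus from a campus host suggests that
        # host is infected; inbound and internal alerts are skipped.
        if not is_internal(a["src"]) or is_internal(a["dst"]):
            continue
        t = tickets.setdefault(a["src"], {
            "host": a["src"], "first_seen": a["ts"], "last_seen": a["ts"],
            "alerts": 0, "signatures": {}, "destinations": set(),
        })
        t["last_seen"] = a["ts"]
        t["alerts"] += 1
        t["signatures"][a["sid"]] = a["msg"]   # what symptom was seen
        t["destinations"].add(a["dst"])        # where the host was talking to
    return tickets


if __name__ == "__main__":
    for host, t in alerts_to_tickets(SAMPLE_ALERTS).items():
        print(host, t["alerts"], sorted(t["signatures"].values()), sorted(t["destinations"]))
```

A ticket carries the signature names and destinations rather than a verdict, which matches the review step in the text: an analyst still decides whether the symptom is a false positive before the responsible party is e-mailed.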
What do I do with the e-mail I receive as a result of SNORT?
The e-mails generated by this system are more generic than the ones generated for Nessus, because the SNORT rules themselves are more generic: they look for the symptoms of a virus rather than for a specific virus. Many viruses use the same attack methods and show the same symptoms on the network. When you receive one of these e-mails, you should take the following steps to determine whether, and which, virus is on your system and remove it:
What Firewall Ports does BYU block? Is there a list?
BYU blocks specific ports to help protect the University and its users from online threats. Occasionally a user may need a specific port to be open for an application they are using. Exceptions to blocked ports can be requested for legitimate University purposes.
If you would like to know which ports are blocked or which exceptions currently exist, or need to request an exception, contact the OIT Service Desk. Provide your contact information and the specifics of your request so they can engage an appropriate OIT engineer to work with you.