Tenable/List,
Starting last month, Nessus began crashing our Citrix Metaframe farm
(approximately 60 servers). The same scan ran every month without
incident for over a year prior to November. It may be the case that the
scan did not bring down all the servers, but brought down certain
services that are critical to Metaframe functionality. Here's a quote
from the Citrix administrator:
It seems that somehow the scan causes the IMA (Independent Management
Architecture) service to stop on almost all the MF servers. There were
only 5 that did not have the IMA service stopped. Of course, when that
happens, they are dead to the ZDC (Zone Data Collector) which reports
them as Server Down. The IMA service is critical to the communication
between the MF servers and the ZDC.
Pertinent facts:
* Scan authentication: none
* Nessus version : 3.0.4
* Plugin feed version : 200612082115
* Type of plugin feed : Direct
* Port scanner(s) : nessus_tcp_scanner
* Port range : default
* Thorough tests : yes
* Experimental tests : no
* Safe checks : yes
* Max hosts : 10
* Max checks : 4
* Scan Start Date : 2006/12/9 12:32
* Scan duration : 155 sec
Nothing dangerous appears to be turned on, except possibly "thorough
tests." I use Edgeos' python-based update-nessusrc.py script to keep
the config file up-to-date. The parameters I pass to the script (which
show the plug-in families I use) are in the attached file, update.txt.
The same servers were scanned last week with ONLY local security checks
/ Microsoft bulletins turned on (checks for missing patches only).
Those scans use the same settings as above, only the port range is
1-65535, and Nessus authenticates to the servers with an account in the
Domain Admins group. That scan did not impact the servers at all.
John Scherff
Sr. IT Security Analyst
24 Hour Fitness
jscherff@24hourfit.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
