Knock, knock who is there?


In ServiceNow it is possible out of the box to restrict access to the instance based on IP address. When access is denied, the page shown below is displayed.

Under “System Security” a module called “IP Address Access Control” is available to manage the IP addresses which are allowed to access the instance and the IP addresses which should be denied access.

These entries are distinguished by their type, either Allowed or Denied.

For more information a reference is available on the docs of ServiceNow: https://docs.servicenow.com/bundle/helsinki-servicenow-platform/page/administer/login/task/t_AccessControl.html

Denied IP addresses

Out of the box in ServiceNow it is possible to find the denied IP addresses in the node logs.

  1. Navigate to System Logs > Utilities > Node Log File Browser.
  2. Browse the logs by criteria, such as time period and message.
  3. You can also download log files when you know which log you are looking for, by navigating to System Logs > Utilities > Node Log File Download.

However, this is not a really easy way to find the IP addresses which are denied. Would it not be more user friendly to see who tried to knock on the door? This article describes how this can be accomplished, so that systems or IP addresses that were accidentally denied access to ServiceNow can be identified.

To make this easier and traceable, a table needs to be created. The specification of this table is below.

Table label               Table name            Field label   Field name     Field type
Failed IP Address Access  u_failed_ip_address   IP address    u_ip_address   String (80)

Now the table needs to be populated with the IP addresses which were rejected. This is done using the following scheduled job:
Name: Log failed IP access request
Active: True
Run: Periodically
Repeat interval: 30 min
Script:

logFailedIPAccessAttempts();

function logFailedIPAccessAttempts() {
    var logFile = new GlideLogFileReader();
    var dtstart = new GlideDateTime();

    // Look back one hour. The job runs every 30 minutes, so the windows overlap;
    // the duplicate check below keeps each address in the table only once.
    dtstart.addSeconds(-60 * 60);
    logFile.setStartTime(dtstart.getDisplayValue());
    logFile.setEndTime(new GlideDateTime().getDisplayValue());
    logFile.setLevel(1);
    logFile.setMessage('Security restricted: Access restricted');
    logFile.setThread('http');

    if (logFile.open()) {
        while (logFile.next()) {
            var message = logFile.getValueHtmlEscaped('message') + '';
            if (message.indexOf('Security restricted: Access restricted') === -1) {
                continue;
            }
            // Take the first dotted-quad in the message; match() returns null when there is none.
            var found = message.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/);
            if (!found) {
                continue;
            }
            var ipaddress = found[0];
            // Table name must match the table created above (u_failed_ip_address).
            var grfailedip = new GlideRecord('u_failed_ip_address');
            if (!grfailedip.get('u_ip_address', ipaddress)) {
                grfailedip.initialize();
                grfailedip.setValue('u_ip_address', ipaddress);
                grfailedip.insert();
            }
        }
    }
}
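As an added example (not the author's script), the extraction step of the job above is pulled out into plain JavaScript so it can be tested outside the instance, and extended to count attempts and record first/last seen per denied address. The log entries and the message wording after the "Security restricted: Access restricted" marker are constructed samples; the real node log text may differ.

```javascript
// Added example, not code from the original article: the extraction step of the
// scheduled job, separated out so it can be tested outside the instance, and
// extended to count attempts and keep first/last seen per denied address.

var DENIED_MARKER = 'Security restricted: Access restricted';
// Strict dotted-quad (each octet 0-255), word-bounded so "10.0.0.1234" is rejected.
var IPV4_RE = /\b((?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})\b/;

// Returns the first client IP in a denied-access log message, or null when the
// message is not a denial or carries no usable address.
function extractDeniedIp(message) {
  if (String(message).indexOf(DENIED_MARKER) === -1) {
    return null;
  }
  var m = IPV4_RE.exec(message);
  return m ? m[1] : null;
}

// entries: array of {created: 'YYYY-MM-DD HH:MM:SS', message: string}.
// Returns {ip: {ip, attempts, firstSeen, lastSeen}}; timestamps in one fixed
// format compare correctly as strings.
function aggregateDeniedIps(entries) {
  var byIp = {};
  entries.forEach(function (e) {
    var ip = extractDeniedIp(e.message);
    if (!ip) {
      return; // not a denial, or no parsable address: skip
    }
    var rec = byIp[ip];
    if (!rec) {
      rec = byIp[ip] = { ip: ip, attempts: 0, firstSeen: e.created, lastSeen: e.created };
    }
    rec.attempts += 1;
    if (e.created < rec.firstSeen) { rec.firstSeen = e.created; }
    if (e.created > rec.lastSeen) { rec.lastSeen = e.created; }
  });
  return byIp;
}

// Constructed sample log entries (RFC 5737 documentation addresses).
var SAMPLE_LOG = [
  { created: '2016-11-02 08:15:02', message: 'Security restricted: Access restricted for 203.0.113.45 (/login.do)' },
  { created: '2016-11-02 08:15:09', message: 'Security restricted: Access restricted for 203.0.113.45 (/api/now/table/incident)' },
  { created: '2016-11-02 08:20:41', message: 'Security restricted: Access restricted for 198.51.100.7 (/)' },
  { created: '2016-11-02 08:21:00', message: 'Security restricted: Access restricted (no client address)' },
  { created: '2016-11-02 08:22:13', message: 'Transaction from 192.0.2.10 completed in 310 ms' }
];

var DENIED = aggregateDeniedIps(SAMPLE_LOG);
```

The same aggregate could be stored in the table instead of a single IP address field, which makes repeated knocks from one address visible at a glance.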

For each IP address that failed, a new entry is created. Create a new module called Failed IP Address Access so the table can be accessed under System Security.

The module opens a list of the IP addresses which failed to access ServiceNow; based on the Created timestamp it is traceable when the failed attempt was made.

Done, now there is a better way of getting insight into the IP addresses which failed to access your ServiceNow instance.
