Friday, February 19, 2021

SAN Switch - Disable snmpv3 trap

The remote SNMP server replies to the following community string: public

Attacker may gain more knowledge about this device.
Disable SNMP service if you are not planning to use it.


Solution
I logged in to the Brocade switch and disabled SNMP port 161 using ipfilter.

The solution is to clone the default policy, make the changes in the newly created policy, and then save and activate it.
You should not modify the default policy - that's what they say.
You can use the same steps to disable the telnetd service as well.

1. Clone the default IPv4 and IPv6 policies
> ipfilter --clone Block_IPv4_Port_161 -from default_ipv4
> ipfilter --clone Block_IPv6_Port_161 -from default_ipv6  

2. List all the policies and rules
> ipfilter --show  

3. SNMP port 161 is on line 5 in my device. I am going to delete it
> ipfilter --delrule Block_IPv4_Port_161 -rule 5
> ipfilter --delrule Block_IPv6_Port_161 -rule 5
 
4. Now, add a new rule to the Block_IPv4_Port_161 and Block_IPv6_Port_161 policies to deny all traffic on UDP port 161
> ipfilter --addrule Block_IPv4_Port_161 -rule 5 -sip any -dp 161 -proto udp -act deny
> ipfilter --addrule Block_IPv6_Port_161 -rule 5 -sip any -dp 161 -proto udp -act deny

5. Now, save the rule/policy
> ipfilter --save Block_IPv4_Port_161
> ipfilter --save Block_IPv6_Port_161  

6. Activate the new policy
> ipfilter --activate Block_IPv4_Port_161
> ipfilter --activate Block_IPv6_Port_161

7. Verify the change
> ipfilter --show

Now you can see that traffic from outside to port 161 is denied.

A big problem arises: Nagios stops monitoring and starts throwing errors that the system is down.

What should I have done? How do I undo this mess? Activate the default policy:
admin> ipfilter --activate default_ipv4

But I didn't do that. What I did was delete the rule line using --delrule and add the rule back with permit in place of deny, then save and activate.
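Step 3 depends on a rule number that differs per device, and the deny rule above cut off Nagios. The Python helper below is an added example, not part of the original post: it parses pasted `ipfilter --show` output, reports which rule covers UDP 161, and evaluates a source address against a policy in rule order before you activate it. The sample output layout, the first-match and no-match-is-deny evaluation, and the 192.0.2.10 monitoring address are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipfilter --show` output. The column layout is an
# assumption; adjust the two patterns to what your firmware prints.
SAMPLE = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP     Protocol   Dest Port   Action
1       any           tcp        22          permit
2       any           udp        161         permit
3       any           tcp        600 - 1023  permit
Name: Block_IPv4_Port_161, Type: ipv4, State: active
Rule    Source IP     Protocol   Dest Port   Action
1       any           tcp        22          permit
2       any           udp        161         deny
3       any           tcp        600 - 1023  permit
"""
HEADER = re.compile(r"Name:\s*(\S+),\s*Type:\s*\S+,\s*State:\s*(\S+)")
RULE = re.compile(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\s*$")

def parse_policies(text):
    """Map policy name -> {"state", "rules": [(num, src, proto, lo, hi, action)]}."""
    policies, current = {}, None
    for line in text.splitlines():
        head, rule = HEADER.search(line), RULE.match(line)
        if head:
            current = policies.setdefault(head.group(1), {"state": head.group(2), "rules": []})
        elif rule and current is not None:
            num, src, proto, lo, hi, action = rule.groups()
            current["rules"].append((int(num), src, proto, int(lo), int(hi or lo), action))
    return policies

def find_rules(policy, proto, port):
    """Rule numbers covering proto/port: the number to pass to --delrule."""
    return [n for n, _, p, lo, hi, _ in policy["rules"] if p == proto and lo <= port <= hi]

def verdict(policy, src_ip, proto, port):
    """First matching rule wins; no match is treated as deny (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    for num, src, p, lo, hi, action in sorted(policy["rules"]):
        src_ok = src == "any" or ip in ipaddress.ip_network(src, strict=False)
        if src_ok and p == proto and lo <= port <= hi:
            return action, num
    return "deny", None

if __name__ == "__main__":
    nagios = "192.0.2.10"  # placeholder address for the monitoring host
    for name, pol in parse_policies(SAMPLE).items():
        print(name, pol["state"], find_rules(pol, "udp", 161), verdict(pol, nagios, "udp", 161))
```

A verdict of deny for the monitoring host's address on udp/161 means activating that policy will stop SNMP polling from that host.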

After that, I used the snmpconfig utility to configure SNMPv3.

Log in to your Brocade switch and:
1. Run snmpconfig --show to see where the trap is configured.
> snmpconfig --show
Look for Trap Entry: 192.168.10.120
Trap port: 161
Trap user:
Trap recepient Severity Level: 4
.................

2. Now set the configuration to disable
admin> snmpconfig --set snmpv3
Keep pressing Enter without entering anything until it asks you for:
SNMPv3 Trap/inform recipient configuration:
Trap Recipient IP Address: [ 192.168.10.120] 0.0.0.0

Use 0.0.0.0 for all recipient IPs.

Once done, verify again if you see the trap recipient
admin> snmpconfig --show snmpv3

You will not see an IP here anymore.

You are good.

