[HPADM] [SUMMARY] HP-UX SNMP

From: Stephanie Chung (stepchung@yahoo.com)
Date: Wed Apr 20 2005 - 13:48:04 EDT


Thanks to:
Bill Hassell
mike.keighley@adarelexicon.com
Wolf-Dietrich Schmook
Lodahl, Martin A

ORIGINAL QUESTION
=============================================================
> I was notified by the network engineer that my server is running
> SNMP and trying to probe his router; he sees the following log:
>
> Dynamic Log Buffer (100 lines):
> Apr 19 07:31:52:I:SNMP Auth. failure, intruder IP: 201.155.35.99
> Apr 19 07:31:51:I:SNMP Auth. failure, intruder IP: 201.155.35.99
> …
> 201.155.35.99 is my server’s IP (not real IP). I checked my server
> and see /usr/sbin/snmpdm daemon is running. The network engineer is
> asking me to exclude his router (201.155.35.2 – not real) from my
> server’s SNMP probes. Have no idea how to do this. Any help on this
> is appreciated. Thanks.

SOLUTION.
=====================================================

From Master Bill:
--- Bill Hassell <bill@billhassell.com> wrote:
>
> Unless you are using SNMP, turn it off!!!
> By using SNMP, I mean that you have installed
> a product such as OpenView Node Manager (costs
> $15,000 or something similar), or Nagios (free
> but takes days to configure) or some other
> network management system where you are
> probing the network to collect information
> about all the machines.
>
> To turn off all SNMP services (they are all on
> by default--not a good idea), run the start/stop
> script for *every* file in /sbin/init.d that
> starts with SNMP:
>
> /sbin/init.d/SnmpFddi4 stop
> /sbin/init.d/SnmpMaster stop
> /sbin/init.d/SnmpTrpDst stop
> /sbin/init.d/SnmpHpunix stop
> /sbin/init.d/SnmpMib2 stop
>
> edit *all* the files in /etc/rc.config.d/
> that start with Snmp and set =1 to =0
>
> SnmpHpunix SnmpMaster SnmpMib2 SnmpTrpDst
>
> SNMP is quite invasive and should not be enabled
> unless specific SNMP probes are to be allowed.
> Similarly, your machine should not be probing
> other machines without explicit authority from
> the network gurus. SNMP has nothing to do with
> applications but after you disable everything,
> if an app has a problem, you need a long talk
> with the manufacturer about SNMP vulnerabilities
> (along with the network folks).
>
> Bill

From Lodahl, Martin A:
Dead Gateway Detection DocId: KBAN00000750 Updated: 20010723

DOCUMENT
 ip_ire_gw_probe

Turns the Dead Gateway Detection on and off.

IP periodically tests if the gateways are available. It not only
probes the active one, but also the "dead" gateways in case they came
back to life in the meantime. The default for this value is "1", so we
probe the gateways.

You could see which value is set by executing:

ndd -get /dev/ip ip_ire_gw_probe

This results in "1" probing or "0" not probing.

To see all gateways you could use ip_ire_status

ndd -get /dev/ip ip_ire_status | grep -e IRE_GATEWAY -e flag

This results in a list of all gateways, the flags will indicate a dead
gateway.
Another option ip_ire_gw_probe_interval is available which changes the
frequency in which such probes will be performed.

Why would this be used?

The gateway probes are ICMP packets which await a proper reply.

In cases where e.g. a firewall is used it could be wanted to turn off
ICMP, so nobody could ping the firewall but still it works for the
desired protocols.
So turning it off would not compromise the work, because we would never
send an ICMP packet to test the machine. On the other hand we would
only know if a gateway is not operational if we try to use it. This
results in long timeouts during the detection.

Usable commands:

Check the current value:

ndd -get /dev/ip ip_ire_gw_probe

Disable Dead Gateway Detection:

ndd -set /dev/ip ip_ire_gw_probe 0

Enable Dead Gateway Detection:

ndd -set /dev/ip ip_ire_gw_probe 1

nddconf entry example:

TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0


--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)
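
The two steps in Bill Hassell's reply above (stop every /sbin/init.d script whose name starts with Snmp, then set =1 to =0 in every /etc/rc.config.d file whose name starts with Snmp), written as POSIX shell functions. This is an added example, not part of the original thread; the function names, the optional root-prefix argument and the backup directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Each function takes an optional
# root prefix (hypothetical parameter) so it can be rehearsed on a copy.

# Step 1: run "<script> stop" for every /sbin/init.d script named Snmp*.
stop_snmp() {
    root=${1%/}
    for script in "$root"/sbin/init.d/Snmp*; do
        [ -x "$script" ] || continue
        "$script" stop || echo "warning: $script stop failed" >&2
    done
}

# Step 2: set NAME=1 to NAME=0 in every /etc/rc.config.d file named Snmp*.
# Originals are copied to backup_dir (assumed location, outside
# rc.config.d). Comment lines and values such as =10 are not changed.
disable_snmp() {
    root=${1%/}
    backup_dir=${2:-$root/var/tmp/snmp-rc-backup}
    mkdir -p "$backup_dir" || return 1
    for conf in "$root"/etc/rc.config.d/Snmp*; do
        [ -f "$conf" ] || continue
        saved=$backup_dir/${conf##*/}
        cp -p "$conf" "$saved" || return 1
        sed -e 's/^\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*\)=1$/\1=0/' \
            -e 's/^\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*\)=1\([[:space:]]\)/\1=0\2/' \
            "$saved" > "$conf" || return 1
    done
}

# Check: print file:line:text for any Snmp* setting still equal to 1.
snmp_still_enabled() {
    root=${1%/}
    for conf in "$root"/etc/rc.config.d/Snmp*; do
        [ -f "$conf" ] || continue
        grep -En '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=1([[:space:]]|$)' \
            "$conf" /dev/null || :
    done
}

# On the host, as root:
#   stop_snmp && disable_snmp && snmp_still_enabled
```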

