
I have installed SNMP on my server machine. I just followed an online tutorial for doing this. I had no idea what it was. A few days ago, the company we bought our server from sent an email:

Abuse Message [AbuseID:2B760B:25]: AbuseBSI: [CERT-Bund#2015020428001579] Offene SNMP-Dienste in AS24940 - 2016-09-17

Shadowserver provides CERT-Bund with the test results for IP addresses hosted in Germany for notifying the owners of the affected systems. Further information on the tests run by Shadowserver is available at [2].

Please find below a list of affected systems hosted on your network. The timestamp (timezone UTC) indicates when the system was tested and responded to SNMP requests from the Internet.

We would like to ask you to check this issue and take appropriate steps to secure the SNMP services on the affected systems or notify your customers accordingly.

My question is: what are those steps to secure SNMP? On a blog, someone recommended changing the default community string. So I googled this, edited the file with nano /etc/snmp/snmpd.conf and added a community string as public hostIP (the IP on which snmp is installed).

But I am not sure about what I have done so far. If anyone has had the same experience, please guide me. Any help will be appreciated.

  • SNMP should not be open from the Internet, or your machine can be used for DDoS by amplification (one packet sent to your machine can produce a very high volume of data). If you need to connect from the net, use an SSH tunnel and then connect to SNMP through the tunnel. – Dom Sep 28 '16 at 06:19
  • @Dom Thanks. I totally understand what you are saying but what about that Abuse? what are solutions for this? – Junaid Farooq Sep 28 '16 at 06:42
  • Dom gave you a good solution. SNMP should not be exposed to the general internet. If there are external devices that need to be able to access SNMP over the internet and you do not have any secure channel available, at least modify the firewall so that only traffic from a set of trusted IPs can use SNMP services. SNMPv1 and v2 also offer no encryption, so data security is an issue. – Mark Riddell Sep 28 '16 at 07:06
  • You need to firewall your computer from the Internet. It is mandatory. Then open only the needed ports (and in this case not SNMP, just SSH). Your CERT will not detect your SNMP, as it is filtered from the net. – Dom Sep 28 '16 at 08:44

1 Answer

This unexpected warning might appear to be an unsolicited email but is legitimate and originates from Germany's "Bundesamt für Sicherheit in der Informationstechnik", the Federal Office of Information Security's CERT-Bund.

The Computer Emergency Response Team for federal agencies has a program of actively alerting German organisations and businesses to potential online threats. If your systems are hosted by a German provider (such as Hetzner) you too might receive such warnings.

In this case, a portscan detected that the SNMP service was active on one of your systems. As with a number of protocols, SNMP can easily be abused for reflection and amplification denial of service attacks. It is also a protocol/service that you don't need to expose to the internet at large.

You have a number of different options:

  • You don't actually use SNMP and can simply disable the service (systemctl stop snmpd && systemctl disable snmpd) or uninstall it.

  • You use snmp for monitoring but the monitoring service runs on the same host? Edit /etc/snmp/snmpd.conf and configure snmpd to only accept requests sent to the local loopback interface rather than your public IP by setting agentAddress udp:127.0.0.1:161.

  • You use snmp for monitoring but the monitoring service runs on a different host? Set up a firewall that allows that particular host to connect to port UDP 161 and disallow all others.

HBruijn
  • Yes I am using SNMP for monitoring and service runs on the same host. So I added the above values. Is that fine now? – Junaid Farooq Sep 28 '16 at 10:59
  • After restarting the service you should be fine. The service won't be accessible from the internet anymore. You should confirm by running a remote portscan. – HBruijn Sep 28 '16 at 11:16
  • Okay, after adding agentAddress SNMP didn't start and started giving an error, so I did this http://serverfault.com/questions/620420/snmpd-bind-error-in-ubuntu-14-04-server and now my snmpd.conf is like `agentAddress udp:127.0.0.1:161` and `rocommunity public 138.201.188.199` – Junaid Farooq Sep 28 '16 at 11:24
  • Even though I have stopped the service and added the address as well, the same email has come again. – Junaid Farooq Sep 29 '16 at 08:51
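The answer's options (bind to loopback, or restrict the community and firewall port 161 to one monitoring host) put into a form you can run, as an added example that is not part of the original answer or of the net-snmp project: it renders a locked-down snmpd.conf, audits an existing one for the weak settings discussed on this page, and prints nftables rules. The monitoring host 192.0.2.10, the community string s3cretMonitor and the rule set are placeholders; the audit only understands the rocommunity/rwcommunity and agentAddress directives used on this page, not com2sec/view-style configurations.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes net-snmp's
# snmpd.conf syntax: "agentAddress <transport>[,<transport>...]" and
# "rocommunity <string> [<source>]". 192.0.2.10 and s3cretMonitor are
# placeholders.

# Print a hardened snmpd.conf. MODE "local": monitor runs on this host,
# so bind to loopback and accept the community only from 127.0.0.1.
# MODE "remote": monitor is host $2; bind to all addresses but accept
# the community only from that source (and firewall port 161 as well).
render_snmpd_conf() {
  mode=$1; monitor=${2:-}; community=${3:-s3cretMonitor}
  case "$mode" in
    local)
      printf 'agentAddress udp:127.0.0.1:161\n'
      printf 'rocommunity %s 127.0.0.1\n' "$community" ;;
    remote)
      [ -n "$monitor" ] || { echo "remote mode needs a monitor host" >&2; return 1; }
      printf 'agentAddress udp:161\n'
      printf 'rocommunity %s %s\n' "$community" "$monitor" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Audit snmpd.conf at $1. Prints one finding per line; returns 0 only
# when nothing was found. Flags: well-known community strings, a
# community with no source restriction (or "default"), any write
# community, and agentAddress transports not limited to loopback
# (a missing agentAddress means the default udp:161 on every interface).
audit_snmpd_conf() {
  conf=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true)
  findings=''; bound=0
  add() { findings="${findings}$1
"; }
  while read -r key a b rest; do
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$lkey" in
      rocommunity|rwcommunity|rocommunity6|rwcommunity6)
        case "$a" in public|private) add "well-known community '$a' in $key" ;; esac
        case "$b" in ''|default) add "$key '$a' accepts requests from any source" ;; esac
        case "$lkey" in rw*) add "write access via $key '$a'" ;; esac ;;
      agentaddress)
        bound=1
        # value is a comma-separated transport list, e.g. udp:161,udp6:[::1]:161
        for t in $(printf '%s' "$a" | tr ',' ' '); do
          case "$t" in
            *127.0.0.1*|*'[::1]'*|*localhost*) ;;
            *) add "agentAddress '$t' listens on a non-loopback address" ;;
          esac
        done ;;
    esac
  done <<EOF
$conf
EOF
  [ "$bound" -eq 1 ] || add "no agentAddress line: default udp:161 listens on every interface"
  printf '%s' "$findings"
  [ -z "$findings" ]
}

# nftables commands that drop everything inbound except loopback, replies,
# SSH, and SNMP from the monitoring host $1. Printed, not executed:
# review them first; a drop policy without the SSH rule locks you out.
firewall_rules() {
  cat <<EOF
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
nft add rule inet filter input iif lo accept
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input tcp dport 22 accept
nft add rule inet filter input ip saddr $1 udp dport 161 accept
EOF
}

# Typical use:
#   audit_snmpd_conf /etc/snmp/snmpd.conf
#   render_snmpd_conf local > /etc/snmp/snmpd.conf && systemctl restart snmpd
```

The third argument to rocommunity is the source address the community is accepted from: with the agent bound to 127.0.0.1, requests from the local monitor arrive from 127.0.0.1, so that is the source to list, not the host's public IP. After restarting snmpd, confirm locally with `ss -ulnp | grep 161` that only 127.0.0.1:161 is bound, and from outside with `snmpget -v2c -c <community> <public-ip> sysDescr.0`, which should time out. For a remote monitor, SNMPv3 (createUser/rouser in snmpd.conf) with authentication and privacy is preferable to a v2c community, since v1/v2c send everything in clear text.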