block SNMP attempts and filling up Logbuffer

Created: Jan 21, 2020 11:34:45   Latest reply: Jan 22, 2020 07:01:00
  Rewarded Hi-coins: 0 (problem resolved)

Good day

I have SNMP on my router with an ACL that allows only certain networks to poll the router; however, because the router has public interfaces associated with it, I get SNMP attempts filling up my logbuffer.

Is there a way to keep the bad attempts out of the logfile?

Or is my ACL written badly, perhaps?

Here is a view of the config:


acl number 2000
 rule 5 permit source 41.79.212.0 0.0.3.255
 rule 10 permit source 81.26.72.0 0.0.7.255
 rule 15 permit source 10.0.0.0 0.255.255.255
 rule 20 permit vpn-instance FNET-ISP source 81.26.72.0 0.0.7.255
 rule 25 permit vpn-instance FNET-JHB source 41.79.212.0 0.0.3.255
 rule 35 permit vpn-instance FNET-JHB source 10.0.0.0 0.255.255.255
 rule 100 deny

snmp-agent
snmp-agent acl 2000
snmp-agent local-engineid 800007DB0308C0216E1CFD
snmp-agent community read cipher............acl 2000
snmp-agent sys-info contact ....


Logbuffer:

Jan 21 2020 13:27:23+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[0]:Failed to login through SNMP. (Ip=164.52.36.210, Times=2, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:26:06+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[1]:Failed to login through SNMP. (Ip=92.118.160.17, Times=4, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:23:24+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[2]:Failed to login through SNMP. (Ip=196.52.43.55, Times=5, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:22:03+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[3]:Failed to login through SNMP. (Ip=122.228.19.80, Times=1, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:15:37+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[4]:Failed to login through SNMP. (Ip=204.42.253.130, Times=3, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:15:17+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[5]:Failed to login through SNMP. (Ip=204.42.253.130, Times=2, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:15:17+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[6]:Failed to login through SNMP. (Ip=204.42.253.130, Times=1, Reason=the ACL filter function, VPN=FNET-JHB)

Thank you very much.


Featured Answers

Popeye_Wang (Admin) Created Jan 21, 2020 12:34:32

Hello friend,

If you can determine that the login attempts are initiated from specific source IP addresses, you can configure an ACL policy on the interfaces to filter out these IP addresses.

If you are not sure and do not want to receive such logs, you can run the following command to stop the logbuffer from recording such logs:

info-center filter-id bymodule-alias SNMP SNMP_FAIL

Any further questions, let us know!


kznfriks Created Jan 21, 2020 12:38:59

Thank you so much, that sounds like a good plan.
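As an added example that is not part of this thread (my own script, not Huawei's code), the following Python takes a copy of the ACL 2000 from the opening post and a few of its SNMP_FAIL lines, answers the "is my ACL written badly?" question by evaluating each logged source against the ACL with first-match wildcard semantics, flags rules that an earlier rule already covers, and then follows the featured answer by counting ACL denies per source and rendering a candidate interface ACL that drops SNMP from those sources. Two things are assumptions rather than facts from the page: the VRP behaviour that a rule without vpn-instance matches both public-network and VPN traffic, and the advanced-ACL / traffic-filter syntax in blocklist_acl; both are from memory and should be checked against the command reference for your platform. The sample log lines are constructed from the post. One caveat for the filter-id approach: it only hides the SNMP_FAIL record, the probing itself continues, whereas dropping the traffic on the interface (or restricting it with a source-interface) keeps the logbuffer useful for real events.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed copy of ACL 2000 from the post. VRP evaluates rules in configured
# order under the default match-order config; first match wins.
ACL_2000 = """\
acl number 2000
 rule 5 permit source 41.79.212.0 0.0.3.255
 rule 10 permit source 81.26.72.0 0.0.7.255
 rule 15 permit source 10.0.0.0 0.255.255.255
 rule 20 permit vpn-instance FNET-ISP source 81.26.72.0 0.0.7.255
 rule 25 permit vpn-instance FNET-JHB source 41.79.212.0 0.0.3.255
 rule 35 permit vpn-instance FNET-JHB source 10.0.0.0 0.255.255.255
 rule 100 deny
"""

# Constructed sample in the SNMP_FAIL format shown in the post (four of the lines).
LOGBUFFER = """\
Jan 21 2020 13:27:23+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[0]:Failed to login through SNMP. (Ip=164.52.36.210, Times=2, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:26:06+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[1]:Failed to login through SNMP. (Ip=92.118.160.17, Times=4, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:15:37+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[4]:Failed to login through SNMP. (Ip=204.42.253.130, Times=3, Reason=the ACL filter function, VPN=FNET-JHB)
Jan 21 2020 13:15:17+02:00 FNET-ISND-PE01 %SNMP/4/SNMP_FAIL(s)[5]:Failed to login through SNMP. (Ip=204.42.253.130, Times=2, Reason=the ACL filter function, VPN=FNET-JHB)
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)"
    r"(?:\s+vpn-instance\s+(\S+))?"
    r"(?:\s+source\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+))?")
LOG_RE = re.compile(
    r"SNMP_FAIL.*?\(Ip=([\d.]+), Times=(\d+), Reason=([^,]+), VPN=(\S+?)\)")


def parse_acl(text):
    """Return the basic-ACL rules as dicts, in configured order."""
    rules = []
    for m in RULE_RE.finditer(text):
        rid, action, vpn, src, wc = m.groups()
        rules.append({"id": int(rid), "action": action, "vpn": vpn, "src": src, "wc": wc})
    return rules


def wildcard_match(ip, network, wildcard):
    """Huawei wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(ip)) & care == int(IPv4Address(network)) & care


def evaluate(rules, ip, vpn=None):
    """First-match evaluation; returns (action, rule_id) or ("no-match", None).
    Assumption (verify on your platform): a rule without vpn-instance matches
    public-network and VPN traffic alike; a rule with vpn-instance matches that
    instance only. vpn=None means the packet arrived on the public network."""
    for r in rules:
        if r["vpn"] is not None and r["vpn"] != vpn:
            continue
        if r["src"] is not None and not wildcard_match(ip, r["src"], r["wc"]):
            continue
        return r["action"], r["id"]
    return "no-match", None


def shadowed_rules(rules):
    """IDs of rules whose own network address is already decided by an earlier
    rule (a quick heuristic, not a full range analysis)."""
    return [r["id"] for i, r in enumerate(rules)
            if r["src"] is not None and evaluate(rules[:i], r["src"], r["vpn"])[1] is not None]


def failed_sources(logtext):
    """Count SNMP_FAIL entries per source IP, keeping only ACL-filter denies."""
    counts = Counter()
    for ip, _times, reason, _vpn in LOG_RE.findall(logtext):
        if reason == "the ACL filter function":
            counts[ip] += 1
    return counts


def blocklist_acl(sources, acl_number=3000):
    """Render an advanced ACL dropping SNMP (UDP/161) from the logged sources.
    Assumption: VRP advanced-ACL syntax from memory; apply on the public-facing
    interface with 'traffic-filter inbound acl <n>' after checking the reference."""
    lines = [f"acl number {acl_number}"]
    for n, ip in enumerate(sorted(sources, key=IPv4Address), start=1):
        lines.append(f" rule {n * 5} deny udp source {ip} 0 destination-port eq 161")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_acl(ACL_2000)
    print("rules already covered by an earlier rule:", shadowed_rules(rules))
    for ip, vpn in [("164.52.36.210", "FNET-JHB"), ("41.79.212.5", "FNET-JHB"), ("10.1.2.3", None)]:
        print(f"{ip} via {vpn or 'public'} ->", evaluate(rules, ip, vpn))
    denied = failed_sources(LOGBUFFER)
    print("ACL denies per source:", dict(denied))
    print(blocklist_acl(denied))
```

Running it shows that every logged source falls through to rule 100, so the ACL is doing exactly what it was written to do; the 41.79.212.0/22, 81.26.72.0/21 and 10/8 sources are permitted. It also reports rules 20, 25 and 35 as covered by rules 5, 10 and 15 under the matching assumption stated above, which is harmless but worth knowing before you extend the list.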
All Answers
umaryaqub (MVE) Created Jan 21, 2020 12:04:56

Hi,

One way is to view only the required details using the different forms of the logbuffer display command:

1. display logbuffer [ size value | module module-name | level severity | security ] *
2. display logbuffer summary [ level severity ]
3. display logbuffer log-offset offset-value size value

kznfriks Created Jan 21, 2020 12:36:44

Thank you, but that is just a way of refining the logbuffer search; it will not stop it from reporting on the SNMP attacks. Thank you so much for your answer, though.
E.DR_91 (MVE) Created Jan 21, 2020 12:05:53

The log message "Failed to log in through SNMP" indicates that SNMP packets failed to be parsed. The causes and workarounds for this log message are as follows.

Cause 1: The SNMP version on the NMS that sent the login requests is not v1, v2c, or v3.
1. Run the display snmp-agent sys-info version command to check whether the SNMP version on the device is v1, v2c, or v3. If so, go to Step 2; if not, go to Step 3.
2. Run the snmp-agent sys-info version command to configure the SNMP version supported by the device, then check whether the problem is solved. If so, go to Step 4; if not, go to Step 3.
3. Contact Huawei technical support personnel.
4. End.

Cause 2: The packet bytes received by the device exceed the threshold.
1. Run the snmp-agent packet max-size byte-count command in the system view to modify the maximum packet bytes allowed on the device, then check whether the system still generates the logs. If so, go to Step 2; if not, go to Step 3.
2. Contact Huawei technical support personnel.
3. End.

Cause 3: The community string is configured incorrectly.
1. Run the display snmp-agent community command to check whether the community string configured on the device is identical to that configured on the NMS. If so, go to Step 5; if not, go to Step 2.
2. Run the snmp-agent community read command to configure a read community string and the snmp-agent community write command to configure a write community string.
3. Check whether the NMS can log in to the device with the correct community string. If so, go to Step 5; if not, go to Step 4.
4. Contact Huawei technical support personnel.
5. End.

Cause 4: Requests sent from the IP address are denied by the ACL.
1. Run the display acl command to view the ACL configuration. The output indicates whether the IP address from which the requests are sent is denied by the ACL. If so, go to Step 2; if not, go to Step 4.
2. Run the rule permit source source-ip-address source-wildcard command in the ACL view to configure the ACL to allow the IP address.
3. Check whether the NMS can log in to the device. If so, go to Step 5; if not, go to Step 4.

kznfriks Created Jan 21, 2020 12:14:49

100%, but it seems you have misread my request. These are in fact failed attempts, and they should be failed attempts, as I, as an ISP, don't want a person in Kazakhstan or any other country to have access to or monitor my routers.

The question is: how do I stop these attacks/attempts from filling up my logbuffer, so that I get the real messages about changes on my router?

PiotrekRGC Created Jan 22, 2020 07:01:00

Hi, regardless of the result in the logs, if the problem is sourced in unauthorised SNMP attempts, you can limit the L3 interfaces that a sender can reach with:
snmp-agent protocol source-interface INT

Additionally, you can set a general ACL (not tied to a specific community string only) with:
snmp-agent acl NR