Vulnerability Development mailing list archives

Re: (U) Exploiting Poor SNMP Security


From: Dan Kaminsky <dankamin () CISCO COM>
Date: Fri, 15 Dec 2000 04:14:56 -0800

In reference to the recent thread regarding poor SNMP security, does anyone
know of a program/application to turn off/shut down unwanted/unnecessary
running services that use SNMP as its transport agent? Thanks in advance,

Dana E Morrow

Dana--

    The best method of suppressing arbitrary activity on a host is to
install a firewall configuration onto it--particularly a configuration
reciprocal to that which the network filters against.  That way, you're
given a level of redundancy--even if an implementation specific weakness
allows the network ruleset to be bypassed, the host itself will reject the
forbidden traffic--and, of course, since you never want to just trust the
host not to abuse the network, the network firewall is critical as well.

    You're most likely seeking methods of locking down Unix based SNMP
calls.  Darren Reed's ipfilter package has become my absolute favorite
method of doing this, given its extensive portability and easily
understandable filter syntax.  It supports all of the BSDs, as well as Sun,
SGI, and HP-UX.  The following rules:

    block in proto udp from any to any port = 161   # SNMP incoming
    block out proto udp from any to any port = 161  # SNMP outgoing

    block in proto udp from any to any port = 162   # SNMP trap incoming
    block out proto udp from any to any port = 162  # SNMP trap outgoing

    ...will suppress all SNMP traffic from ever reaching userland.  On the
flipside, a default ruleset of:

    block in from any to any
    block out from any to any
    pass in proto tcp from any to any port = 80
    pass out proto tcp from any port = 80 to any

    ...will actually automatically ban SNMP, FTP, even ICMP...only HTTP
traffic incoming and outgoing will get through.  This is significant when
you consider default web servers that ship with dozens and dozens of
services that *need* to be locked down--instead of killing processes, you
mute anything that isn't explicitly trusted.  This is *particularly* valuable
for services that do their inter-process communication using publicly
listening ports (binding to 0.0.0.0 instead of localhost, essentially), so
that they'll easily scale for clustering.  Instead of rewriting configs or
badgering authors, let the application bind to whatever it wants to--the OS
will refuse to let anything outside of localhost connect.  This works well.

    ipfilter is available at http://coombs.anu.edu.au/~avalon/ip-filter.html;
I'm just a loyal user.

    You will, of course, want to scan your systems for snmp listeners.  The
best way to do this is nmap.  The command:

nmap -sU -p 161 10.0.1.0/24

    will reasonably reliably display which hosts will accept *some* form of
community string in exchange for data on the 10.0.1.0/24 subnet.  Excellent
stuff.

    Hope this helps!

Yours Truly,

    Dan Kaminsky

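As an added example (this is not code from the original post, nor part of nmap or ipfilter), the following Python script goes one step past what the nmap scan in the message above checks. An empty UDP datagram to port 161 only tells you whether the port is open or filtered; this script sends a real SNMPv1 GetRequest for sysDescr.0 with a candidate community string, then BER-decodes the GetResponse, so a host is reported only if it actually hands back data for that community. Run against a host after loading the ipfilter rules above, it is also the check that the rules took effect: a muted host goes silent, exactly like one with no agent. It needs no raw-socket privileges, unlike nmap -sU. The host list, the community "public" and the sample reply bytes are constructed assumptions, not traffic captured from any real host.

```python
"""Minimal SNMPv1 GetRequest probe: does a host answer a community string with data?

Added example, not from the original mailing-list post. Hand-encodes the BER for
an SNMPv1 GetRequest (sysDescr.0), sends it to UDP/161 and decodes the reply.
"""
import socket

SYSDESCR = "1.3.6.1.2.1.1.1.0"            # sysDescr.0: every agent implements it
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2    # context-specific PDU tags from RFC 1157


def _ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v):
    # Minimal two's-complement encoding; 0 -> 02 01 00, 128 -> 02 02 00 80.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(oid):
    """First two arcs packed into one byte, remaining arcs base-128 big-endian."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_get_request(community, oid=SYSDESCR, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbinds = _tlv(0x30, _tlv(0x30, _ber_oid(oid) + b"\x05\x00"))  # NULL value in a request
    pdu = _tlv(GET_REQUEST, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + varbinds)
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(data):
    """Decode an SNMPv1 GetResponse into a dict; ValueError for anything else."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("PDU tag 0x%02x is not GetResponse" % pdu_tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)                     # error-index, unused here
    _, varbinds, _ = _read_tlv(pdu, pos)
    values, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_raw, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        values.append((_decode_oid(oid_raw), vtag, val))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "values": values}


def accepts_community(data, request_id):
    """True if data is a GetResponse to our request, i.e. the agent took the community.
    A non-zero error-status (noSuchName etc.) still proves acceptance. An agent that
    rejects the community sends nothing, which looks the same as a firewall drop."""
    try:
        return parse_get_response(data)["request_id"] == request_id
    except (ValueError, IndexError):
        return False


def probe(host, community="public", timeout=2.0, request_id=1):
    """Send one GetRequest to host:161; decoded reply, or None if silent or rejected."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_get_request(community, SYSDESCR, request_id), (host, 161))
        data, _ = s.recvfrom(4096)
    except OSError:                 # timeout, or an ICMP unreachable surfaced as an error
        return None
    finally:
        s.close()
    return parse_get_response(data) if accepts_community(data, request_id) else None


# Constructed sample reply (not captured from a real agent): GetResponse,
# request-id 1, noError, sysDescr.0 = "SunOS lab 5.8".
SAMPLE_RESPONSE = bytes.fromhex(
    "3033" "020100" "04067075626c6963" "a226" "020101" "020100" "020100"
    "301b" "3019" "06082b06010201010100" "040d53756e4f53206c616220352e38")

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["127.0.0.1"]:   # hosts are the caller's assumption
        reply = probe(host)
        print(host, "no answer (muted, filtered, or community rejected)" if reply is None
              else "answers %r: %r" % (reply["community"], reply["values"][0][2]))
```

The request built for community "public" is 40 bytes; the decoder is deliberately strict about the PDU tag so that a stray SNMP trap or our own echoed request is never counted as an agent answering.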