Vulnerability Development mailing list archives
Re: (U) Exploiting Poor SNMP Security
From: Dan Kaminsky <dankamin () CISCO COM>
Date: Fri, 15 Dec 2000 04:14:56 -0800
In reference to the recent thread regarding poor SNMP security, does anyone
know of a program/application to turn off/shut down unwanted/unnecessary
running services that use SNMP as its transport agent?

Thanks in advance,
Dana E Morrow
Dana--

The best method of suppressing arbitrary activity on a host is to install a
firewall configuration onto it--particularly a configuration reciprocal to
that which the network filters against. That way, you're given a level of
redundancy--even if an implementation-specific weakness allows the network
ruleset to be bypassed, the host itself will reject the forbidden
traffic--and, of course, since you never want to just trust the host not to
abuse the network, the network firewall is critical as well.

You're most likely seeking methods of locking down Unix-based SNMP calls.
Darren Reed's ipfilter package has become my absolute favorite method of
doing this, given its extensive portability and easily understandable filter
syntax. It supports all of the BSDs, as well as Sun, SGI, and HP-UX.

The following rules:

    block in  proto udp from any to any port = 161   # SNMP incoming
    block out proto udp from any to any port = 161   # SNMP outgoing
    block in  proto udp from any to any port = 162   # SNMP trap incoming
    block out proto udp from any to any port = 162   # SNMP trap outgoing

...will suppress all SNMP traffic from ever reaching userland.

On the flipside, a default ruleset of:

    block in  from any to any
    block out from any to any
    pass in   proto tcp from any to any port = 80
    pass out  proto tcp from any port = 80 to any

...will actually automatically ban SNMP, FTP, even ICMP...only HTTP traffic
incoming and outgoing will get through. This is significant when you
consider default web servers that ship with dozens and dozens of services
that *need* to be locked down--instead of killing processes, you mute
anything that isn't explicitly trusted. This is *particularly* valuable for
services that do their inter-process communication using publicly listening
ports (binding to 0.0.0.0 instead of localhost, essentially), so that
they'll easily scale for clustering. Instead of rewriting configs or
badgering authors, let the application bind to whatever it wants to--the OS
will refuse to let anything outside of localhost connect. This works well.

ipfilter is available at http://coombs.anu.edu.au/~avalon/ip-filter.html ;
I'm just a loyal user.

You will, of course, want to scan your systems for SNMP listeners. The best
way to do this is nmap. The command:

    nmap -sU -p 161 10.0.0.1-255

will reasonably reliably display which hosts will accept *some* form of
community string in exchange for data on the 10.0.1.0/24 subnet.

Excellent stuff. Hope this helps!

Yours Truly,

Dan Kaminsky
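The nmap sweep above only tells you that something answers on UDP/161; the question that actually matters is whether the agent hands over data for a guessable community string. The following is an added example, not code from the original post or from nmap/ipfilter: it builds an SNMPv1 GetRequest for sysDescr.0 by hand (RFC 1157 BER encoding), parses the agent's GetResponse, and rejects replies whose request-id does not match. The probe() target address, the community list, and the reply produced by build_get_response() for offline testing are constructed assumptions; nothing here is specific to any real device.

```python
"""SNMPv1 community-string probe: hand-built GetRequest, GetResponse parser.
Wire format is RFC 1157; target host, community list and the reply built by
build_get_response() are constructed assumptions for offline use."""
import os
import socket

SYSDESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first object to ask for
SNMP_PORT = 161
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n):
    """Minimal two's-complement INTEGER for n >= 0 (leading 0x00 when top bit set)."""
    return tlv(TAG_INT, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(payload):
    arcs, acc = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_tlvs(buf):
    """Split a BER buffer into [(tag, payload), ...]; nested payloads are parsed by calling again."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated BER header")
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + ln > len(buf):
            raise ValueError("truncated BER element")
        items.append((tag, buf[i:i + ln]))
        i += ln
    return items


def build_get_request(community, oid=SYSDESCR_0, request_id=None):
    """Message { version 0, community, GetRequest { id, 0, 0, [ { oid, NULL } ] } }."""
    if request_id is None:
        request_id = int.from_bytes(os.urandom(3), "big")   # random id so a stale reply is rejected
    varbinds = tlv(TAG_SEQ, tlv(TAG_SEQ, ber_oid(oid) + tlv(TAG_NULL, b"")))
    pdu = tlv(TAG_GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTETS, community.encode()) + pdu), request_id


def build_get_response(community, request_id, oid, value, error_status=0):
    """Encodes a GetResponse the way an agent would; used here only for a constructed offline reply."""
    varbinds = tlv(TAG_SEQ, tlv(TAG_SEQ, ber_oid(oid) + tlv(TAG_OCTETS, value.encode())))
    pdu = tlv(TAG_GET_RESPONSE, ber_int(request_id) + ber_int(error_status) + ber_int(0) + varbinds)
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTETS, community.encode()) + pdu)


def parse_get_response(data, expected_id):
    """Validate an SNMPv1 GetResponse; return its community, error-status and varbinds."""
    (tag, body), = parse_tlvs(data)                     # exactly one top-level Message
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    (vtag, version), (_, community), (ptag, pdu) = parse_tlvs(body)
    if vtag != TAG_INT or int.from_bytes(version, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    if ptag != TAG_GET_RESPONSE:
        raise ValueError("PDU is not a GetResponse")
    (_, rid), (_, err), (_, _idx), (_, varbinds) = parse_tlvs(pdu)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch (stale or spoofed reply)")
    result = {"community": community.decode(errors="replace"),
              "error_status": int.from_bytes(err, "big", signed=True), "varbinds": {}}
    for _, vb in parse_tlvs(varbinds):
        (_, oid), (val_tag, val) = parse_tlvs(vb)
        result["varbinds"][decode_oid(oid)] = val.decode(errors="replace") if val_tag == TAG_OCTETS else val
    return result


def probe(host, communities=("public", "private"), timeout=2.0):
    """Try each community against host:161; return (community, sysDescr) for the first accepted one.
    Agents usually drop requests with a wrong community silently, so a timeout means
    'rejected or filtered', not 'no agent'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for community in communities:
            msg, rid = build_get_request(community)
            sock.sendto(msg, (host, SNMP_PORT))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            reply = parse_get_response(data, rid)
            if reply["error_status"] == 0:
                return community, reply["varbinds"].get(SYSDESCR_0)
    finally:
        sock.close()
    return None


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))   # TEST-NET address, an assumption
```

Run it against a host the nmap sweep flagged; a tuple back means the agent answered for that community and the remote OS is already disclosed in sysDescr. The request-id check matters because UDP replies are trivially spoofable and an agent behind a firewall may answer late for an earlier community; a reply with the wrong id is discarded rather than credited to whichever community was sent last.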
Current thread:
- (U) Exploiting Poor SNMP Security Morrow Dana TSgt AMC CSS/NOSA (Dec 15)
- Re: (U) Exploiting Poor SNMP Security Dan Kaminsky (Dec 16)
- Re: (U) Exploiting Poor SNMP Security Kurt Grutzmacher (Dec 18)
- Re: (U) Exploiting Poor SNMP Security Paul Cardon (Dec 18)
- Re: (U) Exploiting Poor SNMP Security Dan Kaminsky (Dec 16)