Open SNMP service used for an atack

  • Caros, alguém já recebeu está notificação do Cert.BR ?

    You appear to be running an open SNMP server at IP address 201.25.71.x that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

    Please consider reconfiguring your SNMP-speaking device in one or more of these ways:

    • Block queries made by unauthorized addresses. This can be done with an ACL or other firewall rule.
    • Use a different query string than "public" and which cannot be easily guessed by a 3rd party.
    • Disable SNMP entirely.

  • Rebel Alliance Developer Netgate

    From the message it sounds like you have SNMP open on your WAN, which is bad. Don't do that. Fix your rules so only your SNMP server can reach the SNMP port, and never do that over a WAN as it's insecure.

  • @jimp Thank you. would you be able to exemplify how I can restrict WAN SNMP access via Firewall rules or ACLs?

  • Rebel Alliance Developer Netgate

    By default nothing is allowed in WAN, so one or more of your existing rules on the WAN must be allowing access to SNMP, assuming the report is legitimate.

    If you post a screenshot of your WAN rules then others here can look them over and help determine what is wrong.

  • @jimp I created this rule on the WAN (attachment) but I do not know if it is enough. Port 161 was released in the output table and deletes it.

    0_1537387029382_SNMP blocking.png

Log in to reply