DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

How to block SNMP from the WAN interface?

01 Apr 2014 10:36 #79523 by davidmatthewson
How to block SNMP from the WAN interface? was created by davidmatthewson
Hi

I have a couple of 2820 routers and I note I can 'see' the SNMP stats from the internet even though I have 'management from the internet' turned off. This is a bit worrying as any random user can see this sort of stuff:

Logs:
sysDescr: DrayTek Corporation, Router Model: Vigor2820 Series, Version: 3.3.7.3_232201, Build Date/Time:Sep 13 2012 19:09:39
sysUpTime: 1d 19h 58m 35s
sysContact: info@draytek.com
sysName: Ravens_Quay


which is not good news. The community strings are not set to 'public' but to a 'secret' name.

Can anyone suggest how I can block SNMP requests from the Internet from accessing the router? [I know I could just turn SNMP OFF but I use it for support internally.]

Thanks

David

01 Apr 2014 12:07 #79525 by sicon
Can't you just restrict 161/162 to the server that you want to access the SNMP data?

01 Apr 2014 14:23 #79530 by davidmatthewson
Replied by davidmatthewson on topic Re: How to block SNMP from the WAN interface?
Indeed. That works fine if the ports are locked down under 'Management Host IP' to JUST the machine one wants to have access. I checked 'before & after' with the (free) Paessler SNMP test tool http://www.paessler.com/tools/snmptester which works well. The 'system up time' is a good quick guide to see if the entire Internet has SNMP access to your router or not! - sigh...


New Test

Paessler SNMP Tester 5.1.2
01/04/2014 13:44:07 (2 ms) : Device: xxx.68.8.30
01/04/2014 13:44:07 (4 ms) : SNMP V1
01/04/2014 13:44:07 (5 ms) : Uptime
01/04/2014 13:44:08 (762 ms) :

01/04/2014 13:44:08 (764 ms) : DISMAN-EVENT-MIB::sysUpTimeInstance = 1833140 ( 5 hours 5 minutes )
01/04/2014 13:44:09 (1530 ms) : HOST-RESOURCES-MIB::hrSystemUptime.0 = No Such Name (SNMP error # 2) ( 0 seconds )
01/04/2014 13:44:09 (1532 ms) : Done

The other tests give much more info on interfaces, traffic etc., so it's not really a good idea to allow everyone access. Exploiting this weakness would allow an attacker to use your SNMP service as part of an "amplification" denial of service attack. This type of attack uses address spoofing to flood the target with unwanted data, effectively taking it offline.

Oops...

David

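As an added example (not from this thread, the Paessler tool or DrayTek), the script below performs the same 'before and after' check from the command line: it builds the SNMPv1 GetRequest for sysUpTime.0 that the tester sends, decodes the TimeTicks in the reply, and treats silence as the desired result once 'Management Host IP' is locked down. The host, community string and the sample reply bytes used for offline checking are constructed values, not taken from the thread.

```python
import socket
SYS_UPTIME_OID = (1, 3, 6, 1, 2, 1, 1, 3, 0)  # DISMAN-EVENT-MIB::sysUpTimeInstance

def _tlv(tag, body):  # BER type-length-value; every length built here is below 128
    return bytes([tag, len(body)]) + body

def _encode_oid(oid):  # first two arcs share one octet; all arcs of sysUpTime.0 are < 128
    return bytes([40 * oid[0] + oid[1], *oid[2:]])

def _read_tlv(buf, pos=0):  # -> (tag, body, next_pos); accepts long-form lengths too
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _message(pdu_tag, community, value, request_id=1):  # 0xA0 GetRequest, 0xA2 GetResponse
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(SYS_UPTIME_OID)) + value)
    pdu = _tlv(pdu_tag, _tlv(0x02, bytes([request_id])) + b"\x02\x01\x00" * 2 + _tlv(0x30, varbind))
    return _tlv(0x30, b"\x02\x01\x00" + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community):
    return _message(0xA0, community, b"\x05\x00")  # NULL value; the agent fills it in

def build_sample_response(community, ticks):  # constructed stand-in for the router's reply
    body = ticks.to_bytes(max(1, (ticks.bit_length() + 8) // 8), "big")  # +8 keeps the sign bit clear
    return _message(0xA2, community, _tlv(0x43, body))

def parse_uptime_response(datagram):  # TimeTicks, or None if not a clean GetResponse (e.g. noSuchName)
    _, msg, _ = _read_tlv(datagram)
    tag, pdu, _ = _read_tlv(msg, _read_tlv(msg, _read_tlv(msg)[2])[2])  # skip version, community
    _, err, pos = _read_tlv(pdu, _read_tlv(pdu)[2])                      # skip request-id
    if tag != 0xA2 or err != b"\x00":
        return None
    vb = _read_tlv(_read_tlv(pdu, _read_tlv(pdu, pos)[2])[1])[1]         # skip error-index, unwrap list
    tag, val, _ = _read_tlv(vb, _read_tlv(vb)[2])                        # skip OID, take the value
    return int.from_bytes(val, "big") if tag == 0x43 else None

def format_ticks(ticks):  # TimeTicks are 1/100 s; same rendering as the tester output above
    secs = ticks // 100
    return f"{secs // 3600} hours {secs % 3600 // 60} minutes"

def probe(host, community, timeout=2.0):  # None = no answer, which is what the WAN side should give
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            return parse_uptime_response(s.recvfrom(1500)[0])
        except socket.timeout:
            return None
```

Run `probe("ROUTER_WAN_IP", "your-community")` from a host outside the Management Host IP list; before the lockdown it returns the uptime ticks, afterwards it should return None.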
01 Apr 2014 14:41 #79531 by sicon
I see what you mean, that's a bit of a bummer.
Might be worth logging a case with DrayTek and seeing if you can lock it down.
Have you looked in the CLI? There are extra options in there.

01 Apr 2014 15:48 #79532 by davidmatthewson
Replied by davidmatthewson on topic Re: How to block SNMP from the WAN interface?
I haven't looked at the CLI yet and yes, there are probably a whole load more options in there. But in the short term, I'd advise everyone to change the community string and lock down what ports SNMP responds to. Thanks for the advice about contacting DrayTek - I'll do that and report back here what happens.

brgds

D
