snmpd.log

Status
Not open for further replies.
Apr 13, 2004
Last week a server started logging this exception on a continuous basis and I am wondering if anyone has seen this or has an idea. This exception just started and never occurred before. They are claiming "no knowledge" of any changes.

06/01/04 14:06:31 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:33 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:33 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:36 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:38 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:40 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:42 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:44 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:46 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:48 EXCEPTIONS: authentication error: invalid community name: internal
 
I'd expect to find that someone just started running some sort of (probably networking equipment) monitoring software on their PC that promised them "automatic discovery of devices", it found your server listening to SNMP traffic, so keeps trying to query it.

Or...you have an unauthorized entity using similar software.

Since the source IP isn't logged, you'll need a sniffer to find the source if no one will claim responsibility. If it is a friendly party, be sure to tell them that "internal" is a horribly insecure community name. For that matter, no community name is going to be secure if they're going to connect to every SNMP port in creation and tell it the name.


If you're not using SNMP, you can turn it off with "stopsrc -s snmpd" and keep it from being started at boot by commenting out its line in /etc/rc.tcpip.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
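To quantify the pattern before reaching for a sniffer, the exceptions can be grouped by community string and timed. This is an added example, not part of the original posts; the function names are hypothetical, and it assumes the log format shown in the thread with two-digit years meaning 20YY.

```shell
#!/bin/sh
# Added example: group snmpd "invalid community name" exceptions by community
# string and show how regularly each one arrives. The log is read from stdin.
# Output columns (tab-separated): community, count, first seen, last seen,
# mean seconds between attempts.
summarize_snmp_auth_failures() {
    awk '
    # Days since 1970-01-01; two-digit years are assumed to mean 20YY.
    function days(y, m, d,    yoe, doy) {
        if (m <= 2) y--
        yoe = y % 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        return int(y / 400) * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    /EXCEPTIONS: authentication error: invalid community name:/ {
        split($1, dt, "/"); split($2, tm, ":")
        t = days(2000 + dt[3], dt[1] + 0, dt[2] + 0) * 86400 + tm[1] * 3600 + tm[2] * 60 + tm[3]
        name = $0
        sub(/^.*invalid community name: */, "", name)
        if (name == "") name = "(empty)"
        if (!(name in count)) { first[name] = $1 " " $2; t0[name] = t }
        count[name]++; last[name] = $1 " " $2; t1[name] = t
    }
    END {
        for (n in count) {
            gap = (count[n] > 1) ? (t1[n] - t0[n]) / (count[n] - 1) : 0
            printf "%s\t%d\t%s\t%s\t%.1f\n", n, count[n], first[n], last[n], gap
        }
    }' | sort
}

# Constructed sample: the "internal" lines follow the log in the thread; the
# "public" and NOTICE lines are invented to show grouping and a midnight rollover.
sample_log() {
    cat <<'EOF'
06/01/04 14:05:00 NOTICE: constructed line that must be ignored
06/01/04 14:06:31 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:33 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:33 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:36 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:38 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 14:06:40 EXCEPTIONS: authentication error: invalid community name: internal
06/01/04 23:59:58 EXCEPTIONS: authentication error: invalid community name: public
06/02/04 00:00:02 EXCEPTIONS: authentication error: invalid community name: public
EOF
}
sample_log | summarize_snmp_auth_failures
```

A single community string arriving at a steady gap of a couple of seconds is consistent with an automated poller; the log still carries no source address, so a packet capture is needed to identify the sender.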

 
Thanks, Rod. They are checking with a software developer to see if any changes they made in the last couple of weeks are the cause. They claim no networking monitoring change was made (which was my first thought.)

I want to stop snmp, because it isn't being used, but am not able to do that.
 
AAarrrgh!!

Do you have anyone with authority that cares about security and would understand the phrase "disable unnecessary network services"?

Also curious: Are your software developers actually working on SNMP software of some sort? Otherwise, it seems much more likely that you've got someone snooping around than an unintended side effect of a software change.

[heavysarcasm]
It must be great to have the responsibility of monitoring logs without the authority to do anything about what you find.
[/heavysarcasm]

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L

 
One of the first tasks I did when I started with this company was to identify all open ports and which application was using a port and which ports were unnecessarily open. I turned this in to my manager with a recommendation to close the unused/unneeded ports. It met the trash can.

Now the company is moving from AIX to Solaris (ahem!) and there was a task to identify all ports that should be closed. My coworker agreed to take on this task. I have no faith in this effort due to this anecdote from a meeting on ports: Person A said: “echo can be closed because it shouldn’t be used.” Coworker: “No, the DBA’s use the echo command frequently in their scripts.” Person A: “DBA’s use echo?” Coworker: “Yes, it is used in most of their scripts.”

Yes, my coworker was saying the DBA’s use the echo shell command in their scripts – which they do – and is thinking the echo shell command is the same as the ICMP echo. Needless to say, I don’t think the servers will be secured properly.

And really, I have no authority to do anything. No recommendations that I make are ever acted upon other than hearing, “that is a good idea.”

My manager wanted me to do something a month ago and I asked him a question in an email. A few days later a coworker asked me if that was done. I said, “no, our manager never replied in an email or voice mail or in person. So I haven’t done it.” He went to the manager and asked, got the answer, and I did it.

Time to move on, I am thinking (strongly!)
 