Logging Unauthorized SNMP Attempts

Problem

You want to log unauthorized SNMP attempts.

Solution

Use the following commands to configure your router to log unauthorized SNMP requests:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any log
Router(config)#snmp-server community ORARO ro 99
Router(config)#snmp-server community ORARW rw 99
Router(config)#end
Router#


Discussion

If you are concerned about unauthorized access to SNMP services on your router, it can be quite useful to configure the router to maintain detailed records of every failed request. These verbose log messages can provide information on incorrectly configured management servers as well as malicious (or just plain nosy) users.

Simply adding the keyword log to the deny any line in your access-list instructs the router to log all unauthorized SNMP attempts.

The following command will display the status of your SNMP access-list:

Router#show access-list 99
Standard IP access list 99
 permit 10.1.1.1 (1293 matches)
 permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
 deny any log (17 matches)
Router#

Unlike the example shown in Recipe 17.6, the show access-list output now includes the log keyword on the deny any line. The router will now send information on every unauthorized SNMP request to the logging facility (see Chapter 18 for more information on logging). Use the show logging EXEC command to view the router's internal logging buffer:

Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
 Console logging: disabled
 Monitor logging: level debugging, 26 messages logged
 Logging to: vty2(0)
 Buffer logging: level debugging, 49 messages logged
 Trap logging: level informational, 53 message lines logged
 Logging to 172.25.1.1, 53 message lines logged
 Logging to 172.25.1.3, 53 message lines logged
 
Log Buffer (4096 bytes):
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#

This example shows that access-list 99, our SNMP access-list, has denied access attempts from two source IP addresses, 192.168.22.13 and 10.121.212.11. The final logging entry shows that the ACL denied three packets from source address 10.121.212.11 in a single message. Note that not every packet received results in a separate log entry; the router reports repeated matches as one message carrying a packet count. If you are building a custom script to extract failed SNMP attempts, you will need to keep this in mind.
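As an added example (not part of the original recipe), the script below shows how such a custom script can handle the packet-count caveat: it parses %SEC-6-IPACCESSLOGS lines from the logging buffer and tallies, per source address, both the number of log entries and the total packets denied, so a source that appears in one entry "3 packets" is not undercounted. The sample log text is constructed from the two entries above plus a third line invented for the same source; the function names, the default ACL number and the lazy timestamp prefix in the regular expression (which tolerates sequence numbers or millisecond timestamps if service timestamps is configured differently) are this example's assumptions, not anything from the book.

```python
import re
from collections import OrderedDict

# Constructed sample: the two entries from the recipe's "show logging" output,
# plus a third entry (invented here) for the same source as the second one.
SAMPLE_LOG = """\
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Apr 15 22:44:20: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 12 packets
"""

# Standard (numbered) ACL log format: no protocol or port fields, only the
# source address and a packet count. The timestamp prefix is captured lazily
# so lines with a sequence number or msec timestamp still match (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>.*?): %SEC-6-IPACCESSLOGS: list (?P<acl>\S+) denied "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?$"
)


def parse_acl_log(text, acl="99"):
    """Yield (timestamp, source, packet_count) for each IPACCESSLOGS entry
    that belongs to the given access-list; other lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("acl") == acl:
            yield m.group("ts"), m.group("src"), int(m.group("count"))


def summarize(text, acl="99"):
    """Return {source: {"entries": n, "packets": n, "first": ts, "last": ts}}.

    'entries' counts log messages; 'packets' sums the per-message packet
    counts, which is the figure that reflects actual denied traffic."""
    summary = OrderedDict()
    for ts, src, count in parse_acl_log(text, acl):
        rec = summary.setdefault(
            src, {"entries": 0, "packets": 0, "first": ts, "last": ts}
        )
        rec["entries"] += 1
        rec["packets"] += count
        rec["last"] = ts
    return summary


def total_denied_packets(text, acl="99"):
    """Total packets denied by the ACL across all sources."""
    return sum(rec["packets"] for rec in summarize(text, acl).values())


if __name__ == "__main__":
    for src, rec in summarize(SAMPLE_LOG).items():
        print(f"{src:16} entries={rec['entries']:3} packets={rec['packets']:4} "
              f"first={rec['first']} last={rec['last']}")
    print("total denied packets:", total_denied_packets(SAMPLE_LOG))
```

In practice the text would come from the output of show logging (or from the syslog servers listed under "Trap logging"), and the per-source packet total, not the entry count, is the number to alert or report on.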

See Also

Recipe 17.1; Recipe 17.6; Chapter 19




Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505
