Junos OS

Expand all | Collapse all

unauthorized SNMP community

Jump to Best Answer
  • 1.  unauthorized SNMP community

    Posted 09-24-2020 02:35

    Hi guys,

     

    I have a short question.

    Can I block an unauthorized SNMP community like this:

     

    SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.54.10.250 to 255.255.255.255 (public)

     

    This entry are allwas in my log and so i must scroll to see the important entrys.

     

    THX



  • 2.  RE: unauthorized SNMP community

    Posted 09-24-2020 02:37

    Hi,

     

    U want filter that log or u want do firewall filter from attempt your device?

     

     

    Thanks



  • 3.  RE: unauthorized SNMP community

     
    Posted 09-24-2020 02:39

    You can write match rules to prevent certain logs like this from writing to file or sending to syslog.  This kb outlines the process.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

     



  • 4.  RE: unauthorized SNMP community

    Posted 09-24-2020 03:47

    Hi,

    i do not know realy whht is the better way for me.

    I think it is better to make a FW Filter to block this unauthorized community, what do think about it?

    When i make a filter then are my lop clean for the important messages.



  • 5.  RE: unauthorized SNMP community
    Best Answer

     
    Posted 09-24-2020 04:02

    Hi Thomas,

     

    I'd suggest you to create a firewall filter and bind this to the lo0 interface. This is also called a control plane protection filter. You can find some help inside this Juniper day one book:

     

    https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

     

    The whole book is important, but if you just want to protect the Routing Engine, then you can start directly at page 111.

    However, I'd really suggest you to read the whole book and make appropriate changes.



  • 6.  RE: unauthorized SNMP community

    Posted 09-24-2020 04:29

    Hi,

     

    thanks for the book, i would read it.

    Can you make me an example for my ipadresse so I can better understand what the book mean...



  • 7.  RE: unauthorized SNMP community

     
    Posted 09-24-2020 04:38

    This example is just for securing SNMP. Please note that this single filter is not enough, as it would discard ALL other traffic (SSH, RADIUS, Routing Protocols, ...) and make you device dead, so you need to adapt your RE protection with the help of the mentioned book.

     

    set snmp community "<your SNMP community>" authorization read-only

    set snmp community "<your SNMP community>" clients <the IP address which is allowed to query your Router>

     

    set policy-options prefix-list snmp-servers apply-path "snmp community <*> clients <*>"

     

    set firewall family inet filter protect-re term allow-snmp from source-prefix-list snmp-servers

    set firewall family inet filter protect-re term allow-snmp from protocol udp

    set firewall family inet filter protect-re term allow-snmp from destination-port snmp

    set firewall family inet filter protect-re term allow-snmp then accept

     

    set firewall family inet filter protect-re term default-deny then discard



  • 8.  RE: unauthorized SNMP community

    Posted 09-30-2020 01:08

    Good morning guys,

     

    I have read the book and it is very good for my company.

    In chapter 2 I want to set set my system port console log-out-on-disconnect.

     

    By my MX960 I can do it.

    By  my other MX 80 and Mx 104 i can only disable the ports and not by disconnect, why.

    The Version is 17.R4

     

     



  • 9.  RE: unauthorized SNMP community

     
    Posted 09-30-2020 14:18

    Hello Thomas,

     

    Some platforms do not support this "log-out-on-disconnect" command, as the internal chip which handles this behavior is on some platforms too old or not designed for this.

    At least for MX80 this is true:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/console-edit-system-ports.html

     

    "The log-out-on-disconnect option is not operational on MX80 routers. On MX80 routers you must manually log out from the console with the request system logout u0 command."