SNMP port scan

Snort caught 184.105.139.67 doing SNMP scans of some kind against my Linodes. Not sure if it's related to some recent SNMP vulnerability, but just FYI: make sure port 161 isn't available to the public unless you have a good reason for it.

3 Replies

I find it's easier and more secure to whitelist the ports you need than to blacklist the ones you don't. It's definitely simpler to configure iptables that way. Here's the output of iptables-save on one of our web servers:

# Generated by iptables-save v1.4.7 on Tue Mar 18 15:42:25 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4195393:2121601563]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT 
-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "002 accept SSH" -j ACCEPT 
-A INPUT -m comment --comment "003 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "010 accept HTTP" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 443 -m comment --comment "011 accept HTTPS" -j ACCEPT 
-A INPUT -m comment --comment "999 drop all other requests" -j DROP 
-A FORWARD -m comment --comment "000 drop forwarded packets" -j DROP 
COMMIT
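An added example, not code from the thread above: a small POSIX shell audit that reads an iptables-save dump and answers the question this reply and the original post are circling, namely whether SNMP (udp/161) could reach the host. The posted ruleset only whitelists TCP ports and ends in an unconditional DROP, so udp/161 falls through to the DROP; the script checks exactly that shape. The two rulesets embedded here are constructed samples modelled on the dump above (one safe, one deliberately accepting udp/161), and the function names are my own.

```sh
#!/bin/sh
# Audit an iptables-save dump for "whitelist what you need, DROP the rest".
# Added example; RULESET/BAD_RULESET are constructed, not a real server's dump.

RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT'

# Same ruleset, but someone "temporarily" opened SNMP to the world.
BAD_RULESET='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# accepted_ports PROTO RULESET
# Print, one per line, every destination port the INPUT chain explicitly
# ACCEPTs for PROTO (tcp|udp).  Handles both --dport N and --dports A,B.
# Rules without a port match (icmp, lo, state) are ignored on purpose.
accepted_ports() {
    proto=$1; rules=$2
    printf '%s\n' "$rules" \
      | grep -E "^-A INPUT .*-p $proto .*-j ACCEPT" \
      | sed -nE 's/.*--dports? ([0-9,:]+).*/\1/p' \
      | tr ',' '\n'
}

# port_accepted PROTO PORT RULESET -> 0 if PORT is whitelisted for PROTO
port_accepted() {
    accepted_ports "$1" "$3" | grep -qx "$2"
}

# input_default_drop RULESET -> 0 if INPUT has a DROP policy or ends in an
# unconditional DROP; without that, the whitelist is decorative.
input_default_drop() {
    printf '%s\n' "$1" | grep -qE '^(:INPUT DROP|-A INPUT -j DROP)'
}

# snmp_exposed RULESET -> 0 if udp/161 would get past the INPUT chain:
# either it is whitelisted, or nothing drops what the whitelist misses.
snmp_exposed() {
    port_accepted udp 161 "$1" || ! input_default_drop "$1"
}

# Stand-alone run: report on the two constructed rulesets.
for name in RULESET BAD_RULESET; do
    eval "rules=\$$name"
    if snmp_exposed "$rules"; then
        echo "$name: udp/161 is reachable from outside"
    else
        echo "$name: udp/161 is blocked"
    fi
done
```

To audit a live box, feed it the real dump (`iptables-save` as root) instead of the constructed strings, and pair it with `ss -lun` to see whether snmpd is bound to anything other than 127.0.0.1 in the first place; a firewall rule is the second line of defence, not the first.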

I didn't (and don't) have my SNMP port open; did you read my comment that way? I was recommending to others that they might want to not have it open. And yeah, I would hope most people start with everything closed and then open what they need.

It looks like that IP address is used by the Shadowserver Foundation, from whois info. From their site, it looks like they're scanning for people running open SNMP daemons to help ISPs combat DoS attacks at the source. That said, you shouldn't have a public facing SNMP daemon anyway :).
