Logging Unauthorized SNMP Attempts

Logging Unauthorized SNMP Attempts

Problem

You want to log unauthorized SNMP attempts.

Solution

Use the following commands to configure your router to log unauthorized SNMP requests:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any log
Router(config)#snmp-server community ORARO ro 99
Router(config)#snmp-server community ORARW rw 99
Router(config)#end
Router#

Discussion

If you are concerned about unauthorized access to SNMP services on your router, it can be quite useful to configure the router to maintain detailed records of every failed request. These verbose log messages can provide information on incorrectly configured management servers as well as malicious (or just plain nosy) users.

Simply adding the keyword log to the deny any line in your access-list instructs the router to log all unauthorized SNMP attempts.

The following command will display the status of your SNMP access-list:

Router#show access-list 99
Standard IP access list 99
permit 10.1.1.1 (1293 matches)
permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
deny any log (17 matches)
Router#

Unlike the example shown in Recipe 17.6, the show access-list output now includes the log keyword on the deny any line. The router will now send information on every unauthorized SNMP request to the logging facility (see Chapter 18 for more information on logging). Use the show logging EXEC command to view the router's internal logging buffer:

Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 26 messages logged
Logging to: vty2(0)
Buffer logging: level debugging, 49 messages logged
Trap logging: level informational, 53 message lines logged
Logging to 172.25.1.1, 53 message lines logged
Logging to 172.25.1.3, 53 message lines logged

Log Buffer (4096 bytes):
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#

This example shows that access-list 99, our SNMP access-list, has denied access attempts by two IP source addresses, 192.168.22.13 and 10.121.212.11, respectively. You can see that the final logging entry shows that the ACL denied three packets from source address 10.121.212.11. Note that every packet received doesn't result in a separate log entry. If you are building a custom script to extract failed SNMP attempts, you will need to keep this in mind.

See Also