Extreme Networks
Question

Disable SNMP authentication fail message


Userlevel 4
Create Date: Mar 6 2013 8:01PM

Hi guys, this message is filling up my syslog database: "SNMP.Master: : Login failed through SNMPv1/v2c - bad community name". Is there any way that I can block this message from generating a syslog message? Or block an IP from trying to connect through SNMP to my switch? (from Samueltechking)

7 replies

Userlevel 4
Create Date: Mar 6 2013 9:25PM

Apply a filter to your log config - the syntax is a bit complex so I'd say just search the concepts guide for it. I'd also apply an access-list to your SNMP service (as well as any other management services you run, like SSH or telnet) like so:

Policy: ManagementAccess

    entry AllowTheseSubnets {
        if match all {
            source-address x.x.x.x/yy;
        }
        then {
            permit;
        }
    }

This will cause a different log message to show up when it denies access, so be sure to filter that one as well. (from Ansley_Barnes)
Userlevel 4
Create Date: Mar 7 2013 2:28PM

To create a log filter you need to run the command:
configure log filter "DefaultFilter" add exclude events SNMP.Master.AuthFail

That will stop those messages from occurring. However, those messages have an IP address in them from the source that is approaching the switch with a "bad" community name. Have you checked what that IP address is? (from ethernet)
Userlevel 4
Create Date: Mar 7 2013 4:25PM

ansleybarnes wrote: [quoting the reply above with the ManagementAccess policy]

I should note that the access-list doesn't have anything to do with the log messages - it's just a good idea to prevent management traffic from unauthorized sources from hitting the switch in the first place.

(from Ansley_Barnes)
Userlevel 4
Create Date: Mar 7 2013 4:46PM

ansleybarnes, you bring up a great point. It is definitely a best practice to configure a policy where you only allow a specific IP (or IPs) to talk to the switch via SNMP. The same goes for telnet and SSH access. (from ethernet)
Userlevel 4
Create Date: Mar 8 2013 12:18AM

Thanks, it worked. Yes, it has an IP address. It's one of my coworkers' computers running Spiceworks. (from Samueltechking)
Userlevel 4
Create Date: Mar 8 2013 12:20AM

Thanks for your help. I didn't use this option because I'm not good at configuring ACLs on Extreme switches. The syntax is a bit difficult, but you are right, it's better to block it completely. Filtering the syslog is just hiding the problem. (from Samueltechking)
Userlevel 4
Create Date: Mar 11 2013 12:13AM

ACLs can be a bit intimidating, but applying the management policy files is pretty easy. You can copy/paste the one I put up above, changing the IP info so it's applicable, of course, save it (in this example as ManagementAccess) and then enable it like so:

enable ssh2 access-profile ManagementAccess vr "VR-Default"
configure snmp access-profile ManagementAccess

That'll help boost your management security without complicating things.

(from Ansley_Barnes)
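As an added example (not code from the thread, from Extreme Networks or from EXOS itself): a Python script that does what ethernet suggests, pulling the source IP out of each SNMP.Master.AuthFail line in a syslog export and counting hits per source, then checks each source against the subnets you intend to permit, and finally renders the EXOS policy file and the two enable commands from Ansley_Barnes's last reply for those subnets. The syslog line layout, the sample lines and the 10.10.20.0/24 management subnet are constructed for the example; only the quoted message text and the command syntax come from the thread.

```python
"""Triage EXOS 'SNMP.Master.AuthFail' syslog lines and build a matching access policy.

Added example, not code from the thread or from Extreme Networks. The log line
layout below is an assumption; only the quoted message text comes from the thread.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample syslog export (not captured from a real switch). One line
# carries no address and one is a different event, to show both being skipped.
SAMPLE_LOG = """\
03/06/2013 19:58:01.12 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (10.10.20.55)
03/06/2013 19:58:31.40 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (10.10.20.55)
03/06/2013 19:59:02.07 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (192.0.2.77)
03/06/2013 19:59:40.00 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name
03/06/2013 20:00:00.00 <Info:AAA.authPass> Login passed for user admin through ssh (10.10.20.5)
"""

# Match the event name, then the first dotted-quad that follows it on the line.
AUTHFAIL_RE = re.compile(r"SNMP\.Master\.AuthFail.*?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_authfail_sources(log_text):
    """Return a Counter {source_ip: number of AuthFail events}, ignoring other
    events and AuthFail lines that carry no parsable address."""
    sources = Counter()
    for line in log_text.splitlines():
        m = AUTHFAIL_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1 fits the regex but is not an address
        sources[str(addr)] += 1
    return sources


def classify(sources, allowed_cidrs):
    """Split sources into those inside the intended management subnets (a known
    host with a wrong community, like the Spiceworks box in the thread) and
    those outside (traffic the access policy would drop)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    known, unknown = {}, {}
    for ip, count in sources.items():
        addr = ipaddress.ip_address(ip)
        bucket = known if any(addr in net for net in nets) else unknown
        bucket[ip] = count
    return known, unknown


def render_policy(allowed_cidrs):
    """Render an EXOS policy file with one permit entry per subnet, using the
    entry / if match all / then permit layout from the thread. A separate entry
    per subnet is used because 'match all' requires every condition in an entry
    to match. Sources matching no entry are assumed to be denied by the access
    profile (confirm for your EXOS release)."""
    out = []
    for i, cidr in enumerate(allowed_cidrs, 1):
        net = ipaddress.ip_network(cidr, strict=False)
        out += [
            f"entry AllowMgmt{i} {{",
            "    if match all {",
            f"        source-address {net.with_prefixlen};",
            "    }",
            "    then {",
            "        permit;",
            "    }",
            "}",
        ]
    return "\n".join(out) + "\n"


def enable_commands(policy_name="ManagementAccess", vr="VR-Default"):
    """The CLI lines from the thread that attach the saved policy to SSH and SNMP."""
    return [
        f'enable ssh2 access-profile {policy_name} vr "{vr}"',
        f"configure snmp access-profile {policy_name}",
    ]


if __name__ == "__main__":
    mgmt_subnets = ["10.10.20.0/24"]  # assumed management subnet for the example
    sources = parse_authfail_sources(SAMPLE_LOG)
    known, unknown = classify(sources, mgmt_subnets)
    print("AuthFail sources:", dict(sources))
    print("inside management subnets (fix the community on the host):", known)
    print("outside management subnets (dropped once the policy is applied):", unknown)
    print(render_policy(mgmt_subnets))
    print("\n".join(enable_commands()))
```

Run it against a real syslog export by replacing SAMPLE_LOG with the file contents; the split between "known" and "unknown" sources tells you which hits are a misconfigured management host (fix the community string there) and which are outsiders that the access profile should be dropping, so the AuthFail noise stops for the right reason rather than being filtered out of the log.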
