
How to prevent false alarms on an SNMP monitoring server caused by a DDoS on the UDP port

11 June 2017

Sometimes a monitoring system that uses SNMP will raise a false "service down" alarm. This usually happens because of a UDP flood against the SNMP service. The server is not actually down, but because that port is being flooded, the information the monitoring server needs to pull cannot be retrieved.

Example of an SNMP DDoS as seen in the snmpd log:


root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41150

Block the offending IPs with the CSF firewall

root@svr29 [~]# csf -d 201.229.x.x
root@svr29 [~]# csf -d 24.201.x.x

After that, confirm that only the monitoring server's IP is still connecting to snmpd:

root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:40872
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:55844
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41199

*Update
There is also a way to allow only certain IPs to access snmpd using /etc/hosts.allow, so the firewall is not needed for this.
Example settings in /etc/hosts.allow:

.
.

#snmpd
snmpd : 103.x.x.x : allow
snmpd : ALL : deny

Log entries that appear once this setting is in place:

Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8699 REFUSED
Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:19461 REFUSED
Nov 15 11:19:08 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8920 REFUSED
Nov 15 11:19:09 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:41155 REFUSED
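To turn the two manual steps above (spotting the flooding sources in /var/log/messages, then checking that only the monitoring server is left talking to snmpd after the CSF block or the hosts.allow rule) into something repeatable, here is an added example script. It is not part of the original post and not a CSF or net-snmp tool: it parses "Connection from UDP" lines in the format shown above, counts requests per source inside a sliding time window, flags sources that exceed a threshold and are not on the allow-list, and prints the matching `csf -d` commands and hosts.allow block. The log lines embedded in it are constructed (RFC 5737 documentation addresses stand in for the masked IPs on the page, with 192.0.2.5 playing the monitoring server), and the year, threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the snmpd log format shown in the post.
# 192.0.2.5 stands in for the monitoring server; the others are noise sources.
SAMPLE_LOG = """\
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:1025
Nov 11 10:42:48 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:1025
Nov 11 10:42:49 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [192.0.2.5]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [192.0.2.5]:41150
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [192.0.2.5]:40872
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [192.0.2.5]:55844
Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [203.0.113.10]:8699 REFUSED
Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [203.0.113.10]:19461 REFUSED
"""

# Matches the "Connection from UDP" lines, with or without the trailing REFUSED
# that tcpwrappers adds once hosts.allow denies the source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snmpd\[\d+\]: "
    r"Connection from UDP: \[(?P<ip>[^\]]+)\]:(?P<port>\d+)(?P<refused> REFUSED)?$"
)

def parse_snmpd_lines(text, year=2017):
    """Return a list of (timestamp, ip, port, refused) tuples; non-matching lines are skipped.
    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), int(m.group("port")), bool(m.group("refused"))))
    return events

def find_flood_sources(events, allowed, threshold, window_seconds):
    """Return {ip: peak_count} for sources whose accepted requests exceed `threshold`
    within any `window_seconds` span. Allow-listed IPs and REFUSED lines are ignored."""
    by_ip = defaultdict(list)
    for ts, ip, _port, refused in events:
        if refused or ip in allowed:
            continue
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def unexpected_sources(events, allowed):
    """IPs that were actually served (not REFUSED) and are not the monitoring server.
    An empty set is the 'only the monitoring server connects' state the post checks for."""
    return {ip for _ts, ip, _p, refused in events if not refused and ip not in allowed}

def refused_counts(events):
    """How many requests per source were rejected by the hosts.allow rule."""
    return Counter(ip for _ts, ip, _p, refused in events if refused)

def csf_deny_commands(flagged):
    """The csf -d commands the post runs by hand, one per flagged source."""
    return [f"csf -d {ip}" for ip in sorted(flagged)]

def hosts_allow_snippet(allowed):
    """The /etc/hosts.allow block from the post, generated from the allow-list."""
    lines = ["#snmpd"] + [f"snmpd : {ip} : allow" for ip in sorted(allowed)]
    return "\n".join(lines + ["snmpd : ALL : deny"])

if __name__ == "__main__":
    monitoring = {"192.0.2.5"}                     # assumption: your monitoring server's IP
    evts = parse_snmpd_lines(SAMPLE_LOG)
    flood = find_flood_sources(evts, monitoring, threshold=3, window_seconds=10)
    print("flooding sources:", flood)
    print("\n".join(csf_deny_commands(flood)))
    print("still served but not monitoring:", unexpected_sources(evts, monitoring))
    print("refused by hosts.allow:", dict(refused_counts(evts)))
    print(hosts_allow_snippet(monitoring))
```

Feed it real output from `grep "Connection from UDP" /var/log/messages` instead of the constructed sample; any source still appearing in `unexpected_sources` after the block means the alarm can still be triggered. The hosts.allow approach only works when snmpd was built with TCP wrapper (libwrap) support, and the REFUSED suffix in the log is the sign that it is; if the lines keep appearing without REFUSED after editing hosts.allow, fall back to the firewall rule.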
