Sometimes a monitoring server that uses SNMP will raise a false "service down" alarm. This usually happens because of a UDP flood against the SNMP service: the server is not actually down, but because the port is flooded, the information the monitoring server needs to pull cannot be retrieved. A false alarm wastes time and leads to misinterpretation, since a server that is considered down in fact has no problem.

Example of an SNMP DDoS:

[bash]

root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41150

[/bash]

Block the IPs with the CSF firewall

[bash]
root@svr29 [~]# csf -d 201.229.x.x
root@svr29 [~]# csf -d 24.201.x.x
[/bash]

After that, make sure only the monitoring server's IP is connecting to snmpd

[bash]
root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:40872
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:55844
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41199
[/bash]

*Update
There is a way to allow only certain IPs to access snmpd using /etc/hosts.allow. A firewall is not required.
Example setting in /etc/hosts.allow

[bash]
.
.

#snmpd
snmpd : 103.x.x.x : allow
snmpd : ALL : deny

[/bash]

The log entries that will appear with this setting in place:

[bash]
Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8699 REFUSED
Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:19461 REFUSED
Nov 15 11:19:08 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8920 REFUSED
Nov 15 11:19:09 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:41155 REFUSED
[/bash]
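To turn the manual `tail | grep` check above into something repeatable, here is an added example (not part of the original post) that parses snmpd "Connection from UDP" lines, counts hits per source, flags sources that are not the monitoring server, and renders the hosts.allow stanza from the update. The sample log lines and the monitoring address 192.0.2.10 are constructed stand-ins for the masked x.x values in the post.

```python
import re
from collections import Counter

# Matches the snmpd log format shown in the post; the REFUSED suffix appears once hosts.allow is in place.
LINE_RE = re.compile(r"snmpd\[\d+\]: Connection from UDP: \[([\d.]+)\]:\d+( REFUSED)?")

# Constructed sample lines modelled on the post's output (masked octets replaced with documentation ranges).
SAMPLE_LOG = """\
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [203.0.113.5]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [203.0.113.5]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [192.0.2.10]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [192.0.2.10]:41150
Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [203.0.113.9]:8699 REFUSED
"""


def summarize_snmp_sources(log_text):
    """Count accepted and refused snmpd connections per source IP.
    Returns a pair of Counters: (accepted, refused)."""
    accepted, refused = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ip, was_refused = m.group(1), m.group(2) is not None
        (refused if was_refused else accepted)[ip] += 1
    return accepted, refused


def unexpected_sources(log_text, allowed):
    """Return (ip, hits) for sources that reached snmpd but are not in the monitoring allowlist,
    most active first. These are the candidates for a csf -d or a hosts.allow review."""
    accepted, _ = summarize_snmp_sources(log_text)
    return [(ip, n) for ip, n in accepted.most_common() if ip not in allowed]


def hosts_allow_lines(allowed):
    """Render the /etc/hosts.allow stanza from the post: allow the monitoring hosts, deny everything else."""
    rules = [f"snmpd : {ip} : allow" for ip in sorted(allowed)]
    rules.append("snmpd : ALL : deny")
    return rules


if __name__ == "__main__":
    monitoring = {"192.0.2.10"}  # assumed monitoring server address (constructed)
    for ip, n in unexpected_sources(SAMPLE_LOG, monitoring):
        print(f"{ip} hit snmpd {n} times and is not a monitoring host")
    print("\n".join(hosts_allow_lines(monitoring)))
```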

*This article is from a translation.


By admin
