Logging Unauthorized SNMP Attempts

Jul 21, 2008 by admin

Problem

You want to log unauthorized SNMP attempts.

Solution

Use the following commands to configure your router to log unauthorized SNMP requests:

    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
    Router(config)#access-list 99 permit host 10.1.1.1
    Router(config)#access-list 99 deny any log
    Router(config)#snmp-server community ORARO ro 99
    Router(config)#snmp-server community ORARW rw 99
    Router(config)#end
    Router#

Discussion

If you are concerned about unauthorized access to SNMP services on your router, it can be quite useful to configure the router to maintain detailed records of every failed request. These verbose log messages can provide information on incorrectly configured management servers as well as malicious (or just plain nosy) users. Simply adding the keyword log to the deny any line in your access-list instructs the router to log all unauthorized SNMP attempts.

The following command will display the status of your SNMP access-list:

    Router#show access-list 99
    Standard IP access list 99
        permit 10.1.1.1 (1293 matches)
        permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
        deny   any log (17 matches)
    Router#

Unlike the example shown in Recipe 17.6, the show access-list output now includes the log keyword on the deny any line. The router will now send information on every unauthorized SNMP request to the logging facility (see Chapter 18 for more information on logging).

Use the show logging EXEC command to view the router's internal logging buffer:

    Router#show logging
    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
        Console logging: disabled
        Monitor logging: level debugging, 26 messages logged
            Logging to: vty2(0)
        Buffer logging: level debugging, 49 messages logged
        Trap logging: level informational, 53 message lines logged
            Logging to 172.25.1.1, 53 message lines logged
            Logging to 172.25.1.3, 53 message lines logged

    Log Buffer (4096 bytes):
    Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
    Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
    Router#

This example shows that access-list 99, our SNMP access-list, has denied access attempts from two IP source addresses, 192.168.22.13 and 10.121.212.11. The final logging entry shows that the ACL denied three packets from source address 10.121.212.11. Note that not every packet received results in a separate log entry; a single message can account for several packets, as that three-packet entry shows. If you are building a custom script to extract failed SNMP attempts, you will need to keep this in mind.
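Because one log entry can account for several packets, a script that extracts failed SNMP attempts has to sum the per-message packet counts rather than count lines. The following Python script is an added illustration, not part of the original recipe and not Cisco IOS code: it parses %SEC-6-IPACCESSLOGS messages in the format shown above and totals denied packets per source address, separately from the number of log entries per source. The sample log lines are constructed (the two entries from the recipe plus an unrelated message and a second entry for 10.121.212.11), and the regular expression is an assumption based only on the output format the recipe shows.

```python
"""Total denied packets per source from Cisco IOS %SEC-6-IPACCESSLOGS messages.

Added example; the sample lines below are constructed for this script and the
message pattern is assumed from the show logging output in the recipe.
"""
import re
from collections import defaultdict

# Standard-ACL log format shown in the recipe, e.g.
#   Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
# Only the message body is matched so that any timestamp prefix is tolerated.
IPACCESSLOGS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS:\s+list\s+(?P<acl>\S+)\s+denied\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<count>\d+)\s+packets?\b"
)

# Constructed sample input: recipe entries, a non-ACL message, and a later
# second entry for the same source to show aggregation across messages.
SAMPLE_LOG = """\
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:35:02: %SYS-5-CONFIG_I: Configured from console by console
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Apr 15 22:44:07: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 2 packets
"""


def parse_denials(text, acl="99"):
    """Yield (timestamp, source, packets) for each denial logged by the given ACL."""
    for line in text.splitlines():
        m = IPACCESSLOGS_RE.search(line)
        if m is None or m.group("acl") != acl:
            continue
        # Whatever precedes the message is the router's timestamp prefix.
        timestamp = line[:m.start()].rstrip(": ").strip()
        yield timestamp, m.group("src"), int(m.group("count"))


def denied_packets_by_source(text, acl="99"):
    """Total denied packets per source address.

    Each message carries a packet count, so counts are summed rather than
    counting lines; a single entry may stand for several packets.
    """
    totals = defaultdict(int)
    for _ts, src, count in parse_denials(text, acl):
        totals[src] += count
    return dict(totals)


def denial_events_by_source(text, acl="99"):
    """Number of log entries per source, which is not the packet total."""
    events = defaultdict(int)
    for _ts, src, _count in parse_denials(text, acl):
        events[src] += 1
    return dict(events)


if __name__ == "__main__":
    events = denial_events_by_source(SAMPLE_LOG)
    for src, pkts in sorted(denied_packets_by_source(SAMPLE_LOG).items()):
        print(f"{src:<16} {pkts} packet(s) denied by ACL 99 in {events[src]} log entry(ies)")
```

Feed the script the contents of show logging (or the syslog file the router's trap logging writes to) in place of SAMPLE_LOG; the acl parameter selects which access-list's denials to count when several logging ACLs share a buffer.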