Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
Andrew Cutler wrote:
]
]Correct me if I read this wrong but the attacker has to guess the SNMP
]community name, so unless it's left as default it's going to be pretty hard
]to find. IMHO if you leave a system open to the internet with defaults you're
]begging for trouble.
I personally agree with this completely, but I guess the complaint is
that by default snmp write is enabled, with a default community name....
as opposed to hardware that has it disabled by default, so if you
know nothing about snmp your safe without changing anything.
by the way, I also wanted to add one more thing... Of course this
still doesn't help people who aren't aware of snmp and don't change
the defaults, but I *HIGHLY* recommend setting
ethernet -> mod config -> snmp options -> Security=Yes
and then explicitly listing the RD & WR managers. That way even
with the community names, the snmp queries will only be accepted
from those defined locations. snmp isn't all that secure...
community names are passed on the network in clear text...so
anyone with access to a network that your snmp packet is traversing
can easily pick up your community names. But at least by doing
the above, they will also have to spoof your IP address in order to
use the community names to do any damage.
___________________________________________________________________________
Joe Pautler, E.I.T. University at Buffalo
CIT/OSS Network Engineering 224 Computing Center
http://www.oss.buffalo.edu/~pautler (716) 645-3536
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
Follow-Ups:
References: