[c-nsp] How to disable ILMI/SNMP CSCvs33325
Simon Leinen
simon.leinen at switch.ch
Tue Sep 20 08:54:23 EDT 2022
Gert Doering via cisco-nsp writes:
> Hi,
> On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
>> On 19/09/2022 15:40, Gert Doering wrote:
> https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html
> [..]
>> > That said, I tried to reproduce it on our boxes, and neither the ASR920
>> > nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
>> > "ILMI", with nothing in the config to block it (same source host can
>> > query with one of the configured SNMP communities). This is on IOS XE
>> > 16.6.10 and 15.5(3)S10 respectively. Seems you need something extra.
>>
>> It is V3. Here is a Shodan snippet from one of dozens of alerts we get
>> per day:
> Good to know. Looking at shodan, I see that both types of devices here
> are listed as well (ewww!).
> So, need to figure out what the magic -v3 incantation of snmpget is
> to make this work... (every time I tried v3 so far has led to
> "more grey hair").

Yeah, I'd like to reproduce/understand that too. I actually remember
both ILMI (in ATM, sigh) and SNMPv3. One of SNMPv3's distinguishing
features is that it DOESN'T use community strings anymore. So I'm a bit
confused as to what the problem is. Is there some implicit mapping from
SNMPv1/2c communities to SNMPv3 usernames/passwords? Or are the Shodan
reports referring to information leaks from SNMPv3 engine-ID discovery?
(e.g. CSCtw74132)

Cheers,
--
Simon.