
Security Metrics scan failed for SNMP

Discussion in 'Security' started by rezman, Dec 14, 2011.

  1. rezman (Well-Known Member; cPanel Access Level: Root Administrator)
    Quote from their scan results
    1st. I'm currently running net-snmp-5.3.2.2-14.el5_7.1.x86_64. I did a yum and updated to this version but their scan still fails.
    2nd. I blocked both tcp/udp inbound in iptables ports 161:162 (still allow 127.0.0.1 however) and I can see packets have been blocked yet the scan still fails.

    I have searched the rpm -q --changelog net-snmp but can't find anything that I could send them to prove this is a false positive.

    I'm getting very annoyed with this company and the client is getting charged extra each week. Any input as to how I can fix this without having to uninstall the Munin Service Monitor?
     
  2. JeffP. (Well-Known Member)
    How are you blocking the UDP ports? Are you dropping all inbound UDP 161/162 traffic (excluding localhost as mentioned), or rejecting it, such as with an ICMP port unreachable message? I'm guessing they're flagging the service as still running because their traffic is being dropped with no response, which could indicate that the port is listening in some scanners.

    You may want to try rejecting their UDP 161/162 traffic with an ICMP port unreachable. More info on the ICMP types that can be used with iptables can be found using this command:

    # iptables -p icmp -h


    Regarding the output from their report, they mention CVEs from 2002. It should be more than sufficient to provide them with the output of "rpm -q net-snmp", which they can then check on their own to see when that version was released.

    So, you can maybe try to use iptables to trick their scanner into thinking that UDP 161/162 are closed, or perhaps they'll be responsive to the fact that the OS is most certainly not running SNMP services that are nearly 10 years old.

    Best of luck. I'd love to hear which option(s) you try, as well as what works and what does not.
     
  3. rezman (Well-Known Member; cPanel Access Level: Root Administrator)
    The iptables rules that I'm using are:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT udp -- 127.0.0.1 0.0.0.0/0 udp spts:1024:65535 dpts:161:162
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:161:162 reject-with icmp-port-unreachable
    REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:161:162 reject-with icmp-port-unreachable


    I emailed the company with a dispute hoping they will accept it. We'll see how it turns out.
     