Mon, May 17, 2021 4:29 AM

How can I make it invisible SNMP: Auth. failure, intruder IP log message on ICX

Here is an example of logs containing SNMP authentication failures.

Apr 20 14:47:03:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 14:10:13:I:SNMP: Auth. failure, intruder IP:  170.130.187.xx
Apr 20 14:03:04:I:SNMP: Auth. failure, intruder IP:  104.140.188.xx
Apr 20 13:57:19:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:20:25:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:14:32:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:01:18:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 11:53:57:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 11:19:51:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 11:12:41:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 10:54:25:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx

This is not simply a failed log, but an unspecified user keeps trying.

So I applied the snmp access-list, but the same log occurs.

Even when snmp-client is configured, the log message only changes to a rejection; it still occurs.

The "no logging enable snmp-auth-failure" command has been added to extreme switches that have the same roots as the Brocade ICX OS.

Are there any similar or identical features in Ruckus ICX? Please give me some advice on how to stop it.

Responses

Accepted Solution

Employee


Hello hwang_chimyung

I would like you to try with the command 'no snmp-server enable traps authentication'

Please let us know the results.

--

Orlando Elias

Ruckus TAC


Hello orlando_elias

That's a great answer

Thank you so much

I solved it through that setting 👍

Even if the function is disabled, are there any additional considerations?

Employee


Hello hwang_chimyung

I'm happy to know it worked!

I would just consider the load this rogue traffic could represent to your network. If these are known IP addresses I'd try to disable from its source any continuous scanning to any SNMP hosts.

If we don't know them, then we should apply ACL in the firewall to prevent such traffic into your network.

I'm happy to help :)

--

Orlando Elias

Ruckus TAC
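Before silencing the message, it is worth aggregating it: the per-source counts tell you which addresses are one-off failures and which are continuous scanners that belong in the firewall or snmp access-list, as the answer above suggests. The following script is an added example (not from the thread or from Ruckus) that parses the ICX "SNMP: Auth. failure, intruder IP:" line format quoted in the question; the sample lines are constructed with documentation addresses, the year is assumed (ICX log timestamps carry none), and the repeat threshold of 3 is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the ICX log lines quoted in the question
# (the question masks its addresses with "xx"; these use documentation ranges).
SAMPLE_LOG = """\
Apr 20 14:47:03:I:SNMP: Auth. failure, intruder IP:  203.0.113.10
Apr 20 14:10:13:I:SNMP: Auth. failure, intruder IP:  198.51.100.7
Apr 20 13:57:19:I:SNMP: Auth. failure, intruder IP:  192.0.2.44
Apr 20 13:20:25:I:SNMP: Auth. failure, intruder IP:  192.0.2.44
Apr 20 13:14:32:I:SNMP: Auth. failure, intruder IP:  192.0.2.44
Apr 20 13:01:18:I:SNMP: Auth. failure, intruder IP:  192.0.2.44
Apr 20 12:30:00:I:SYSTEM: Interface ethernet 1/1/1, state up
Apr 20 11:53:57:I:SNMP: Auth. failure, intruder IP:  203.0.113.10
"""

# ICX format: "Mon DD HH:MM:SS:<severity>:SNMP: Auth. failure, intruder IP:  <addr>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}):"
    r"(?P<sev>[A-Z]):SNMP: Auth\. failure, intruder IP:\s+(?P<ip>\S+)\s*$"
)

def parse_failures(text, year=2021):
    """Yield (timestamp, ip) for each SNMP auth-failure line; other lines are skipped.
    The year is an assumption: ICX log lines do not carry one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]

def summarize(text, threshold=3, year=2021):
    """Per-source rows sorted by failure count; 'repeat' marks ACL candidates."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(text, year):
        by_ip[ip].append(ts)
    rows = [{"ip": ip, "count": len(stamps), "first_seen": min(stamps),
             "last_seen": max(stamps), "repeat": len(stamps) >= threshold}
            for ip, stamps in by_ip.items()]
    rows.sort(key=lambda r: (-r["count"], r["ip"]))
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        flag = "REPEAT" if r["repeat"] else ""
        print(f"{r['ip']:<16} {r['count']:>3}  {r['first_seen']:%b %d %H:%M:%S}"
              f" .. {r['last_seen']:%b %d %H:%M:%S}  {flag}")
```

Feed it the switch's `show log` output (or the syslog export) instead of the sample to get the same table for your own sources.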
