Hi,

On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
> On 19/09/2022 15:40, Gert Doering wrote:
> > On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp
> > wrote:
> >> Recently Shodan has been showing how it probes all our IOS-XE routers
> >> via SNMP even though we have an ACL on all our SNMP. We then found that
> >> there is a bugid on the issue (ILMI can't be blocked by ACL):
> >> CSCvs33325
> >
> > Is that still a thing? Insane.
> Indeed.

Just for reference, here's the 2001 bug. With full PSIRT "get free
software upgrade" parts...

https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html

[..]
> > That said, I tried to reproduce it on our boxes, and neither the ASR920
> > nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
> > "ILMI", with nothing in the config to block it (same source host can
> > query with one of the configured SNMP communities). This is on IOS XE
> > 16.6.10 and 15.5(3)S10 respectively. Seems you need something extra.
>
> It is V3. Here is a Shodan snippet from one of dozens of alerts we get
> per day:

Good to know. Looking at shodan, I see that both types of devices here
are listed as well (ewww!).

So, need to figure out what the magic -v3 incantation of snmpget is to
make this work... (every time I tried v3 so far has led to "more grey
hair").

thanks for the heads up

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/