
How to prevent SNMP: Auth. failure, intruder IP messages from filling up the device log?

Question
This article relates to users continuously seeing the following intruder messages that clutter the device log:

Nov 28 11:17:18:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:15:31:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:15:05:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:52:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:50:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:03:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:55:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:53:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:45:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:14:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:08:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:13:04:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Answer
These logs indicate that something is trying to access the device via SNMP and failing authentication. The messages can be useful for identifying malicious activity. However, if users would like to stop the messages from appearing in the log, they can try the following options:

1. Create a receive access-list. rACLs are used to filter CPU-bound traffic that is trying to reach any in-band IP address on the switch. Below is an example that blocks all SNMP traffic. Please note, users will want to adjust the access-list so that legitimate SNMP traffic (for example, from the network management station) is permitted by an entry ahead of the deny, depending on the application:

access-list 100 deny udp any any eq snmp
access-list 100 permit ip any any
ip receive access-list 100 sequence 10


Note(s):
  • If editing an existing ACL, remember to rebind the ACL to the interfaces with the command ip rebind-acl <acl name>
  • rACLs are never applied on the out-of-band management port. If this needs to be applied on the out-of-band management port, go to the management interface and apply the ACL inbound.
2. Starting with 5400a code, there is a command to stop these messages from showing in the log. This does not block the traffic the way an ACL does; it only prevents the messages from appearing in the log. Use the command no logging enable snmp-auth-failure to enable this feature.

Note(s):
  • Users may see aggressive SNMP probes from the following public internet IP addresses:
69.175.126.170
184.154.42.194
173.236.44.98
69.175.54.106
173.236.30.122
96.127.150.218
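Before choosing between an rACL and silencing the log, it helps to know which sources are actually probing and which are trusted stations with a wrong community string. The following Python script is an added example, not part of the article or the switch vendor's tooling: it parses the device's "Auth. failure, intruder IP" lines, counts failures per source, measures the densest burst inside a time window, and labels each source. Six log lines are copied from the article; the 10.0.0.5 line, the trusted-NMS address, the window, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Six failure lines copied from the article plus one constructed line from a
# hypothetical in-house NMS (10.0.0.5) to exercise the "trusted source" branch.
SAMPLE_LOG = """\
Nov 28 11:17:18:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:15:31:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:15:05:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:52:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:50:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:14:03:I:SNMP: Auth. failure, intruder IP: 69.175.126.170
Nov 28 11:12:40:I:SNMP: Auth. failure, intruder IP: 10.0.0.5
"""
LINE_RE = re.compile(  # "Mon DD HH:MM:SS:<sev>:SNMP: Auth. failure, intruder IP: <ip>"
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d):"
    r"[A-Z]:SNMP: Auth\. failure, intruder IP: (?P<ip>[\d.]+)$"
)

def parse_line(line, year=2023):
    """Return (timestamp, ip) for an auth-failure line, else None; the stamp has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]

def summarize(log_text, window_seconds=300, threshold=5, trusted=frozenset()):
    """Per source IP: total failures, densest burst within any window, and a verdict."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed[0])
    report = {}
    for ip, stamps in events.items():
        stamps.sort()
        burst, start = 0, 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if ip in trusted:
            verdict = "trusted source: check its community string or credentials"
        elif burst >= threshold:
            verdict = "probe: candidate for an rACL deny rather than silencing the log"
        else:
            verdict = "below threshold"
        report[ip] = {"count": len(stamps), "burst": burst, "verdict": verdict}
    return report
```

Run summarize(SAMPLE_LOG, trusted={"10.0.0.5"}) against a saved copy of the device log to see which addresses belong in the rACL deny and which indicate a misconfigured management station.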