[jamesr@rd.bbc.co.uk: Warning: Cisco RW community backdoor.]

----- Forwarded message from "James A. T. Rice" <jamesr(a)rd.bbc.co.uk> -----

Date: Tue, 27 Feb 2001 00:39:38 +0000 (GMT)
From: "James A. T. Rice" <jamesr(a)rd.bbc.co.uk>
X-Sender: <jamesr(a)inet15>
To: <members(a)lonap.net>, <ops(a)linx.net>
Subject: Warning: Cisco RW community backdoor.
Precedence: bulk

If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:

    conf t
    snmp-server community ILMI RO 99
    access-list 99 deny any log

(pick another spare access-list if 99 isn't available)

If you don't, assuming your ios/hardware combination supports it, (most of the bigger routers do) anyone can do things like:

`snmpset router.isp.net.uk ILMI system.sysName.0 s \ "ALL YOUR ROUTER ARE BELONG TO US."`

That's a harmless example. You can do almost anything with RW snmp.

Warm Regards
James

--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

----- End forwarded message -----

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Unless you have IOS 11.1 where this doesn't work :)

"no snmp-server" seems to work -- of course you lose snmp completely. Perhaps there are lesser measures for those with more time to experiment?

--cw

----- Forwarded message from "James A. T. Rice" <jamesr(a)rd.bbc.co.uk> -----

If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:

    conf t
    snmp-server community ILMI RO 99
    access-list 99 deny any log

(pick another spare access-list if 99 isn't available)

--
Chris Wedgwood
chris.wedgwood(a)clear.co.nz

On Tue, 27 Feb 2001, Chris Wedgwood wrote:

> Unless you have IOS 11.1 where this doesn't work :)
> "no snmp-server"

11.2 seems to require the same treatment.

David Robb
---
Senior Network Engineer
IHUG NZ
"The Earth is a single point of failure"

Hmm, I wonder if access listing the ILMI community will break CWSI Campus discovery? It uses CDP and ILMI to discover neighbouring devices.

Never a dull moment.... :-)
participants (4): Chris Wedgwood, David Robb, Gordon Smith, Joe Abley
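A way to check saved configurations against the workarounds discussed in this thread, as an added example that is not code from any of the posters: it reports whether the ILMI community is pinned to an access-list whose first entry is `deny any`, and flags IOS 11.1/11.2, where the replies report that only `no snmp-server` works. The status names and sample configs are constructed for illustration, and it assumes the saved config carries a `version` line and, where SNMP was turned off, a literal `no snmp-server` line.

```python
import re

# IOS versions the thread reports as NOT fixed by the access-list workaround.
ACL_INEFFECTIVE = ("11.1", "11.2")
COMMUNITY = re.compile(r"snmp-server community ILMI (RO|RW)(?: (\d+))?$")


def audit_ilmi(config: str) -> str:
    """Classify one IOS config text; returned status names are hypothetical."""
    lines = [line.strip() for line in config.splitlines()]
    version = next((l.split()[1] for l in lines if re.match(r"version \S+", l)), "")
    if "no snmp-server" in lines:
        return "snmp-disabled"
    match = next(filter(None, (COMMUNITY.match(l) for l in lines)), None)
    if match is None:
        # No explicit ILMI line: the workaround from the thread was never applied.
        return "workaround-missing"
    mode, acl = match.groups()
    if mode != "RO" or acl is None:
        return "ilmi-unrestricted"
    # Standard ACLs are first-match, so only a leading "deny any" blocks everyone.
    entries = [l.split()[2:] for l in lines if l.startswith(f"access-list {acl} ")]
    if not entries or entries[0][:2] != ["deny", "any"]:
        return "acl-not-deny-any"
    if version.startswith(ACL_INEFFECTIVE):
        return "acl-reported-ineffective"
    return "acl-applied"


# Constructed sample configs (not taken from any real router).
ACL_FIX = "snmp-server community ILMI RO 99\naccess-list 99 deny any log\n"
SAMPLES = {
    "fixed": "version 12.0\n" + ACL_FIX,
    "old-ios": "version 11.2\n" + ACL_FIX,
    "disabled": "version 11.1\nno snmp-server\n",
    "untouched": "version 12.0\nsnmp-server community public RO\n",
    "permissive": "version 12.0\nsnmp-server community ILMI RO 99\n"
                  "access-list 99 permit 192.0.2.0 0.0.0.255\n"
                  "access-list 99 deny any log\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12} {audit_ilmi(text)}")
```

A config check like this only shows that the workaround was entered; the `snmpwalk` test from the original message is still what confirms the router no longer answers to the community.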