How can I make the "SNMP: Auth. failure, intruder IP" log message invisible on ICX

hwang_chimyung
New Contributor

Here is an example of logs that contain SNMP authentication failures.

Apr 20 14:47:03:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 14:10:13:I:SNMP: Auth. failure, intruder IP:  170.130.187.xx
Apr 20 14:03:04:I:SNMP: Auth. failure, intruder IP:  104.140.188.xx
Apr 20 13:57:19:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:20:25:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:14:32:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:01:18:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 11:53:57:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 11:19:51:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 11:12:41:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 10:54:25:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx

This is not simply a failed log, but an unspecified user keeps trying.

So I applied the snmp access-list, but the same log occurs.

Even if snmp-client is configured, only the log message is changed by rejection, but it still occurs.

The "no logging enable snmp-auth-failure" command has been added to Extreme switches that have the same roots as the Brocade ICX OS.

Are there any similar or identical features in Ruckus ICX? Please give me some advice on how to stop it.

1 ACCEPTED SOLUTION

Orlando_Elias
RUCKUS Team Member

Hello hwang_chimyung

I would like you to try with the command 'no snmp-server enable traps authentication'

Please let us know the results.

With regards,
--
Orlando Elias
Technical Support

3 REPLIES 3

hwang_chimyung
New Contributor
 

Hello hwang_chimyung

I'm happy to know it worked!

I would just consider the load this rough traffic could represent to your network. If these are known IP addresses I'd try to disable from its source any continuous scanning to any SNMP hosts.

If we don't know them, then we should apply an ACL in the firewall to prevent such traffic into your network.

I'm happy to help 🙂

With regards,
--
Orlando Elias
Technical Support
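
To support the advice above about blocking unknown sources with a firewall ACL, here is an added example (not part of the original thread and not RUCKUS code) that tallies the failures per source from the log format shown in the question. The function names, the threshold of 3 and the default year are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format taken from the log lines in the question; the last octet may be masked as "xx".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}):\w:SNMP: Auth\. failure, "
    r"intruder IP:\s+(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.(?:\d{1,3}|xx))\s*$"
)
# Lines copied from the question (masked by the poster, so hosts in one /24 collapse together).
SAMPLE = """\
Apr 20 14:47:03:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 14:10:13:I:SNMP: Auth. failure, intruder IP:  170.130.187.xx
Apr 20 14:03:04:I:SNMP: Auth. failure, intruder IP:  104.140.188.xx
Apr 20 13:57:19:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:20:25:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:14:32:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 13:01:18:I:SNMP: Auth. failure, intruder IP:  147.203.255.xx
Apr 20 11:53:57:I:SNMP: Auth. failure, intruder IP:  104.206.128.xx
Apr 20 11:19:51:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 11:12:41:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
Apr 20 10:54:25:I:SNMP: Auth. failure, intruder IP:  185.94.111.xx
"""

def summarize(text, year=2000):
    """Group failures by source. The log carries no year, so `year` is an assumed value."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    skipped = 0  # non-empty lines that are not SNMP auth-failure entries
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1 if line.strip() else 0
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["ip"]]
        s["count"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats), skipped

def repeat_sources(stats, min_count=3):
    """Sources with at least min_count failures (assumed threshold), busiest first."""
    hits = [(ip, s["count"]) for ip, s in stats.items() if s["count"] >= min_count]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    stats, _ = summarize(SAMPLE)
    for ip, n in repeat_sources(stats):
        print(f"{ip:16} {n}  {stats[ip]['first']:%H:%M:%S}-{stats[ip]['last']:%H:%M:%S}")
```

Run it against the log before suppressing the message, so the list of repeat sources for the firewall ACL is captured while the entries are still being recorded.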