APC and SNMP Attack

jpro
Mega Contributor

When discovery encounters our APC UPS devices it detects and adds the device. Then the administrators call due to the "Unauthorized" SNMP access attempts. I can see the credentials in the affinity table but it appears that each time there are five additional attempts during the discovery of each APC unit (and generating an e-mail to the admins for each).

I am not sure how to debug this issue and locate the cause. Is it possible that the sensor/probe has a portion that is not using the affinity table? The IP addresses are static so I understand during the first scan but thought subsequent scans would avoid the unauthorized attempts.

Any suggestions would be great.

Jim

12 REPLIES

jpro
Mega Contributor

Jon:

We continue to have the same problem, including Berlin HotFix 3. While we turned off the "Public" cred check, the others whip through the affinity table. I was hoping for a timeout parameter for SNMP but there is none for the MID Server.

jpro


jonprivatt
Kilo Contributor

We are still working the issue; I'm hoping there is a setting to get around this broken logic... without changing the community strings on over 8000 devices.

The network guys have been trying to track down some issues and we've been identified as interfering with their efforts.

So far, I've had to shut down 130 discoveries to help with their diagnoses.

We could very well be 100% OFF discovery before the week is out.


sgrant
Kilo Contributor

I tested the credentials, on a small number of APC devices... It appeared to be successful, but when we ran the scan on a larger set of UPS devices, we saw exactly the same behaviour. I have tried re-ordering the credential order but it doesn't seem to make a difference. Every time an SNMP Discovery schedule is run, the network folks see a huge number of "unauthorized access attempt" alerts.

I was exploring using Credential Tagging, but that only applies to Runbook Activities, correct?

What about pre-populating the Credential Affinity table? Has anyone tried that? Did it make a difference at all?

thx
Sandy


jesusemelendezm
Mega Guru

Did someone find the solution to this case? I am having the same issue with APC UPS. After properly configuring SNMP, it keeps alerting on unauthorized attempts.


Marcel H_
Tera Guru

I’m actually having this issue right now on a London production instance. I’ve tested the credentials against the APC UPS and PDU devices, confirmed that an affinity is set with the correct SNMP credential, but any time a scheduled scan of the network that the devices are on occurs, network admins get a ton of alert emails and log entries. The message from the units is “System: Detected an unauthorized user attempting to access the SNMP interface from (MID Server IP)”. It seems that the idea that Discovery isn’t waiting long enough before trying other credentials could be very possible. Is there a way to ensure that no others are used once affinity is set, or adjust the timeout period to be significantly longer?
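
One way to confirm where the alerts come from and whether they arrive in per-scan bursts, as an added example that is not part of any post in this thread: it groups the APC message quoted above by device and source address, and flags any source that is not a known MID Server. The "timestamp device" line prefix, the 120-second burst window and all sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the thread.
MSG = "System: Detected an unauthorized user attempting to access the SNMP interface from"
# Assumed log layout: "<YYYY-MM-DD HH:MM:SS> <device> <message> <source IPv4>".
ALERT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) "
                   + re.escape(MSG) + r" (\d{1,3}(?:\.\d{1,3}){3})")

def group_bursts(lines, window=timedelta(seconds=120)):
    """Group alerts per (device, source) into bursts whose gaps are <= window."""
    events = defaultdict(list)
    for line in lines:
        m = ALERT.match(line.strip())
        if m:  # lines that are not the SNMP alert are ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[(m.group(2), m.group(3))].append(ts)
    bursts = []
    for (device, src), stamps in events.items():
        stamps.sort()
        start, prev, count = stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - prev <= window:
                count += 1
            else:  # gap too long: close the burst and start a new one
                bursts.append((device, src, start, count))
                start, count = ts, 1
            prev = ts
        bursts.append((device, src, start, count))
    return sorted(bursts, key=lambda b: (b[2], b[0], b[1]))

def triage(lines, mid_servers, window=timedelta(seconds=120)):
    """Label each burst as Discovery noise or a source that needs a closer look."""
    return [(device, src, start.isoformat(sep=" "), count,
             "discovery" if src in mid_servers else "investigate")
            for device, src, start, count in group_bursts(lines, window)]

def sample_log():
    """Constructed sample: two nightly scans from 192.0.2.10 plus one other source."""
    lines = [f"2024-01-10 02:00:0{i} ups-a {MSG} 192.0.2.10" for i in range(5)]
    lines += [f"2024-01-11 02:00:0{i} ups-a {MSG} 192.0.2.10" for i in range(5)]
    lines.append(f"2024-01-10 13:45:00 ups-a {MSG} 198.51.100.7")
    lines.append("2024-01-10 13:46:00 ups-a System: Web user logged in")  # not an alert
    return lines

if __name__ == "__main__":
    for row in triage(sample_log(), mid_servers={"192.0.2.10"}):
        print(row)
```

Bursts that line up with the Discovery schedule and come only from the MID Server address point at credential probing during the scan; anything labelled "investigate" is unrelated to Discovery and should be handled as a separate event.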