How to prevent a server being used in an SNMP amplification attack with the sonicboxes.com script?
Hello, one of my VPSs has been nullrouted by the datacenter for being used in an "SNMP reflection attack". How can I prevent the SNMP server on this machine from being used like this? I have also had another dedicated server IP nullrouted by the same datacenter, but not at any other provider.
I have even edited the snmpd config as @kcaj suggested so only one IP is allowed; does anyone else have any ideas? I used the script from https://www.sonicboxes.com/observium-client-install-script and edited the config as follows (216.100.100.100 is the IP of my Observium server, replaced for obvious reasons).
com2sec readonly 216.100.100.100 40pluscharacterstring
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation Los Angeles, CA
syscontact *****@gmail.com
#This line allows Observium to detect the host OS if the distro script is installed
extend .1.3.6.1.4.1.2021.7890.1 distro /usr/bin/distro
Your machine has been used as part of an SNMP reflection attack, and we have null routed the source IP xx.xx.xx.xx. We will continue to monitor this situation, the null route may remain in place for up to 4 hours. Restricting access to your SNMP enabled devices can help prevent this issue from occurring.
Comments
iptables port 161, only allow access from individual IPs that need to have access.
Just use iptables to lock that port down to that IP if something doesn't work.
I have nearly the same config as you, never had any issues or something like that.
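The two mitigations discussed in this thread are restricting the com2sec source in snmpd.conf and firewalling UDP/161 with iptables. The following is an added example, not code from the thread or from the sonicboxes.com script: a small POSIX shell audit that flags com2sec lines whose source is the net-snmp wildcard "default" (the setting that turns the daemon into an open reflector), and a helper that prints the iptables rules the commenters describe, accepting SNMP only from the manager IP and dropping everything else. The sample configs are constructed inline; the rules are printed for review rather than applied, so the script runs without root.

```sh
#!/bin/sh
# Added example (not from the thread): audit snmpd.conf community sources and
# emit iptables rules that restrict UDP/161 to the monitoring host.

# Read an snmpd.conf on stdin and print every com2sec line whose SOURCE field
# is 'default' (or an explicit 0.0.0.0/0). Such a community answers any host
# on the internet, which is exactly what a reflection attack needs.
audit_com2sec() {
    awk '$1 == "com2sec" && ($3 == "default" || $3 == "0.0.0.0/0") { print }'
}

# Count open communities in a config passed as a string; 0 means clean.
count_open_communities() {
    printf '%s\n' "$1" | audit_com2sec | wc -l | tr -d ' '
}

# Print iptables rules: ACCEPT SNMP from each listed manager IP, DROP the rest.
# Usage: snmp_firewall_rules 216.100.100.100 [more manager IPs...]
snmp_firewall_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p udp --dport 161 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 161 -j DROP"
}

# Constructed sample configs (not files from the poster's server).
# The first is the stock net-snmp style that answers the whole internet;
# the second is the locked-down form from the thread.
OPEN_CONF='com2sec readonly default public
group MyROGroup v2c readonly'

LOCKED_CONF='com2sec readonly 216.100.100.100 40pluscharacterstring
group MyROGroup v2c readonly'

# Demonstration when run directly: report on both configs, then show the rules.
echo "open.conf  : $(count_open_communities "$OPEN_CONF") wildcard community line(s)"
echo "locked.conf: $(count_open_communities "$LOCKED_CONF") wildcard community line(s)"
snmp_firewall_rules 216.100.100.100
```

Pipe a real config through the audit with `audit_com2sec < /etc/snmp/snmpd.conf`; any output means a community is reachable from every source and the firewall rules above are the backstop regardless of what snmpd itself restricts. The DROP rule must come after the ACCEPT rules, since iptables evaluates them in order.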
Yes, both times on CC
I restarted snmpd, and restarted the server since this happened.
I will try iptables, thank you all.
Done.
Cheers!