TAC Xenta Server SNMP settings - Changing and disabling

NOTICE

POTENTIAL FOR DATA LOSS.
The steps detailed in the resolution of this article may result in a loss of critical data if not performed properly. Before beginning these steps, make sure all important data is backed up in the event of data loss. If you are unsure, please contact Product Support Services prior to attempting the procedure below.

Issue

There is no clear guidance on how to handle the SNMP settings for TAC Xenta Servers.

Product Line

TAC Vista

Environment

TAC Xenta Server

TAC XBuilder

SNMP

Cause

Previously the SNMP feature has not been widely used and has not been a security concern.

There are two types or flavors of SNMP. One is for browsing a device to get information about it (SNMP Agent), and the other is to automatically send alarms from a given device to a central alarm system (SNMP Alarm Trap).

Now, according to reports from the field, IT departments are starting to get concerned about the SNMP feature in Xenta Servers. A general overview of how SNMP can be used maliciously for intrusion can be studied here.

Normally the IT department requests that:
[1] The default community string is changed
[2] SNMP is disabled

Here is an example of what you see when you browse a Xenta Server (having the correct Xenta Server MIB file) using an SNMP browser such as "MIB Browser" from iReasoning.

 

Here is an example of alarms received from a Xenta Server via SNMP.

Resolution

All (or most) SNMP settings are changed through TAC XBuilder.

 

The first step is to change the default community name. If the community name is either "private" or "public" (the latter is the default), the Xenta Server can be browsed without knowing the name. Simply change the name in "Community Name" and "Trap Community Name". Download all project files to the Xenta Server afterwards.

 

Now when you try to browse the Xenta Server from the SNMP agent without first defining the community name, you will not be able to retrieve data.

 

Next, we can disable the SNMP Alarm Trap. Download all project files to the Xenta Server afterwards. After that, alarms will no longer be sent to the configured IP address.

 


The following are advanced steps to change the ports used for SNMP (161 and 162).


If the settings described above are not enough, we can change the port numbers used for SNMP. This is, however, a little more complicated. You need to connect to the Xenta Server using FTP (note that FTP access may be disabled; refer to Article #5504 if unsure how to enable it) and fetch the following file: /sys/system/snmp.cfg

1: Open the file in notepad

2: Change the two port numbers as below. You can choose other port numbers, but it is crucial that they are not the same as any other ports used by the Xenta Server.

3: Upload the changed file to the same location on the Xenta Server

4: Download the project from TAC XBuilder, choosing to download all files

5: You now get this message

6: Here you must click "Target system" or the changed settings are overwritten

7: Note that the port numbers defined in XBuilder have not changed yet

8: Save the project and close XBuilder

9: Open the project again

10: You will now see that the port numbers have the value you defined in the file earlier

11: Now when you try browsing the Xenta Server with an SNMP tool, you can no longer connect on the default port 161
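
To confirm the result of the steps above from a workstation, the following Python check sends an SNMP GetRequest for sysDescr.0 and reports whether the default community names or the default port still answer. It is an added example, not part of the original article or of any TAC tool. It assumes the Xenta Server accepts SNMPv1 requests; the host address, community name and port in the last lines are placeholders.

```python
import socket

SYS_DESCR_OID = bytes.fromhex("2b06010201010100")  # BER body of 1.3.6.1.2.1.1.1.0 (sysDescr.0)

def tlv(tag, payload):
    """BER tag-length-value; short-form length is enough for these small packets."""
    if len(payload) > 127:
        raise ValueError("payload too long for short-form BER length")
    return bytes([tag, len(payload)]) + payload

def ber_int(n):
    """Minimal BER INTEGER encoding for a non-negative value."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_get_request(community, request_id=1, version=0):
    """SNMP GetRequest for sysDescr.0; version 0 = SNMPv1 (assumed), 1 = SNMPv2c."""
    varbind = tlv(0x30, tlv(0x06, SYS_DESCR_OID) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode("ascii")) + pdu)

def agent_answers(host, port, community, timeout=2.0):
    """True if any UDP reply comes back for this community on this port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_get_request(community), (host, port))
            sock.recvfrom(4096)
            return True
        except OSError:  # timeout or ICMP port unreachable: nothing answered
            return False

def audit(host, new_community, new_port=161, timeout=2.0):
    """Return a list of findings; an empty list means the changes took effect."""
    findings = []
    for name in ("public", "private"):
        for port in {161, new_port}:
            if agent_answers(host, port, name, timeout):
                findings.append(f"default community '{name}' still answered on port {port}")
    if new_port != 161 and agent_answers(host, 161, new_community, timeout):
        findings.append("agent still listening on default port 161")
    if not agent_answers(host, new_port, new_community, timeout):
        findings.append(f"no answer for the new community on port {new_port}")
    return findings

if __name__ == "__main__":
    # Placeholder values: substitute your own Xenta Server address, community and port.
    for line in audit("192.0.2.10", "example-community", new_port=161, timeout=1.0) or ["OK"]:
        print(line)
```

SNMP runs over UDP, so a single lost packet looks the same as a rejected request; repeat the check before treating a "no answer" finding as final.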