Configuring SNMP on a Netopia R7220-T Router
To configure SNMP on a Netopia R7220-T router, take the following steps:
- From the main menu, select System Configuration.
Netopia R7220-T v4.6.2
Easy Setup...
WAN Configuration...
System Configuration...
Utilities & Diagnostics...
Statistics & Logs...
Quick Menus...
Quick View...
Return/Enter displays options for the system.
You always start from this main screen.
- From the System Configuration menu, select SNMP (Simple Network Management Protocol)....
System Configuration
Network Protocols Setup...
Filter Sets...
IP Address Serving...
Date and Time...
Console Configuration...
SNMP (Simple Network Management Protocol)...
Security...
Upgrade Feature Set...
Logging...
Return/Enter to set up basic SNMP options (Community Strings, Traps, etc.).
- From the SNMP Setup window, specify the desired SNMP configuration.
SNMP Setup
System Name:
System Location:
System Contact:
Read-Only Community String: public
Read/Write Community String:
Authentication Traps Enable: Off
IP Trap Receivers...
Configure optional SNMP parameters from here.
You can put in whatever name you would like to use for the router in the
System Name field, e.g. Netopia Router, and then hit Enter to advance to the
next field, where you can specify the location, e.g. 1020 Maple Street. Hit
Enter to fill in the System Contact field. The default read-only community
string is public. To prevent others from using that default to access
information from the router, you can provide another community string. You
can provide a read/write community string as well, if you like. If you want
authentication traps sent to another device, enable authentication traps and
specify IP trap receivers. Otherwise, you can leave these as is.
You can return to the main menu, if you wish, by hitting the
Escape key repeatedly to back up through the menus.
If you want a free program to monitor the router via SNMP from a Windows
system, try PRTG Traffic Grapher.
It is fairly straightforward to set up and can even install its own
webserver on the system on which you install it. If you already have webserver
software running on the system on which you install it using port 80, PRTG
will automatically set up its own webserver at port 8080. Or you can choose
a different port, if you prefer. You can specify userids and passwords granted
access to the webserver, where the PRTG graphs are displayed.
FTP Attacks from 221.130.187.49 and 202.57.128.159
The system became unresponsive for a time. I ran kripp and found two systems
conducting FTP brute-force password guessing attempts.
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: poiuyt [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: purple [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: ranger [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: 111111 [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: purple [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: ranger [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: 111111 [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: 123go [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: 000000 [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: Airhead [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: oracle [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: Braves [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: library [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: Sparky [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: linux [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: angela [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: unix [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: brandy [F]
ftp password :: frostdragon.com -> 202.57.128.159.sta.isp-thailand.com :: anna :: amanda [F]
ftp password :: frostdragon.com -> 221.130.187.49 :: james :: cindy [F]
I blocked the 221.130.187.49 system with route add 221.130.187.49 reject.
I then checked DShield to learn if it has been observed attacking other
systems. The DShield report for 221.130.187.49 showed it was first reported
engaged in hostile activity on 2008-02-11 and the last reported incident was
today, 2008-02-13. The IP address is a Chinese address. When I checked the
IP Details for the ports the system was attacking, I found it was listed only
for port 21 attacks, i.e. FTP attacks.
It was also listed at myNetWatchman. The Incident Detail report for that IP
address at myNetWatchman showed the system had been attacking other systems
on port 21 and port 22 (SSH) as well from February 5, 2008 onwards.
I then checked the second system attacking, which was
202.57.128.159.sta.isp-thailand.com. The IP address for it is 202.57.128.159.
Note: a reverse lookup on 202.57.128.159 yields a Fully Qualified Domain Name
(FQDN) of 202.57.128.159.sta.isp-thailand.com, but a forward lookup on
202.57.128.159.sta.isp-thailand.com does not yield an IP address.
I ran an nmap scan of it to see what operating system it was running. I got
the following results:
# nmap -P0 -O 202.57.128.159
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on 202.57.128.159.sta.isp-thailand.com (202.57.128.159):
(The 1588 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
80/tcp open http
111/tcp open sunrpc
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
4444/tcp filtered krb524
8009/tcp open ajp13
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Nmap run completed -- 1 IP address (1 host up) scanned in 173 seconds
Visiting http://202.57.128.159/ with
a browser showed "Welcome to web4.thaibestserver.net".
When I checked DShield for any reports on hostile activity for that IP
address, which is a Thai address, I found it was first reported engaged in
hostile activity on 2008-02-08 with the most recent report dated 2008-02-09
(see IP Info (202.57.128.159)). The IP Details 202.57.128.159 report showed
all of the incidents to be FTP attacks. There was also an Incident Detail
report for it at myNetWatchman, which also showed the system engaged in FTP
attacks from February 6 onwards.
I blocked it with route add 202.57.128.159 reject.
I also turned off the FTP service on the system, since it isn't needed
at the moment.
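The tally done by eye on the output above can be scripted. This is an added example, not part of the original post: it groups password-attempt lines by remote host and lists the hosts that tried several different passwords, each with the route command used above. The sample lines are constructed, and the function names, the threshold and the reading of [F] as a failed login are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the output shown above (documentation
# addresses and made-up guesses, not the captured data).
SAMPLE = """\
ftp password :: server.example -> 192.0.2.10 :: james :: guess1 [F]
ftp password :: server.example -> 192.0.2.10 :: james :: guess2 [F]
ftp password :: server.example -> 198.51.100.7.dyn.isp.example :: anna :: guess1 [F]
ftp password :: server.example -> 192.0.2.10 :: james :: guess2 [F]
ftp password :: server.example -> 192.0.2.10 :: james :: guess3 [F]
ftp password :: server.example -> 203.0.113.5 :: bob :: typo [F]
ftp password :: server.example -> 198.51.100.7.dyn.isp.example :: anna :: guess2 [F]
ftp password :: server.example -> 198.51.100.7.dyn.isp.example :: anna :: guess3 [F]
not a password line
"""

LINE = re.compile(r"^ftp password :: (\S+) -> (\S+) :: (.*?) :: (.*) \[(\w)\]$")
# A reverse-DNS name may start with the address; treat that as a hint only and
# confirm it against the connection's source IP before blocking.
LEADING_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.|$)")

def summarize(text):
    """Group failed logins by remote host: attempts, users, distinct guesses."""
    hosts = defaultdict(lambda: {"attempts": 0, "users": set(), "guesses": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(5) != "F":   # assumption: [F] marks a failed login
            continue
        _server, remote, user, guess, _flag = m.groups()
        hosts[remote]["attempts"] += 1
        hosts[remote]["users"].add(user)
        hosts[remote]["guesses"].add(guess)
    return dict(hosts)

def suspects(text, min_distinct=3):
    """Hosts that tried at least min_distinct different passwords."""
    out = []
    for remote, h in summarize(text).items():
        if len(h["guesses"]) >= min_distinct:
            m = LEADING_IP.match(remote)
            out.append((m.group(1) if m else remote, h["attempts"]))
    return sorted(out)

if __name__ == "__main__":
    for addr, n in suspects(SAMPLE):
        print(f"{addr}: {n} failed logins -> route add {addr} reject")
```

Counting distinct passwords rather than raw failures keeps a client that retries one mistyped password, like the single 203.0.113.5 line in the sample, out of the block list.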
PrimoPDF Producing Zero Byte Files
I installed PrimoPDF 3.0 on a system.
PrimoPDF provides free PDF converter software that will allow you to
"print" documents to a PDF file. After installing the software,
I could print to PDF files without a problem from the administrator account
from which I installed the software, but when I printed to a PDF file using
the PrimoPDF "printer", I would receive the error message below:
Adobe Reader
Adobe Reader could not open 'http.pdf' because it is either not a supported
file type or because the file has been damaged (for example, it was sent as an
email attachment and wasn't correctly decoded).
OK
When I checked the PDF files produced by PrimoPDF, I found they were always
zero bytes in size. When the files were being produced I would hear an
error beep.
An Error after converting posting at the PrimoPDF Forums suggested giving the
Users group on the system full control of the directory into which PrimoPDF
is installed.
From the Windows Explorer, I right-clicked on the directory under
Program Files into which I had installed PrimoPDF and chose
Properties. I saw that the Users group had only read access, i.e. only
the read & execute, list folder contents, and read permissions were granted
to the Users group for that folder.
Note: you can use the cacls command to check permissions from the command
line, e.g. cacls "\program files\primopdf", if the installation directory was
\program files\primopdf. You will see BUILTIN\Users:(OI)(CI)R. The R at the
end indicates that the Users group on the system, to which all normal user
accounts belong, has only read access to that directory.
If you are logged into an account that is a member of the Administrators
group on the system, you can right-click on the directory and choose
Properties to reset the security permissions. Click on the
Security tab, then select the Users group under "group or user
names", then grant Full Control.
Since I was logged into a normal user account at the time I encountered
the problem and had a lot of windows open and didn't want to have to close
all of them, log off, log on as an administrator, log off, log on to my user
account again, and then reopen all of the applications and files I previously
had open, I used the cacls command to reset the permissions.
To use that method, you need to take the following steps, if you are currently
logged into an unprivileged user account.
- Open a command prompt window as the Administrator. On Windows XP systems,
you can do so by going to C:\WINDOWS\system32\ and right-clicking on cmd.exe
while holding down the shift key (if you don't hold down the shift key at the
same time, you won't see the "run as" option). Then select Run as. Click on
The following user and put in Administrator, or some other account with
administrator access, for the user name, and enter the appropriate password.
Then hit Enter or click on OK. A command prompt window will open with
Administrator credentials.
- Enter the command cacls "\program files\primopdf" /E /G Users:F
to give all users of the system full control of the directory where you
installed PrimoPDF, presuming that you installed it in
\program files\primopdf. Granting full control of the directory means
they can add or delete files in that directory. The Users group will still
only have "read" access to the dll and exe files in the directory, though.
The /E means "edit the existing Access Control List (ACL) rather than
creating a new one" and the /G grants access for the account or accounts
specified as a parameter. The F at the end grants "full" access. You can enter
cacls /? for help with the cacls command. You will see something like
"processed dir: C:\program files\PrimoPDF", if the command is successfully
executed.
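A check for the grant made above, as an added example that is not part of the original post: it parses cacls listings in the BUILTIN\Users:(OI)(CI)R form and reports non-administrative principals that hold write, change or full control on the directory. The two listings are constructed, and the PATH value, the PRIVILEGED set and the function names are assumptions of this example.

```python
import re

PATH = r"C:\program files\PrimoPDF"   # directory name as cacls prints it

# Constructed listings in cacls's output layout (not captured from a system):
# the read-only state described above, then the state after granting Users:F.
BEFORE = r"""C:\program files\PrimoPDF BUILTIN\Users:(OI)(CI)R
                          BUILTIN\Administrators:(OI)(CI)F
                          NT AUTHORITY\SYSTEM:(OI)(CI)F"""
AFTER = BEFORE.replace("Users:(OI)(CI)R", "Users:(OI)(CI)F")

ACE = re.compile(r"^(?P<who>.+):(?P<flags>(?:\([A-Z]{2}\))*)(?P<right>[NRWCF])$")
RIGHTS = {"N": "none", "R": "read", "W": "write", "C": "change", "F": "full control"}
# Assumption: these principals are expected to hold write access.
PRIVILEGED = {"builtin\\administrators", "nt authority\\system"}

def parse_cacls(output, path):
    """Return (principal, inheritance flags, right letter) per simple ACE."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # only the first line has the path
        m = ACE.match(line)
        if m:                                 # multi-line special ACEs are skipped
            flags = re.findall(r"\((\w\w)\)", m.group("flags"))
            aces.append((m.group("who"), flags, m.group("right")))
    return aces

def scope(flags):
    """Describe what an ACE covers from its OI/CI/IO flags."""
    parts = [] if "IO" in flags else ["this folder"]
    if "CI" in flags:
        parts.append("subfolders")            # CI: inherited by directories
    if "OI" in flags:
        parts.append("files")                 # OI: inherited by files
    return ", ".join(parts)

def writable_by_unprivileged(output, path):
    """List ACEs that let a non-administrative principal modify the directory."""
    return [f"{who}: {RIGHTS[right]} ({scope(flags)})"
            for who, flags, right in parse_cacls(output, path)
            if who.lower() not in PRIVILEGED and right in "WCF"]

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, writable_by_unprivileged(listing, PATH) or "no findings")
```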