Detected an unauthorized user attempting to access the SNMP interface

DCIM_Support · ‎2020-07-03

We have couple of and different type of APC ATS/UPS/PDU device with network communication. E-mail notification has been configured to send alerts in case of a problem.

Corporate network has been scanned with different tools which are mostly using SNMP protocol. APC devices are flooding recipients with e-mail alerts such as the following:

Detected an unauthorized user attempting to access the SNMP interface from <IP address>

Devices are also monitored by DCE.

How can I configure devices to not send e-mail alerts because of network discovery scans?

I tried the following changes in devices configuration without any success:

Administration -> Network -> SNMPv1 -> access control: public community name used by scanning tool and also added the server IP to NMS IP/Host Name
Administration -> Notification -> SNMP Traps -> Trap receiver : trap generation has been enabled and scan server IP added to NMS IP/Host Name. Public SNMPv1 has been used.

DCIM_Support · ‎2020-07-03

Hi Mate,

Editing events in DCE is not always that easy. I suggest manually editing one device using it's UI as noted above. When you do this, make note of the event number. For this one, I noted the following:

Detected an unauthorized user attempting to access the Control Console interface.[0x0005]

Once you've done that, go to APC SNMP device configuration.

Choose standard device configuration settings.

Choose configure devices or create a template.

Find the device you've just configured, select it and choose retrieve device settings.

Choose your destination devices.

Next, make sure all settings are unchecked. To be sure, maybe even select all and unselect all.

Click the > next to advanced settings, then the > next to event action config

You should see the events with the codes (not names) but since you noted the code when configuring it, this should not be an issue:

Select the proper event (E0005 in this case) and hit next.

At this point, either save the template or configure the devices.

Steve

See Answer In Context

DCIM_Support · ‎2020-07-03

Hi Mate,

Your first best bet would be to stop the scanning with incorrect credentials. If you must turn it off, verify if it is coming from the network card in the device or StruxureWare. If it is the device, you can use the following menus on a 6.x firmware to configure specific events. Choose "By Event":

For this specific event, choose security:

You then have a number of options:

If you're using StruxureWare but getting events from the device, you can mass configure devices to exclude that event. If you're not using StruxureWare, you can configure one device then download the config.ini file from that device. You can then upload just that section to the other APC devices. K-base FA176542 may be helpful if you're not sure how to do that.

Thanks,

Steve

DCIM_Support · ‎2020-07-03

Hi Steven,

Thanks for your quick response. I know that I can turn off notification and/or log for that particular event however from do it DCE in batch was new for me. I would like to use this option at last.

You mentioned credential but what kind of credential is in use if we are talking about SNMP v1/v2?

Scan is using the "public" SNMP community name.

DCIM_Support · ‎2020-07-03

Mi Mate, If a system is scanning using just the one community name that is turned on in the NMC AND that community name does not have an IP associated with it, you should not get that error. Note that the community name config on the NMC can have an associated NMS IP. Most SNMP scans from other systems will scan an entire segment with one community name, then again with another, and so on. If you look at the logs on the NMC, it will tell you what system is doing this poll...just in case it is a system you're not expecting it from. Steve

DCIM_Support · ‎2020-07-03

And the default 0.0.0.0 IP at SNMP setting means that NMC can accept request from every IP address? In that case I do not really understand how DCE monitoring APC devices via SNMP. In that case devices are not generating alerts.

DCIM_Support · ‎2020-07-03

Hi Mate, Yes, 0.0.0.0 means any system can use that community name to poll that device. I'm unsure what you mean with your second statement. In that case devices are not generating alerts. This is indicating you're NOT getting messages? Are you saying the event is saying that DCE's IP is the one the device is reporting as causing the error? If so, do you have multiple discoveries in DCE with different community names that periodically run? I really can't say. What I can suggest if you need someone to walk you through it is if you call tech support, you can often work with the support people and get a webex going where the reps can actually see your configuration and can more easily understand what's happening. Steve

DCIM_Support · ‎2020-07-03

Oh yeah, I understand it. Even if I create a community string which will be match with scan setting there is other couple of string which fails during the attempt. For permanent solution I can see only the event disable. How can I do that from DCE? I select APC SNMP Device Configuration from Device menu and retrive on device configuration and select another one the following possibilities are available:

24-06-2016 16-53-00.png

DCIM_Support · ‎2020-07-03

We have this same issue. Our network team uses a software with the correct SNMP strings however the APC devices spew 'Unauthorized User' emails. After trying to figure out why, I just resorted to turning them off. The problem with that is new devices added by the IT department... they don't always push the template to the device and then my inbox gets filled up. You also can not easily update the template which leads me to create multiple templates for one device. You can only edit a setting set in the template, any new changes require a new template. Great idea, rough execution. I would still prefer the templates though.

DCIM_Support · ‎2020-07-03

Hi Mate,

Editing events in DCE is not always that easy. I suggest manually editing one device using it's UI as noted above. When you do this, make note of the event number. For this one, I noted the following:

Detected an unauthorized user attempting to access the Control Console interface.[0x0005]

Once you've done that, go to APC SNMP device configuration.

Choose standard device configuration settings.

Choose configure devices or create a template.

Find the device you've just configured, select it and choose retrieve device settings.

Choose your destination devices.

Next, make sure all settings are unchecked. To be sure, maybe even select all and unselect all.

Click the > next to advanced settings, then the > next to event action config

You should see the events with the codes (not names) but since you noted the code when configuring it, this should not be an issue:

Select the proper event (E0005 in this case) and hit next.

At this point, either save the template or configure the devices.

Steve

DCIM_Support · ‎2020-07-03

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.