
Detected an unauthorized user attempting to access the SNMP interface

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.


This question was originally posted by Adam on APC forums on 11/16/2016


I have a Smart-UPS 2200 which is sending me email notifications about an unauthorized user attempting to access the SNMP interface. Over the past 12 hours, 6199 such emails. Now I have SNMP Trap receivers configured, and the IP address in question is NOT one of those. I have two configured. I am getting this error from my Domain Controller, which does NOT have SNMP installed and configured. Under the DC service settings SNMP Trap is disabled and set to manual. Under Roles, it is not installed. I have tried Reset/Reboot Reboot Management Interface, with no success; errors are still being sent. I have currently disabled the email notifications but the logs continue to grow. Any help would be appreciated. Thank you!

The settings for the UPS under Admin - General - About:

Hardware Factory

Model Number: AP9630
Serial Number: ZA1227004500
Hardware Revision: 05
Manufacture Date: 06/25/2012
MAC Address: 00 C0 B7 96 17 18
Management Uptime: 0 Days 0 Hours 39 Minutes

Application Module

Name: sumx
Version: v5.1.7
Date: Dec 1 2011
Time: 13:01:45

APC OS (AOS)

Name: aos
Version: v5.1.7
Date: Nov 22 2011
Time: 09:53:57

APC Boot Monitor

Name: bootmon
Version: v1.0.2
Date: Jan 21 2010
Time: 13:35:57

Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Angela on APC forums on 11/16/2016


Hi Adam,

Your firmware is a little old as we are several revisions ahead and on to v6.X.X which is a major upgrade from the 5.1.7 you are running. I do not think it is related to the problem but I did want to mention it in case you weren't aware.

With what I know, I also believe that there is something coming from your domain controller that is triggering this and it is not an issue of the card generating the alarms erroneously. There is likely something trying to do SNMP polling or SNMP something over ports 161/162 versus anything to do with SNMP traps (alerts) which you already checked. Is there potentially some type of SNMP scanner software installed, as opposed to a service running on Windows? Or perhaps any type of penetration scanner like Nessus, Retina, etc. that runs on an entire network or subnet that could be probing the IP address of the NMC?

I can tell you at least with this firmware, we know it is SNMPv1 since in this older firmware, SNMPv3 does not trigger these messages (which we fixed in newer firmware).

Lastly, SNMPv1 is enabled by default. You could check your SNMP settings under Administration->Network menu and adjust the community names and NMS/IP hostname fields to try and filter out any requests outside of the SNMP systems you do actively use. Do you use SNMP polling or just traps/alerts? You could potentially disable some of the SNMP settings as well to just allow SNMP traps.
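The community-name and NMS IP fields mentioned in the reply above can be checked against a captured UDP/161 payload to see what an unexpected request actually carries. This is an added example, not part of the original post or APC code. The sample packet, community names and IP addresses are constructed, and the rule that both community and source IP must match is an assumption about how such an access list is evaluated.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public".
SAMPLE_GET = bytes.fromhex(
    "3026020100" "04067075626c6963" "a019020101020100020100"
    "300e300c06082b060102010101000500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """Decode version, community and PDU type from a UDP/161 payload."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("no outer SEQUENCE, not SNMP")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(raw_version, "big")
    info = {"version": VERSIONS.get(version, str(version)), "community": None, "pdu": None}
    if version in (0, 1):  # only v1/v2c carry a cleartext community string
        tag, community, pos = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
        info["community"] = community.decode("latin-1")
        if pos < len(body):
            info["pdu"] = PDU_NAMES.get(body[pos], hex(body[pos]))
    return info

def triage(src_ip, payload, access_list):
    """Assumed rule: a (community, nms_ip) pair must match both fields."""
    info = parse_snmp_header(payload)
    if info["community"] is None:
        return "not-community-based", info
    ok = (info["community"], src_ip) in access_list
    return ("authorized" if ok else "unauthorized"), info
```

Under that assumed rule, a request from an allow-listed address is still reported as unauthorized when its community string differs from the configured one.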


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/16/2016


Thank you for trying to help me fix this! I have done the firmware update, and as soon as I activate SNMPv1 with the two servers which have SNMP, .30 and .159, I get the error back from the DC, which is .96 and not on the list for SNMP at all. If I change it from SNMPv1 to v3 I no longer get the error. I have double-checked the DC .96 for any and all SNMP settings; all are off.


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/16/2016


I have even added the .96 address into the allow config as read and am still getting the detection.


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/16/2016


So I have gone back to the DC; the SNMP was set to manual, I have completely set it to disabled, and still have the error. Attached is the .tar file. Any and all help is greatly appreciated. Other than providing the unit with the IP I have no clue what else would be trying to communicate with it from the DC.


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/17/2016


As of this morning, I added a rule on the DC to block port 161, and now I no longer receive the unauthorised attempt log. However, I still cannot figure out why this worked, or what was looking on port 161.


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Angela on APC forums on 11/17/2016


Hi Adam - I see in your config.ini that there are IPs set up in the SNMP polling configuration - some 192.168.X.X IPs - do you know what these are? I ask because what I was suggesting would probably not work if you were actively using those because you have to leave those configs enabled to let those devices do SNMP polling.

Anyway, yes, it seems to prove that there is something on your DC that is sending out the requests. Do you have other NMCs on the same network that did NOT show the alarm? Just curious if you could see if there was a security scanner or tool hitting everything on your network trying to do SNMP requests. We have customers that run tools like I mentioned previously that do penetration or intrusion detection type stuff.

If it were me, I would just comb through all running services/programs and see what is there. If you have done all of that, it just seems like there is something that is not obvious or that maybe could be running under another user or something weird like that?


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/17/2016


Yes, the two 192.168.X.X I know what those are: Spiceworks and LibreNMS. I ran a packet tracker on the DC, which is how I found port 161 was being used to the unit. After blocking the port the issue is gone. Now I need to figure out what was causing the DC to look to the unit through port 161. At this time I believe the issue is on the DC side, not the UPS side. A fun note I was just told about today: my boss changed the UPS IP address before this issue started. Not sure how or why that would matter but fun cause.


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Adam on APC forums on 11/18/2016


Just to share what the issue ended up being, to maybe help others. The DC spoolsv.exe was the issue. The IP of the UPS was in the range of printers the DC searches for. Even though no printer was set up on the IP, the DC was still trying to find one. Thank you Angela for your assistance!


Re: Detected an unauthorized user attempting to access the SNMP interface

This reply was originally posted by Angela on APC forums on 11/18/2016


Hi Adam - thanks for the update and letting me/us know what you found. Have a great weekend!