HPE 9000 and HPE e3000 Servers
cancel
Showing results for 
Search instead for 
Did you mean: 

Removing SNMP from GSP

 
SOLVED
Go to solution
Mark Parsons
Valued Contributor

Removing SNMP from GSP

Hi,

 

I have been asked to check and remove if necessary SNMP from our gsp connections. I have five types of servers - rp3440, rp5470, rp4410, rp7410 and rp5450.

 

How do I check? I believe that you can't actually check on some of them. I also believe that the firmware on some of them is B.02.20 and that B.02.21 is now available that might give the SNMP option?

 

Any advice gratefully accepted.

 

Kind Regards,

 

Mark P.

 

 

P.S. This thread has been moevd from HP-UX > System Administration to Servers > HP 9000 - HP Forums moderator

4 REPLIES 4
Highlighted
Patrick Wallek
Honored Contributor

Re: Removing SNMP from GSP

You are correct.  On osme there is no option to turn off SNMP.  On others there is.  SNMP configuration is done via the 'SNMP' command in the GSP.

 

If there is an option to disable it, it should be there.

 

I just checked an rp4440 and an rp5470 and they both have the option to disable.

 

The rp5470 is on B.02.21 and the rp4440 is on B.03.32 of GSP firmware.

Bill Hassell
Honored Contributor

Re: Removing SNMP from GSP

This is a common problem with console interfaces (GSP, MP, iLO, etc). The code that runs the console is not HP-UX, it is a very small block of instructions that are stored on the processor or GSP card.  As such, the code is seldom changed except for functional issues.

 

So the fix is easy but often overlooked. The console ports for *ALL* machines (servers, network devices, firewalls, etc) should be on a separate, unrouted subnet. Aside from being very difficult or impossible to change security features such as ssh, html, SNMP, etc, these consoles have very primitive security. They typically have no password aging, no password rules, and can be reset to a well-known value by pushing a button. And even more serious: these consoles have direct access to power controls and hard reset, a big problem with denial of service.

 

This diagnostic subnet must be isolated with no routers. The only access possible would be through a secure machine with a connection to the subnet and the other to subnets where the sysadmins are located. This machine would have the highest level of access controls and only authorized sysadmins would be able to login, then connect to the consoles on the diagnostic LAN.

 

And the good news is that auditors can't scan this network as it is isolated. So any vulnerabilities in the console code are not exposed. This includes old releases of web servers, JavaJunk, SNMP, all commonly found in console LAN connections.



Bill Hassell, sysadmin
Mark Parsons
Valued Contributor

Re: Removing SNMP from GSP

Thanks for that everybody.

 

To confirm our rp3440, rp4410 and rp7410 servers have an mp connection as follows:

 

                       MP ACCESS IS NOT SECURE   Default MP users are currently configured and remote access is enabled.   Modify default users passwords or delete default users (see UC command)                                     OR             Disable all types of remote access (see SA command)  *************************************************************************

 *************************************************************************                            Your Certificate is expired.                Use the SO command to generate a new certificate.  *************************************************************************

   MP MAIN MENU:

         CO: Console         VFP: Virtual Front Panel          CM: Command Menu          CL: Console Log          SL: Show Event Logs          HE: Main Help Menu           X: Exit Connection

 

Can you disable snmp from here and if so how?

 

Our rp54xx servers have a gsp connection:

 

GSP> he

HE ==== GSP Help ============================================(Administrator)===       Hardware Revision N0  Firmware Revision B.02.20 Apr 14 2003,11:03:46

                        GSP Help System

    Enter a command at the help prompt:            OVerview  : Launch the help overview            LIst      : Show the list of GSP commands            <COMMAND> : Enter the command name for help on individual command            TOPics    : Show all GSP Help topics and commands            HElp      : Display this screen            Q         : Quit help

 

Can you disable snmp from here and if so how? And also do I need to upgrade to B.02.21?

 

Many thanks.

Matti_Kurkela
Honored Contributor
Solution

Re: Removing SNMP from GSP

On a MP, you should first type "CM<enter>" to access the Command Menu. It contains more commands you can use to configure the MP. Type "HE LI<enter>" to see a list of available commands.

 

Unless your MP firmware is too old, there should be a "SNMP" command listed.

(Edit: on a rp3440 at least, you need MP firmware version E.03.30 or newer to disable SNMP.)

 

So type "SNMP<enter>", then the MP will display the current SNMP settings and ask if you want to keep them as they are. Type "N<enter>" to change them, then "D<enter>" to disable SNMP.

 

On a GSP, all the commands are available without the Command Menu step, so just type "HE LI<enter>" to view the list of commands. But I think GSPs are so old they did not have any SNMP functionality at all, so there may be nothing to disable??

MK