Re: Removing SNMP from GSP
04-22-2013 09:17 AM - last edited on 04-22-2013 07:03 PM by Maiko-I
Hi,
I have been asked to check and remove if necessary SNMP from our gsp connections. I have five types of servers - rp3440, rp5470, rp4410, rp7410 and rp5450.
How do I check? I believe that you can't actually check on some of them. I also believe that the firmware on some of them is B.02.20 and that B.02.21 is now available that might give the SNMP option?
Any advice gratefully accepted.
Kind Regards,
Mark P.
P.S. This thread has been moved from HP-UX > System Administration to Servers > HP 9000 - HP Forums moderator
04-22-2013 09:35 AM
Re: Removing SNMP from GSP
You are correct. On some there is no option to turn off SNMP. On others there is. SNMP configuration is done via the 'SNMP' command in the GSP.
If there is an option to disable it, it should be there.
I just checked an rp4440 and an rp5470 and they both have the option to disable.
The rp5470 is on B.02.21 and the rp4440 is on B.03.32 of GSP firmware.
04-22-2013 07:26 PM - edited 04-22-2013 07:29 PM
Re: Removing SNMP from GSP
This is a common problem with console interfaces (GSP, MP, iLO, etc). The code that runs the console is not HP-UX, it is a very small block of instructions that are stored on the processor or GSP card. As such, the code is seldom changed except for functional issues.
So the fix is easy but often overlooked. The console ports for *ALL* machines (servers, network devices, firewalls, etc) should be on a separate, unrouted subnet. Aside from being very difficult or impossible to change security features such as ssh, html, SNMP, etc, these consoles have very primitive security. They typically have no password aging, no password rules, and can be reset to a well-known value by pushing a button. And even more serious: these consoles have direct access to power controls and hard reset, a big problem with denial of service.
This diagnostic subnet must be isolated with no routers. The only access possible would be through a secure machine with a connection to the subnet and the other to subnets where the sysadmins are located. This machine would have the highest level of access controls and only authorized sysadmins would be able to login, then connect to the consoles on the diagnostic LAN.
And the good news is that auditors can't scan this network as it is isolated. So any vulnerabilities in the console code are not exposed. This includes old releases of web servers, JavaJunk, SNMP, all commonly found in console LAN connections.
Bill Hassell, sysadmin
04-23-2013 04:50 AM
Re: Removing SNMP from GSP
Thanks for that everybody.
To confirm our rp3440, rp4410 and rp7410 servers have an mp connection as follows:
MP ACCESS IS NOT SECURE
Default MP users are currently configured and remote access is enabled.
Modify default users passwords or delete default users (see UC command)
OR
Disable all types of remote access (see SA command)
*************************************************************************
*************************************************************************
Your Certificate is expired.
Use the SO command to generate a new certificate.
*************************************************************************
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
HE: Main Help Menu
X: Exit Connection
Can you disable snmp from here and if so how?
Our rp54xx servers have a gsp connection:
GSP> he
HE
==== GSP Help ============================================(Administrator)===
Hardware Revision N0 Firmware Revision B.02.20 Apr 14 2003,11:03:46
GSP Help System
Enter a command at the help prompt:
OVerview : Launch the help overview
LIst : Show the list of GSP commands
<COMMAND> : Enter the command name for help on individual command
TOPics : Show all GSP Help topics and commands
HElp : Display this screen
Q : Quit help
Can you disable snmp from here and if so how? And also do I need to upgrade to B.02.21?
Many thanks.
04-23-2013 06:12 AM - edited 04-23-2013 06:19 AM
Solution
On a MP, you should first type "CM<enter>" to access the Command Menu. It contains more commands you can use to configure the MP. Type "HE LI<enter>" to see a list of available commands.
Unless your MP firmware is too old, there should be a "SNMP" command listed.
(Edit: on a rp3440 at least, you need MP firmware version E.03.30 or newer to disable SNMP.)
So type "SNMP<enter>", then the MP will display the current SNMP settings and ask if you want to keep them as they are. Type "N<enter>" to change them, then "D<enter>" to disable SNMP.
On a GSP, all the commands are available without the Command Menu step, so just type "HE LI<enter>" to view the list of commands. But I think GSPs are so old they did not have any SNMP functionality at all, so there may be nothing to disable??
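Added example, not part of any post in this thread: a small Python audit over saved console session text that flags the two MP warnings quoted above and checks the firmware revision against the one minimum the thread states (rp3440, E.03.30). The sample MP capture is constructed, and it assumes the MP prints its revision in the same "Firmware Revision X.NN.NN" form as the GSP help header; the finding codes and function names are hypothetical.

```python
import re

# Minimum firmware offering the SNMP disable option, per model. Only the
# rp3440 value is stated in the thread; other models are left out on purpose.
MIN_FW_FOR_SNMP_DISABLE = {"rp3440": "E.03.30"}

FW_RE = re.compile(r"Firmware Revision\s+([A-Z])\.(\d+)\.(\d+)")

def parse_fw(text):
    """Return (family, major, minor) from a 'Firmware Revision X.NN.NN' line."""
    m = FW_RE.search(text)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def audit(model, session_text):
    """Return a list of finding codes for one captured console session."""
    findings = []
    if "MP ACCESS IS NOT SECURE" in session_text:
        findings.append("DEFAULT_USERS")        # fix via UC or SA command
    if "Your Certificate is expired" in session_text:
        findings.append("CERT_EXPIRED")         # fix via SO command
    fw = parse_fw(session_text)
    minimum = MIN_FW_FOR_SNMP_DISABLE.get(model)
    if fw is None:
        findings.append("FW_NOT_FOUND")
    elif minimum is None:
        findings.append("FW_NO_KNOWN_MINIMUM")  # look for SNMP in HE LI instead
    else:
        need = parse_fw("Firmware Revision " + minimum)
        if fw[0] != need[0]:
            findings.append("FW_FAMILY_MISMATCH")  # letters differ, do not compare
        elif fw[1:] < need[1:]:
            findings.append("FW_TOO_OLD")       # SNMP disable option likely absent
    return findings

# Constructed MP capture (the firmware line and its value are assumptions).
MP_CAPTURE = """MP ACCESS IS NOT SECURE
Default MP users are currently configured and remote access is enabled.
Your Certificate is expired.
Firmware Revision E.02.29
"""
# GSP help header as quoted in the thread.
GSP_CAPTURE = "Hardware Revision N0 Firmware Revision B.02.20 Apr 14 2003,11:03:46"

if __name__ == "__main__":
    for model, capture in (("rp3440", MP_CAPTURE), ("rp5470", GSP_CAPTURE)):
        print(model, audit(model, capture))
```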