Could someone explain why SNMP is gone

mistergefahrensucher
DD-WRT Novice


Joined: 04 Jun 2018
Posts: 6
Location: Hannover

Posted: Thu Jun 06, 2019 16:03    Post subject: Could someone explain why SNMP is gone
I have seen in Changeset 39154:
"without openssl, we wont add snmp anymore"
For me it makes no sense, because why does SNMP depend on OpenSSL?
In my case I have no chance to monitor my router anymore.
msoengineer
DD-WRT User


Joined: 21 Jan 2017
Posts: 437
Location: Illinois

Posted: Thu Jun 06, 2019 20:21    Post subject:
This is why.

https://www.techrepublic.com/article/lock-it-down-dont-allow-snmp-to-compromise-network-security/

"SNMP provides an easy way for administrators to get topology information about their networks and even provides some management of remote devices and servers. However, you have to be very careful that you correctly block SNMP traffic at your firewall; otherwise, hackers can also use it to gather that valuable network information and exploit vulnerabilities."

_________________
[r9000] running BS 40672
[EA8500] running Kong 40270M
[R7800] KONG PRO [taking a nap...no qam256...]
[WDR3600] BS 36808


TIPS-A MUST READ:

Best QCA Wifi settings to use|Latency tricks|QoS Port priority

Why to NOT use MU-MIMO||Max Wifi Pwr by Country||MCS Index Speeds||Correct QCA 5Ghz chnls to use||WIFI Chnl Freq WIKI
msoengineer
DD-WRT User


Joined: 21 Jan 2017
Posts: 437
Location: Illinois

Posted: Thu Jun 06, 2019 20:41    Post subject:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1162440#1162440
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

Posted: Sat Jun 08, 2019 1:11    Post subject:
msoengineer wrote:
This is why.

https://www.techrepublic.com/article/lock-it-down-dont-allow-snmp-to-compromise-network-security/

"SNMP provides an easy way for administrators to get topology information about their networks and even provides some management of remote devices and servers. However, you have to be very careful that you correctly block SNMP traffic at your firewall; otherwise, hackers can also use it to gather that valuable network information and exploit vulnerabilities."


I'm not sure I can see how this is any different from blocking SSH, Telnet, and even http/https from the WAN? This is basic SOP stuff, right? If you don't know how to make sure this stuff is blocked on the WAN, you probably shouldn't be using dd-wrt in the first place... just my 2 cents..
msoengineer
DD-WRT User


Joined: 21 Jan 2017
Posts: 437
Location: Illinois

Posted: Sat Jun 08, 2019 1:32    Post subject: WHY IS SNMP GONE ON MANY ROUTERS
OK lazy people, I know reading is too hard... but read this and be done...

If your router is older and has 8 MB flash (this also affects many 16 MB flash size routers), there's not enough room to include OpenSSL in the code. As such, you won't be able to have secure access to SNMP, so BS removed SNMP to keep you guys using low flash size routers safe.

There. Clear as mud...

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sat Jun 08, 2019 2:20    Post subject:
Hmmm, it wasn't possible to simply block those ports from being accessible over the internet?

Regardless, I suppose there's always Entware if you really want it back.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
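
The question raised in the replies above, whether SNMP is actually closed on the WAN side, can be checked against the firewall rules themselves. The following is an added example, not part of any post in this thread and not DD-WRT code: it assumes the rules are available in `iptables -S INPUT` text format, and the interface names `vlan2` (WAN) and `br0` (LAN) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables -S INPUT` output on stdin
# and prints whether unsolicited SNMP (udp/161) arriving on WAN_IF is
# "blocked", "exposed", or needs manual "review". First match wins, as in netfilter.
snmp_wan_verdict() {   # usage: snmp_wan_verdict WAN_IF < rules
    awk -v wan="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        iface = proto = dport = target = ""; other = estonly = neg = 0
        for (i = 3; i <= NF; i++) {
            if      ($i == "-i")      iface  = $(++i)
            else if ($i == "-p")      proto  = $(++i)
            else if ($i == "--dport") dport  = $(++i)
            else if ($i == "-j")      target = $(++i)
            else if ($i == "--reject-with") i++
            else if ($i == "!")       neg = 1
            else if ($i == "-m") { if ($(++i) !~ /^(udp|tcp|state|conntrack)$/) other = 1 }
            else if ($i == "--state" || $i == "--ctstate") {
                if (index($(++i), "NEW")) other = 1; else estonly = 1 }
            else other = 1            # -s, multiport, ...: not interpreted here
        }
        if (neg || iface ~ /[+]$/) { other = 1; iface = "" }   # negation or wildcard
        if (neg || dport ~ /:/)    { other = 1; dport = "" }   # negation or port range
        if (neg) proto = ""
        if (iface != "" && iface != wan) next
        if (proto != "" && proto != "udp" && proto != "all") next
        if (dport != "" && dport != "161") next
        if (estonly || target == "LOG") next       # cannot decide a new inbound packet
        blocking = (target == "DROP" || target == "REJECT")
        if (other && blocking) next                # conditional drop: not a guarantee
        verdict = other ? "review" : blocking ? "blocked" : target == "ACCEPT" ? "exposed" : "review"
        exit
    }
    END { print (verdict != "" ? verdict : policy == "DROP" ? "blocked" : "exposed") }'
}

# Constructed sample: the ACCEPT for udp/161 has no -i, so it also matches the WAN side.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -i vlan2 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | snmp_wan_verdict vlan2
```

A "review" verdict means a rule with conditions this sketch does not interpret (source address, user-defined chain, negation) could accept the packet, so the ruleset has to be read by hand.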
mistergefahrensucher
DD-WRT Novice


Joined: 04 Jun 2018
Posts: 6
Location: Hannover

Posted: Sat Jun 08, 2019 12:02    Post subject:
msoengineer wrote:
This is why.

https://www.techrepublic.com/article/lock-it-down-dont-allow-snmp-to-compromise-network-security/

"SNMP provides an easy way for administrators to get topology information about their networks and even provides some management of remote devices and servers. However, you have to be very careful that you correctly block SNMP traffic at your firewall; otherwise, hackers can also use it to gather that valuable network information and exploit vulnerabilities."


Not really logical for me. If you know what you are doing, and in secure environments, it is possible to use SNMP without any risk. If SNMP is inside the firmware, I can decide to enable it or not. At the moment I have no chance anymore to monitor the traffic or CPU or memory. For me there are other things I can renounce,
like the whole Hotspot Portal stuff. But anyway.
CarnegieJ
DD-WRT Novice


Joined: 13 Jun 2016
Posts: 3

Posted: Sat Jun 15, 2019 22:24    Post subject:
mistergefahrensucher wrote:
Not really logical for me. If you know what you are doing, and in secure environments, it is possible to use SNMP without any risk. If SNMP is inside the firmware, I can decide to enable it or not. At the moment I have no chance anymore to monitor the traffic or CPU or memory. For me there are other things I can renounce,
like the whole Hotspot Portal stuff. But anyway.


Cool++1, for moving the capture web portal code in DD-WRT to outside the "standard" release channel. This may create additional space (i.e. 8 MB flash routers) for secure admin features like SNMP over SSL. In summary, serious-minded network folks need the SNMP option to manage/monitor our network service.

_________________
Atheros
TP-Link TL-WDR4300v1 ----- DD-WRT 39956 BS (NAT, AD Blocking, Firewall, Forced DNS, Wi-Fi OFF)
Ralink/RT2880
AirLink101 150N (AR670W) --DD-WRT ??? BS (AP,NAT,Firewall)
mistergefahrensucher
DD-WRT Novice


Joined: 04 Jun 2018
Posts: 6
Location: Hannover

Posted: Mon Jun 17, 2019 7:44    Post subject: Thanks i see i am not alone
For now I decided to downgrade to DD-WRT v3.0-r39137 std (03/10/19) and will stay there because this is the last release with SNMP inside. My devices have no connection to the internet; I use them only as AP.
All times are GMT