Why is Mint trying (and failing) to connect to other devices via SNMP?

[mattlach]

Hey all,

Fairly new install of LMDE on my laptop.

Happened to be looking at the log outputs on my old APC UPS I have attached to my server on the same subnet after some power fluctuations.

In the logs of the unit I find several entries where it states the IP associated with my laptop has made several attempts to connect to the device via SNMP and has failed. Four attempts in a row each time, seemingly at boot time for the laptop.

It seems very fishy to me.

I can't find any references to SNMP or the IP of the APC unit in the laptops system logs.

Anyone know what is going on?

[deepakdeshp]

You can try snmp connect to other devices ,on your localhost and find if it's a problem with SNMP in general or only while connection to the UPS.

[deepakdeshp]

You can try snmp connect to other devices ,on your localhost and find if it's a problem with SNMP in general or only while connection to the UPS.
https://www.google.com/url?sa=t&source= ... 5xqqCWbk6x

[mattlach]

You can try snmp connect to other devices ,on your localhost and find if it's a problem with SNMP in general or only while connection to the UPS.

Maybe I should restate the problem.

I have never accessed the UPS from this laptop over any protocol.

I have never used SNMP on this laptop.

To my knowledge this laptop should never have accessed the IP of the UPS at all.

Yet, I see several failed attempts in the UPS log from this laptop.

A review of DHCP logs shows no other machine has had the IP of this laptop.

They are mystery entries in the log.

I am not trying to troubleshoot why it won't connect. I am trying to figure out how it figured out the IP of the UPS and why it tried to connect to it in the first place.

[smurphos]

Warpinator? By design it checks the local network for other machines running Warpinator at launch. Not sure what the protocol used is though.

[mattlach]

Warpinator? By design it checks the local network for other machines running Warpinator at launch. Not sure what the protocol used is though.

Could be. Either that or someone has snuck something unsavory into the release...

Is there a way to remove/uninstall warpinator?

There is a warpinator package in the repository of my LMDE4 install, but it is not installed?

Code: Select all

$ sudo apt-cache search warpinator
warpinator - Allows simple local network file sharing.
sudo apt remove warpinator
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'warpinator' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Maybe it is only pre-installed on the main Ubuntu based edition?


Edit:

So I was thinking just as a workaround to stop random snmp connections (attacks?) on my network, I'd just remove the snmp packages.

Code: Select all

$ sudo apt list --installed |grep -i snmp

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libsnmp-base/stable,stable,now 5.7.3+dfsg-5+deb10u1 all [installed]
libsnmp30/stable,now 5.7.3+dfsg-5+deb10u1 amd64 [installed]
matt@e6430s ~ $ sudo apt remove libsnmp-base libsnmp30
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  colord hplip libhpmud0 libsane libsane-hpaio libsnmp-base libsnmp30 printer-driver-hpcups printer-driver-hpijs sane-utils simple-scan
0 upgraded, 0 newly installed, 11 to remove and 0 not upgraded.
After this operation, 30.3 MB disk space will be freed.
Do you want to continue? [Y/n]

Not quite sure I feel like removing hplip in the process, or I won't be able to print...

Maybe hplip uses SNMP to probe for printers?

Ugh, I hate software that ever tries to autodetect anything on the network.

I want my machine to never access anything on the network, local or remote, unless I EXPLICITLY tell it to.

Except for maybe DHCP, but even then I prefer manually set IP's.

[mattlach]

Warpinator? By design it checks the local network for other machines running Warpinator at launch. Not sure what the protocol used is though.

Could be. Either that or someone has snuck something unsavory into the release...

Is there a way to remove/uninstall warpinator?

There is a warpinator package in the repository of my LMDE4 install, but it is not installed?

Code: Select all

$ sudo apt-cache search warpinator
warpinator - Allows simple local network file sharing.
sudo apt remove warpinator
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'warpinator' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Maybe it is only pre-installed on the main Ubuntu based edition?


Edit:

So I was thinking just as a workaround to stop random snmp connections (attacks?) on my network, I'd just remove the snmp packages.

Code: Select all

$ sudo apt list --installed |grep -i snmp

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libsnmp-base/stable,stable,now 5.7.3+dfsg-5+deb10u1 all [installed]
libsnmp30/stable,now 5.7.3+dfsg-5+deb10u1 amd64 [installed]
matt@e6430s ~ $ sudo apt remove libsnmp-base libsnmp30
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  colord hplip libhpmud0 libsane libsane-hpaio libsnmp-base libsnmp30 printer-driver-hpcups printer-driver-hpijs sane-utils simple-scan
0 upgraded, 0 newly installed, 11 to remove and 0 not upgraded.
After this operation, 30.3 MB disk space will be freed.
Do you want to continue? [Y/n]

Not quite sure I feel like removing hplip in the process, or I won't be able to print...

Maybe hplip uses SNMP to probe for printers?

Ugh, I hate software that ever tries to autodetect anything on the network.

I want my machine to never access anything on the network, local or remote, unless I EXPLICITLY tell it to.

Except for maybe DHCP, but even then I prefer manually set IP's.

[smurphos]

If warpinator's not installed it not that.

HPLIP scanning for networked printers could make sense.

[AndyMH]

HPLIP scanning for networked printers could make sense.

Would CUPS-browsed be doing the same?

[bledd]

Just had the same issue. Fresh Mint install was setting off UPS unauthorized access attempts.

"Informational Events - System: Detected an unauthorized user attempting to access the SNMP interface from IPADDRESS"

Looks like CUPS was causing it.

Found this info from another source online..



"Configs in /etc/sane.d/ was a problem for me.
kodakaio.conf and magicolor.conf has an option net autodiscovery. Comment it out and no more SNMP requests."

This fixed the problem.

Seems crazy that something would spam out SNMP like that.

[mattlach]

Good information, thank you!