Nexus SNMP ACL Leaves Port 161 Open

jradke
Level 1

I need to make sure that our Nexus switches are hardened on the Internet and I'm really bothered that the ACL for SNMP works but leaves the port open. The ACL works in that if I attempt this from a host not allowed in the ACL, the Nexus will not accept the credentials and reset the connection. However, having the port open is an exploitable condition on any system. Because the Nexus is listening on this port, disregarding the ACL in this fashion, it could be exploited by overwhelming the system with too many connection attempts. There are two ways to see that the port is open and the system is responding to the socket:

1. Nmap shows that it is open, which means botnets scanning the Internet will find this port open when it shouldn't be.

2. If I telnet to any of the public interface IPs on port 161 I get a prompt. If I sniff the tcp/telnet session I get a syn, syn/ack, ack from the Nexus, proving the port is open and responding to invalid hosts attempting to reach the Nexus on the SNMP port.

What I'd expect is that when an SNMP tcp syn is received on any public interface, the Nexus should not respond if the source IP is not valid in the ACL. Instead, the Nexus is entertaining the prospect of the tcp conversation on the snmp port by responding on the port.

How can I fix this problem to adequately harden this system against SNMP request attempts?

Setup:

Nexus 9318 running 9.2.1

Simple config:

snmp-server community password1111 group network-operator
snmp-server community password1111 use-ipv4acl SNMP

IP access list SNMP
10 permit udp 10.x.x.0/24 any eq snmp log
20 permit udp 10.y.x.0/24 any eq snmp log
30 deny ip any any log
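Added example (not from this thread or from Cisco): an offline audit of a config like the one above. It assumes, as the poster observed, that the community ACL bound with use-ipv4acl only gates credential acceptance, so the only way to stop the handshake on a public interface is an inbound interface ACL (ip access-group ... in); the interface Ethernet1/1 in the sample is a hypothetical addition.

```python
import re

# Constructed sample: the post's config plus a hypothetical L3 interface with no inbound ACL.
SAMPLE_CONFIG = """\
snmp-server community password1111 group network-operator
snmp-server community password1111 use-ipv4acl SNMP
ip access-list SNMP
  10 permit udp 10.x.x.0/24 any eq snmp log
  20 permit udp 10.y.x.0/24 any eq snmp log
  30 deny ip any any log
interface Ethernet1/1
  ip address 198.51.100.2/30
"""

def parse_blocks(config):
    """Group indented lines under their top-level header (ip access-list X, interface Y)."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            header = line.strip()
            blocks.setdefault(header, [])
        elif header and line.strip():
            blocks[header].append(line.strip())
    return blocks

def permits_tcp_161_from_any(aces):
    """True if an ACE lets any source reach tcp/161: permit tcp|ip any <dst> [eq snmp|161]."""
    for ace in aces:
        m = re.match(r"\d+\s+permit\s+(tcp|ip)\s+any\s+\S+(?:\s+eq\s+(\S+))?", ace)
        if m and m.group(2) in (None, "snmp", "161"):
            return True
    return False

def audit(config):
    """Findings: dangling community ACLs, and L3 interfaces that still expose tcp/161.
    Assumption: the community ACL only gates credential acceptance (as the poster saw),
    so the SYN must be dropped by an inbound ACL on the interface it arrives on."""
    blocks, findings = parse_blocks(config), []
    for community, acl in re.findall(r"^snmp-server community (\S+) use-ipv4acl (\S+)", config, re.M):
        if f"ip access-list {acl}" not in blocks:
            findings.append(f"community {community}: use-ipv4acl {acl} references an undefined ACL")
    for header, body in blocks.items():
        if not header.startswith("interface ") or not any(l.startswith("ip address") for l in body):
            continue
        bound = next((l.split()[2] for l in body if l.startswith("ip access-group ") and l.endswith(" in")), None)
        if bound is None:
            findings.append(f"{header}: no inbound ACL; tcp/161 SYNs reach the SNMP listener")
        elif permits_tcp_161_from_any(blocks.get(f"ip access-list {bound}", [])):
            findings.append(f"{header}: inbound ACL {bound} permits tcp/161 from any source")
    return findings
```

Run audit(SAMPLE_CONFIG) against a saved show running-config to list the interfaces that still need an inbound ACL.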
