<div dir="auto">Guys,<div dir="auto"><br></div><div dir="auto">Disabling Cisco smart install has been recommended by Cisco as part of their hardening for a long time. (<span style="font-family:sans-serif"><a href="Https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html">Https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html</a>)</span></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">It's just like turning off telnet and open RW snmp. And limiting access to the management IPs.</font></div><div dir="auto"><font face="sans-serif"><br></font></div><div dir="auto"><font face="sans-serif">I would highly suggest you also sign up for the Cisco critical vulnerability notifications. It's a goldmine of stuff to patch.</font></div><div dir="auto"><font face="sans-serif"><br></font><div data-smartmail="gmail_signature" dir="auto">Laurence<br>-Sent from a small screen with an imagery keyboard.</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, May 8, 2018, 23:56 Mark Foster, <<a href="mailto:blakjak@blakjak.net">blakjak@blakjak.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-AU" link="#0563C1" vlink="#954F72">You don't specifically mention <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi" target="_blank" rel="noreferrer">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi</a> which I assume you're aware of?<br><br><div class="gmail_quote">On 9 May 2018 4:21:20 PM NZST, "Michael J. Carmody" <<a href="mailto:michael@opusv.com.au" target="_blank" rel="noreferrer">michael@opusv.com.au</a>> wrote:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="m_-6384869392688719452WordSection1">
<p class="MsoNormal">Hey All,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Just a feeler to see if anyone else is seeing this.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We have some Cisco switches we use as Layer 2/3 NTUs to talk to client equipment on the far ends of fibre links.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">As of yesterday morning, all of these switches started a roughly 1-2 hour reboot outage.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">All smartnet’ed, running latest recommended stable from Cisco, and nothing in the logs other than a hard reset just occurred.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We have been additionally hardening the exposure of various interfaces (attacks were captured coming from resi ISP looking .mx domains), and it appears the one that has stopped the rot is disabling the “Smart Install” feature with a “no
vstack” command, reload config from our config store and back to work…<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">TBH I didn’t even know this protocol existed… a non-authenticated, on by default protocol that allows you to configure and image deploy on network equipment.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Like, it's our own fault, but what the hell is this doing on by default?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Anyone else with Cisco or “Smart Install” equipment seeing an uptick in scanning/poking activity?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">-Michael Carmody<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">(Ref: <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi" target="_blank" rel="noreferrer">
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi</a> )<u></u><u></u></p>
</div>
</blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</div>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank" rel="noreferrer">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>
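<p>An added example, not part of the thread or of Cisco's documentation: a small offline audit of saved IOS running-configs for the hardening items named in the replies above (Smart Install disabled with "no vstack", no telnet on the vty lines, no open RW SNMP community, management access limited by an access-class). The sample config and the function names are constructed for illustration, and treating a missing "no vstack" line as a finding is an assumption based on the feature being on by default.</p>

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
hostname ntu-sw01
snmp-server community s3cret-ro RO 10
snmp-server community s3cret-rw RW
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
end
"""

def audit_vty(name, body):
    """Findings for one 'line vty' block, given its indented sub-commands."""
    out = []
    transport = next((b for b in body if b.startswith("transport input")), "")
    if re.search(r"\b(telnet|all)\b", transport):
        out.append(f"{name}: telnet allowed")
    if not any(re.match(r"access-class \S+ in\b", b) for b in body):
        out.append(f"{name}: no inbound access-class")
    return out

def audit(config):
    """Return hardening findings for one IOS running-config text."""
    findings = []
    lines = config.splitlines()
    # Smart Install: the fix in the thread is the global "no vstack" command.
    # Assumption: if that line is absent the feature may still be enabled.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("smart-install: 'no vstack' not present")
    # Read-write SNMP community with no access list after the RW keyword.
    for l in lines:
        if re.match(r"snmp-server community \S+ RW\s*$", l.strip(), re.I):
            findings.append("snmp: RW community without an access list")
    # Collect each "line vty" block's sub-commands and audit it when it ends.
    name, body = None, []
    for l in lines + ["!"]:
        if name and l.startswith(" "):
            body.append(l.strip())
            continue
        if name:
            findings += audit_vty(name, body)
        name, body = (l.strip(), []) if l.startswith("line vty") else (None, [])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

<p>A device flagged for a missing "no vstack" line should be confirmed on the switch itself, since platforms without Smart Install support will not carry the line either.</p>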