Disable SNMP Printer Scanning in Ubuntu Intrepid
After installing Ubuntu Intrepid on my laptop, I got a nastygram from IT saying that my laptop was tripping alerts from their NIDS. They could tell me that it was an outbound SNMP request, but they couldn't supply the OID or anything. Setting aside the fact that the NIDS should be configured to disregard SNMP requests for this particular OID, I set forth to try and figure out what the heck was causing the traffic.
After much tcpdumping, I finally found the OID: 1.3.6.1.2.1.25.3.2.1.3.1. Googling told me that this OID corresponds to a printer name. At this point, I knew that it was coming from CUPS. Now, one would think that there is a simple on/off switch in CUPS that you could use to disable SNMP scanning. Nope! You can remove the snmp binary from the CUPS distribution, but the next time CUPS is installed/upgraded, you'll be in the same boat.
On a hunch, I edited /etc/cups/snmp.conf to look like so:
#Address @LOCAL
Address 127.0.0.1
Lo and behold, it worked! Instead of disabling SNMP scanning, I told CUPS to only scan the localhost IP instead of the entire local LAN subnet. After applying this change and restarting CUPS, I checked with IT. The NIDS had indeed stopped generating alerts!
Notes
It turns out the SNMP auto-detection stuff had been removed from previous versions of Ubuntu. After much bemoaning from users, the package maintainers put it back in place. This is why I have the issue on Intrepid and not on previous versions.
I don't really know what the optimal solution is here. The fact that my laptop was broadcasting SNMP requests to the entire corporate subnet is a little disturbing, if harmless. However, I see where it would be nice to have in a SOHO environment. I personally would prefer a "disabled by default" approach with a very simple checkbox mechanism to enable it, but I'm certainly biased.
Anyways, hope this helps some people out there. When I ran into this issue, Google didn't have any help for me.
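The snmp.conf edit described above, written as a repeatable script (an added example, not part of the original post). The function names cups_snmp_targets and restrict_cups_snmp are hypothetical, and the demo runs on a constructed temporary file rather than the live /etc/cups/snmp.conf:

```shell
#!/bin/sh
# Added example: limit CUPS SNMP discovery to localhost, idempotently.

# Print the target of every active (uncommented) Address directive.
cups_snmp_targets() {
    awk 'tolower($1) == "address" { print $2 }' "$1"
}

# Rewrite FILE so that the only active Address directive is 127.0.0.1.
# Other Address lines are commented out, not deleted, so the change is
# easy to review and revert. All other directives are left untouched.
restrict_cups_snmp() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk '
        tolower($1) == "address" {
            if ($2 != "127.0.0.1") { print "#" $0; next }  # stop LAN scan
            if (seen++) next                                # drop duplicates
        }
        { print }
        END { if (!seen) print "Address 127.0.0.1" }        # explicit target
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on a constructed sample file (contents are an assumption, not a
# copy of any shipped snmp.conf).
demo=$(mktemp)
printf 'Address @LOCAL\nCommunity public\n' > "$demo"
restrict_cups_snmp "$demo"
echo "Active SNMP targets: $(cups_snmp_targets "$demo")"
cat "$demo"
rm -f "$demo"
```

On a real system, run restrict_cups_snmp against /etc/cups/snmp.conf as root and restart CUPS, as the post does; cups_snmp_targets can then be used in a configuration audit to flag any host whose output is not exactly 127.0.0.1.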
Comments
Good sleuthing,
Good sleuthing, gumshoe!
Odd that they added it back without much (any?) notification. I can see where it would increase usability for the Linux user, but yea, for the admin who deals with the network it would be a headscratcher.
Very hopeful! Thank you.
Very hopeful!
Thank you.
Thanks. Very helpful!
Thanks. Very helpful!
Same issue here...
Hi Justin.
Thanks a lot for your post here! We got *exactly* the same situation here. Just a few minutes ago, my IT department called me that they are flooded with SNMP requests... *ouch*
Thanks to your article, we could resolve the issue.
Really strange that it is configured by default that way...
Cheers,
Martin.
Great info!
I popped an Ubuntu laptop on my corporate LAN yesterday to test some stuff out (I'm a LAN admin and we're making the move to SLES + OES2, being a Novell shop). My laptop was setting off an SNMP trap on a UPS in our server room and all day I was scratching my head as to what would be causing it.
Thanks to this article, I was able to disable it and stop causing my co-workers grief. :-)
My IT too...
Just tonight I got the nastygram about using SNMP and/or CUPS on the LAN. I have Ubuntu installed in a VM on my Win box. I have just applied your fix, hopefully my LAN guys will accept this now.
Thanks for the workaround. It came in very handy for me!
Not SNMP but the ARP-Flood following afterwards
I got my port locked at our Cisco-Switch a number of times before I found out why this happened: It's, of course, the SNMP-Backend from CUPS.
But looking at the Cisco-Log it wasn't due to the SNMP-Request itself, it was the Printers wanting to know my IP-Address after they received the SNMP-Broadcast. This spurred enough ARP-Messages in such a short time from my Computer to trip the ARP-Warning, which then led to disabling my port on the switch.
At first I had deleted /usr/lib/cups/backend/snmp to disable it, but with the next CUPS package-update it was reinstalled and I tripped the ARP-Alert again :)
Thanks for your advice how to disable it permanently.
"disabled by default" approach has my vote
Many thanks for analyzing this problem.
At my company some developers are trying out Ubuntu running in a virtual machine as a development environment on our MS OS laptops.
About a half hour after I configured the VM network adapter on my laptop to use the host network adapter I had a security guy and an infrastructure guy standing at my desk. It was very collegial and all, but embarrassing.
But let's face it - this looks like a possible hostile probe of the network and that means they have to take time to check it out.
But imagine this scenario: this is a large company and if we started a pilot roll-out of Linux on the desktop, and then there was an unexpected change of this kind we could really have a chaotic situation and waste a lot of IT time. And give Linux a bad name with management.
I vote for disabling.
By the way, does anyone know what happens when you plug a mac into a corporate network? This is not the first line of a joke....
Disable CUPS SNMP printer polling
"By the way, does anyone know what happens when you plug a mac into a corporate network? This is not the first line of a joke...."
Tried the /etc/cups/snmp.conf disabling trick on a MAC to no avail!
Any MAC People out there that do know?
BTW: I disable the port a MAC starts spraying the network with SNMP requests, so this is not for me but for the port MAC users
Bug filed in Launchpad
Just to let everyone know - I have filed a bug in Launchpad to have this set by default in future releases. You can view it at https://bugs.launchpad.net/bugs/345015
Thanks a lot!
Hi Justin,
same story here: Mail from IT department and searching, searching ...
But of course: CUPS is an Apple product, so it's user friendly
and finds all the printers for the user - it's all so simple ;-/
Thanks*
Greetings,
Andreas
Thank
Just had this problem starting up a VM for testing. All the UPSes in the datacenter were sending out alerts for unauthorized attempts to access SNMP. Your post helped a lot. I see it worked for everyone else but I'm still wary of starting up the VM again in case that isn't the fix in 10.40. Also my main machine is the same version but I have CUPS disabled, which seems to do the trick as well.
I have 10.04 and sure enough
I have 10.04 and sure enough I just about repeated Jeff Leshin's experience posted above word for word.
So frustrating and embarrassing.
Thanks!
thanx much - my IT also complained about that, now it's solved! :-)