skids (Tutor), Sep 13, 2019
Disabling switch uPNP/SSDP service
Trying to lock down an M4300. With the latest firmware I see SSDP (uPnP) notifies
coming out of the oob interface, which has been set up as the management interface,
along with an open http uPnP profile server on port 38871.
Grepped the cli and user manuals for anything related to uPnP or SSDP... nothing.
So either this service is out of my control, or they named it something weird and managed
to avoid using the words uPnP or SSDP in any of their descriptions of the service.
Would like to not have to resort to setting up port ACLs for what should be a pretty vanilla
management port.
Anyone know how to turn this off? BTW, any community hardening guides kicking about around here?
4 Replies
- Retired_Member
Hi skids
Welcome to Community!
Yes, UPnP and Bonjour are new features; there is no related description in the old User Manual. You can check the latest User Manual, please click here (page 19: Use UPnP or Bonjour to Find the Switch).
And for UPnP, it does not support disabling; for Bonjour, it supports disabling manually.
Hope it helps!
Regards,
EricZ
- skids (Tutor)
I actually did manage to turn it off. Apparently it can be disabled (perhaps when you disable bonjour) but it
is not actually disabled until after a switch reboot.
uPnP and bonjour are not the same thing so they should probably be controlled by different commands, but
whatever... when these switches are used in server rooms we need to remove all unnecessary services for
security purposes so enabling a new service by default in an upgrade is something which should carry a caveat
in the release notes.
- skids (Tutor)
Update on this: I suspect the change which turned off the broadcasts was instead when we
removed the VLAN1 routing interface from the VLAN database. After this, we get periodic log
messages because the uPnP service is running but cannot open an IP interface:
<15>1 1969-12-31T19:03:06.058-5:00Z HVMGMT-1 OpEN tRpcsrv.01000 - :openapi_logging.c(1294) 489 %% discAgent: Failed to get router interface of Mgmt Vlan Id 1
I tried creating a dead-end VLAN which does not exist on any port, gave it
a static nonsense IP address, left the routing interface active on it, and set the management
VLAN to that. Then I set the management source-interface back to the serviceport.
However, even after a reboot the uPNP daemon still complained about "management Vlan Id 1"
in the log.
Looks like we'll just have to live with those log messages. Hopefully the uPnP daemon (and
the rest of the daemons that are running even though their service is disabled) do not slowly
leak RAM and cause an issue later.
It's getting harder and harder these days to get a switch to be a simple L2 switch :-)
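An added example, not code from this thread or from NETGEAR: a small Python audit tool that passively joins the SSDP multicast group and reports any NOTIFY advertisement sourced from the management subnet, so the state of the UPnP service can be checked on the wire after a reboot instead of inferred from the GUI. The management subnet, the switch address 192.0.2.10 and the UUID in the sample datagram are assumptions; port 38871 is the one reported in the thread.

```python
import ipaddress
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

# Constructed sample NOTIFY modelled on the thread's advertisement (made-up switch
# address and UUID; port 38871 is the one reported above).
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.10:38871/rootDesc.xml\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

def parse_ssdp(datagram: bytes) -> tuple:
    """Split an SSDP (HTTP-over-UDP) message into (start line, header dict)."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    parts = (line.partition(":") for line in lines[1:])
    headers = {n.strip().upper(): v.strip() for n, sep, v in parts if sep}
    return lines[0].strip(), headers

def audit_advert(datagram: bytes, src_ip: str, mgmt_net: str) -> "dict | None":
    """Return a finding when a NOTIFY originates inside the management subnet."""
    start, h = parse_ssdp(datagram)
    if not start.startswith("NOTIFY"):
        return None  # M-SEARCH queries and unicast replies are not advertisements
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(mgmt_net):
        return None
    return {"src": src_ip, "nt": h.get("NT", ""), "usn": h.get("USN", ""),
            "location": h.get("LOCATION", "")}

def listen(mgmt_net: str, idle_seconds: float = 30.0) -> list:
    # Passive listener: joins the group, never sends, stops after idle_seconds of silence.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    mreq = socket.inet_aton(SSDP_GROUP) + socket.inet_aton("0.0.0.0")  # struct ip_mreq
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.settimeout(idle_seconds)
    findings = []
    while True:
        try:
            data, (src, _) = sock.recvfrom(65535)
        except socket.timeout:
            return findings
        finding = audit_advert(data, src, mgmt_net)
        if finding:
            findings.append(finding)
```

Run `listen("192.0.2.0/24")` from a host on the management segment; an empty list after a reboot means the switch is no longer advertising.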