solaris 10 constant activity [Solved]

Posted on 2013-05-18 | Last Modified: 2013-05-22 | 363 Views
I have a Sun Blade 2500 machine running Solaris 10. Recently I have noticed that there is always about 25 to 30% CPU activity and disk access. This was not the case before, for sure, for years.

I ran top and see that the snmpd process is always using about 25-30% of CPU and its status changes between sleep/run/cpu1.

The change that I made recently (and I noticed this issue after) was changing a hard drive on the machine. The hard drive had data only and the OS hard drive did not change.

Everything seems to be working fine; however, this change bothers me and I don't know if some setup went wrong, since I did not use to see this before.

What is the use of snmpd? What happens if I become root and kill this process?

This constant activity on the machine is becoming annoying. Any idea how to stop this activity, as I am sure it was not there before?
Question by: faridsaleh

12 Comments
Expert Comment by jlevie (LVL 40), ID: 39178644
If you aren't using SNMP, killing the process should not have a harmful effect. But, the extra activity of snmpd could be a sign of some underlying problem. Determining why snmpd is doing this would be the best approach.

Author Comment by faridsaleh, ID: 39179311
Could you please describe to me what SNMP is? I read about it on the web but all the descriptions were not clear to me. I felt I needed more background to understand this. I am just an application user of the Unix environment with limited sysadmin knowledge, just enough to get my machines running at the minimum requirement.
Expert Comment by jlevie (LVL 40), ID: 39179365
SNMP is a monitoring and reporting system for the hardware and OS. Excessive cpu use by snmpd could be a sign that it is seeing aberrant behavior of something. The first action should be to look through the system logs for warnings or odd behavior/activity.

Author Comment by faridsaleh, ID: 39179426
Thanks; I looked at the latest syslog (file attached) and see these strange email attempts. There are other syslog.# files with similar entries and previous dates, almost from the time I noticed the constant activity.

I have no idea where they are coming from. Could this be the reason for the activity? Note that this machine has a static IP on the net so I can log in to it remotely.

Any suggestion as to how to stop these activities? I have not yet killed the snmpd process. If I kill this process, does it interfere with my network connection?
[Attachment: syslogcopy]
Expert Comment by jlevie (LVL 40), ID: 39179440
Sendmail is running, though it looks like it might be misconfigured. Those log entries are spammers trying to use this system as a relay. You could disable sendmail, but the OS uses it for internal messages. The better approach would be to install a firewall and block inbound traffic on port 25. And since there could be other ports open to the Internet above and beyond what the server requires, the firewall should be configured to only allow network traffic on the necessary ports.

Oh yeah, if only a few individuals ssh into the system, move ssh to some non-standard port to discourage ssh probes.
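To put a number on the relay probing jlevie describes, here is an added shell example (not from the thread or any of its participants) that summarizes sendmail "Relaying denied" entries in a syslog-format file by the relaying host. The sample log lines are constructed to mimic Solaris 10 sendmail syslog output and are not the asker's attached syslog; the hostname sunblade, the queue ids and the addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): count sendmail "Relaying denied"
# rejections in a syslog file and group them by the relaying host, so the
# share of relay probing and its sources are visible at a glance.

# write_sample_log FILE
# Writes constructed sample lines in the format sendmail logs to syslog.
# These are NOT the asker's syslog; host, ids and addresses are invented.
write_sample_log() {
    cat > "$1" <<'EOF'
May 17 03:12:01 sunblade sendmail[1234]: r4H7C1xx001234: ruleset=check_rcpt, arg1=<victim@example.com>, relay=[203.0.113.45], reject=550 5.7.1 <victim@example.com>... Relaying denied
May 17 03:12:05 sunblade sendmail[1235]: r4H7C5xx001235: ruleset=check_rcpt, arg1=<another@example.net>, relay=[203.0.113.45], reject=550 5.7.1 <another@example.net>... Relaying denied
May 17 03:14:10 sunblade sendmail[1240]: r4H7EAxx001240: ruleset=check_rcpt, arg1=<x@example.org>, relay=mail.example.com [198.51.100.7], reject=550 5.7.1 <x@example.org>... Relaying denied
May 17 03:15:00 sunblade sendmail[1241]: r4H7F0xx001241: from=root, size=312, class=0, nrcpts=1, msgid=<201305170315.r4H7F0xx001241@sunblade>, relay=root@localhost
May 17 03:16:22 sunblade sshd[1300]: Accepted publickey for farid from 192.0.2.10 port 51234 ssh2
EOF
}

# relay_denied_total FILE
# Prints the number of rejected relay attempts in FILE.
relay_denied_total() {
    grep -c 'Relaying denied' "$1"
}

# relay_denied_by_source FILE
# Prints "count relay" for each distinct relay= value among the rejected
# attempts, most frequent first. sendmail logs the relay as "[ip]" when the
# reverse lookup fails and as "host [ip]" when it succeeds.
relay_denied_by_source() {
    grep 'Relaying denied' "$1" \
    | sed -n 's/.*relay=\([^,]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ $1=$1; print }'   # drop the padding uniq -c adds
}

# Usage: ./relay_summary.sh /var/log/syslog
# Without an argument the constructed sample above is used.
if [ $# -ge 1 ]; then
    LOG=$1
    CLEANUP=
else
    LOG=$(mktemp)
    write_sample_log "$LOG"
    CLEANUP=$LOG
fi
echo "rejected relay attempts: $(relay_denied_total "$LOG")"
relay_denied_by_source "$LOG"
if [ -n "$CLEANUP" ]; then rm -f "$CLEANUP"; fi
```

On a box like the asker's the same pipeline can be pointed at the rotated syslog.# files to see when the probing started, which is the comparison the earlier comment was reaching for.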

Author Comment by faridsaleh, ID: 39179995
Thanks;

While I generally understand your directions, I don't know how to do this. Would installing a firewall mean activating ipf? If yes, I looked at the ipf.conf file and it is empty. Can you send me an example of an ipf.conf file that blocks inbound traffic? Does that prevent other network activities? This server needs to do the following on the network.
- For some applications, check the license on a PC. The PC is the license server.
- Needs to see the other machines' file systems.
- Needs to share some of its file systems with other machines.
- Should be able to communicate with ExpanDrive running on a PC to see its file system, and I guess ExpanDrive uses ssh.

Regards.
Expert Comment by gheist (LVL 61), ID: 39180678
Do you use some enterprise monitoring software? That might query e.g. Oracle status via SNMP...
Expert Comment by blu (LVL 22), ID: 39180823
The proper way to disable snmp is to run this command:

svcadm disable svc:/application/management/snmpdx:default

What do the email messages in the syslog say? Maybe snmp is just trying to send you an alert about something and can't do it.

Author Comment by faridsaleh, ID: 39186545
Thanks for the comments. Sorry, I was busy at work and did not get to this.

In response to gheist: No, I don't use any monitoring software, unless something started on the machine that I don't know about. This machine is at my home office and is not part of a large network. I run engineering applications on it.

In response to blu: I ran the command, but it does not seem to stop snmpd. It is still running. I have a copy of the syslog file attached to my previous comment if you would like to look at it. Based on the syslog, it seems that the machine is trying to relay some emails whose sender or receiver I do not know.
Accepted Solution by blu (LVL 22), earned 500 total points, ID: 39186653
I missed one service. Run this command:

svcadm disable svc:/application/management/sma:default
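As an added check after running the two svcadm commands above (this is example code, not from blu or the thread), the script below reports which of the two SNMP-related SMF services is still enabled and turns off whatever remains, then confirms no snmpd process is left. It reads `svcs -H -o state,fmri` output, which on Solaris 10 prints the state and FMRI of each service; the parsing function takes that text as an argument so it can also be exercised with constructed output off-box. The two FMRIs are the ones quoted in this thread; using pgrep to confirm snmpd is gone is an assumption about the box, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): confirm both Solaris 10 SMF services
# that can run snmpd (snmpdx and the System Management Agent, sma) are
# disabled, and disable any that are still on. FMRIs are the ones quoted in
# the thread; everything else here is an assumption for illustration.

SNMP_SERVICES="svc:/application/management/snmpdx:default svc:/application/management/sma:default"

# still_online SVCS_OUTPUT
# SVCS_OUTPUT is text in the form produced by `svcs -H -o state,fmri`, e.g.
#   online         svc:/application/management/sma:default
# Prints the FMRIs of the SNMP services whose state is anything other than
# "disabled" (online, offline, maintenance all count as "still on"), so an
# empty result means both services are off.
still_online() {
    printf '%s\n' "$1" | while read -r state fmri; do
        for svc in $SNMP_SERVICES; do
            if [ "$fmri" = "$svc" ] && [ "$state" != "disabled" ]; then
                printf '%s\n' "$fmri"
            fi
        done
    done
}

# On a real Solaris 10 host: query SMF, disable what is still on, and check
# the process table. Skipped where svcs is not available (e.g. off-box).
if command -v svcs >/dev/null 2>&1; then
    for fmri in $(still_online "$(svcs -H -o state,fmri $SNMP_SERVICES 2>/dev/null)"); do
        echo "disabling $fmri"
        svcadm disable "$fmri"
    done
    # With both services disabled nothing should restart snmpd
    pgrep -l snmpd || echo "snmpd is not running"
fi
```

The reason for checking both FMRIs rather than just killing the process is the one the thread shows: SMF restarts a service that is merely killed, so a lone `kill` on snmpd only masks the activity until the next restart, while the disable is what actually stops it.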
Expert Comment by skullnobrains (LVL 26), ID: 39187711
"Can you send me an example of the ipf.conf file that blocks inbound traffic."

# ipf sample dummy conf

# allow outgoing traffic from the machine
pass out all

# allow incoming ssh from everywhere, log first packet of each session
pass in log first quick from any to 0/32 port = 22 keep state

# allow network traffic from lan 10
pass in from 10/8 to 0/32 keep state

# explicitly forbid email traffic from the WAN
# useless but I add it so you have the syntax for interface matching
# this is more secure than using ip addresses
# the interface name is the same as in ifconfig
# (replace WANIFACE with the real interface name shown by ifconfig)
block in on WANIFACE from any to any port = 25

# block everything else
block in all


----

But such a volume of email is by no means what makes snmpd run wild.

If you block the SNMP port in the firewall without stopping the process, you'll be able to determine whether some external devices are polling SNMP info or whether snmpd is going wild by itself.

It would be very interesting to run a trace on the snmp process to know what is wrong, but if you do not need it (which I assume, if you do not know about it), you can safely kill and disable it. Whether you use it or not, the network will most definitely not die if you kill it.
Author Comment by faridsaleh, ID: 39189783
Thanks blu, the command worked and stopped the activity. How it was enabled I have no idea.

Thanks skullnobrains too. I will keep the copy of the ipf.conf. It may come in handy sometime.