SUMMARY: SNMP question

From: Jonathan Williams (jonathw@shubertorg.com)
Date: Wed Apr 30 2003 - 16:06:21 EDT


Thank you all for the quick and very informative responses. They were all
pretty much the same thing, so I will just paste one of the responses I
received. The following was sent by Joseph Senulis:

"Hi Jonathan,
     What you sort of did was prevent any public read access of any SNMP
info. This may be a good thing. However, the default /etc/snmpd.conf has
this as being the only access to SNMP. Assuming that you were working in an
unmodified config file, you effectively turned off all access to SNMP. If
you don't want SNMP, then the best/safest thing is to not start it in the
first place. (You can rename the /sbin/rc*.d/*snmpd files to do that.) If
you do need to give read access to external monitoring SNMP devices, then
the recommended procedure is to use a different community string than
"public" for both the monitor and the daemon. The issue is that a cracker
can use an SNMP monitor to query an SNMP daemon and get lots of information
about what is running there. Since all SNMP daemons come with the public
community string by default, this is an easy thing for a cracker to check.
It is still possible for a cracker to try all possible community strings to
query the SNMP daemon, but the risk is much lower.
--Joe"

So that pretty much explains it.

Oh, and I'd also like to thank Selden Ball for pointing out that I was confusing
SNMP (Simple Network Management Protocol) with SMTP (Simple Mail Transfer
Protocol). ;)

Thank you to everyone else for their replies as well.

Jonathan Williams
Unix Systems Administrator
The Shubert Organization, Inc.

----- Original Message -----
From: "Jonathan Williams" <jonathw@shubertorg.com>
To: "tru64-unix-managers" <tru64-unix-managers@ornl.gov>
Sent: Wednesday, April 30, 2003 3:11 PM
Subject: SNMP question

> We recently had a security audit done on our systems (ES40 ES45 running a
> mixture of Tru64 5.1a and 5.1b). One of the items that came up as a problem was
> that an SNMP agent responds to the community name "public". They suggest
> setting the community strings to a non-default name.
> Now I really don't know anything about SNMP, but I did a little digging and
> found the config file /etc/snmpd.conf and took a look at it. Sure enough, there
> was a line that read "community public 0.0.0.0 read" and this
> was the only "community" line in the file. So on a test system I just commented
> out this line, did a "/sbin/init.d/snmpd read", and did an SNMP request from
> another system (snmp_request <system name> public get 1.3.6.1.2.1.1.1.0) and got
> a "no reply" which I figure is a good thing (this same request done on another
> system came up with lots of system info).
> I was just wondering if it was OK to leave this line commented out? Or should I
> change the name "public" to something else? I figure this has something to do
> with email (but I could be wrong), and being we don't have any email programs
> running on these systems, I figure I could just leave this commented out. I
> know this is probably a "newb" question, but the bosses want any security holes
> plugged ASAP. TIA
>
> Jonathan Williams
> Unix Systems Administrator
> The Shubert Organization, Inc.
>
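The thread's advice boils down to three checks on /etc/snmpd.conf: no default community name such as "public", no community line that answers any source address (the 0.0.0.0 in the quoted line), and, if no community line is active at all, the daemon answers nobody and should simply not be started. The following audit script is an added example written for this summary; it is not code from the thread or from Tru64. It assumes the four-field line format seen in the quoted line ("community <name> <source-address> <access>") and that a leading "#" comments a line out, as the poster did; the sample configuration is constructed here, not taken from the poster's systems.

```python
from dataclasses import dataclass

# Constructed sample snmpd.conf, modelled on the line format quoted in the
# thread ("community public 0.0.0.0 read"). Not a real file from any host.
SAMPLE_SNMPD_CONF = """\
# constructed sample, not a real configuration
sysLocation  Machine room
community public 0.0.0.0 read
community private 0.0.0.0 write
#community public 0.0.0.0 read
community ops-mon-2003 192.0.2.10 read
"""

# Vendor defaults that every scanner tries first (the thread's point).
DEFAULT_NAMES = {"public", "private"}
# Source address that, per the quoted config line, means "any host".
ANY_HOST = "0.0.0.0"


@dataclass
class Finding:
    line_no: int
    community: str
    source: str
    access: str
    issues: tuple


def parse_community_lines(text):
    """Yield (line_no, name, source, access) for each active 'community' line.

    Anything after '#' is treated as a comment, so a line the administrator
    commented out (as the poster did) is skipped, just as the daemon would.
    Assumed format: community <name> <source-address> <access>.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) == 4 and fields[0].lower() == "community":
            yield n, fields[1], fields[2], fields[3].lower()


def audit_snmpd_conf(text):
    """Return (active_line_count, findings) for one snmpd.conf text.

    active_line_count == 0 reproduces the poster's situation: SNMP is
    effectively off, and the cleaner fix is not to start snmpd at all.
    """
    findings = []
    active = 0
    for n, name, src, access in parse_community_lines(text):
        active += 1
        issues = []
        if name.lower() in DEFAULT_NAMES:
            issues.append("default community name")
        if src == ANY_HOST:
            issues.append("accepts requests from any source address")
        if access in ("write", "readwrite"):
            issues.append("write access granted")
        if issues:
            findings.append(Finding(n, name, src, access, tuple(issues)))
    return active, findings


def report(text):
    """Human-readable summary of audit_snmpd_conf()."""
    active, findings = audit_snmpd_conf(text)
    lines = []
    if active == 0:
        lines.append("no active community lines: snmpd answers nobody; "
                     "consider not starting it (rename /sbin/rc*.d/*snmpd)")
    for f in findings:
        lines.append(f"line {f.line_no}: community '{f.community}' from "
                     f"{f.source} ({f.access}): " + "; ".join(f.issues))
    if active and not findings:
        lines.append("no default names, wildcard sources or write access found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SNMPD_CONF))
```

Run against a real file with `audit_snmpd_conf(open("/etc/snmpd.conf").read())`; a specific monitor address paired with a non-default name (the last sample line) passes all three checks, which is the configuration Joe's reply recommends when external monitoring is required.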



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:17 EDT