HPE Community
Switches, Hubs, and Modems
1753964 Members
7403 Online
108811 Solutions
New Discussion юеВ

Unsecure SNMP default settings?

 
RicN
Valued Contributor

тАО09-17-2008 03:42 AM

тАО09-17-2008 03:42 AM

Unsecure SNMP default settings?


Hello all,

in most Procurve switches is the following line default:

snmp-server community "public" unrestricted

That does mean that the switch is open for unrestricted read/write from any SNMP device that knows the default "password" / community name?
0 Kudos
6 REPLIES 6
Matt Hobbs
Honored Contributor

тАО09-17-2008 04:04 AM

тАО09-17-2008 04:04 AM

Re: Unsecure SNMP default settings?

Yep
0 Kudos
RicN
Valued Contributor

тАО09-17-2008 04:09 AM

тАО09-17-2008 04:09 AM

Re: Unsecure SNMP default settings?


>Yep

That is not so good. :)

Is the recommendation to change the community name, or to switch to "restricted" mode or to disable SNMPv2 totaly?
0 Kudos
Matt Hobbs
Honored Contributor

тАО09-17-2008 04:54 AM

тАО09-17-2008 04:54 AM

Re: Unsecure SNMP default settings?

Ideally you'd use SNMPv3 but if you're not too worried about any eavedropping, changing the community names would go a long way.
0 Kudos
Andr├й Beck
Honored Contributor

тАО09-21-2008 06:04 AM

тАО09-21-2008 06:04 AM

Re: Unsecure SNMP default settings?

Hi,

interesting default, isn't it?

I assume it's there for easy grabbing of new devices by PCM+, neglecting all the potential issues that follow. A question of misinterpretation of destination audience, if you ask me. Helping fools build networks will end in networks built by fools...

In a typical internal network, I propose to degrade the community "public" to read-only and operator level and introduce a new read-write and unrestricted community if necessary (let's say for PCM+) - and of course not call it "private" ;)

If there are concerns about "public", get rid of it altogether. If there are even more concerns, either switch to SNMPv3 or get rid of SNMP. It's a question of how you manage the devices.

Andre.
0 Kudos
RicN
Valued Contributor

тАО09-21-2008 06:24 AM

тАО09-21-2008 06:24 AM

Re: Unsecure SNMP default settings?


Hello Matt and Andre, and thank you for your answers!

It is actually very strange that HP in 2008 still uses this kind of default. (And of course other strange things like http and telnet server enabled by default, with dhcp address and no password.)

>Helping fools build networks will end in
>networks built by fools...

That is most likely true. I belive Microsoft has suffered a lot from this, by having operating systems that probably in reality have the same complexity as any Unix-systems or similar, but giving them an interface that makes it possible for most people to install it without any knowledge - that will of course lead to a lot of badly runned servers..
0 Kudos
Mohieddin Kharnoub
Honored Contributor

тАО09-21-2008 11:12 AM

тАО09-21-2008 11:12 AM

Re: Unsecure SNMP default settings?

Hi

Few stuff i always recommend to do on any new ProCurve Switch:

- Disable the default SNMP settings.
- Create a new SNMP communities, one for Read, and another for Read/Write (IN case PCM+ or any other management software is installed).
- Enable Console inactivity timer:
Sw(config)#console inactivity 15 (minutes).
- Set the Date and Time since its VERY important to keep an eye on the logs.
- Set the Syslog server destination as the PCM+ (if its installed).
- If Vlan1 will not be used, Disable the DHCP IP from this Vlan.

Good Luck !!!
Science for Everyone
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.