Email Subscription Notifications Suspended Temporarily
We are in the process of making navigation in the Servers and Operating Systems forums simpler and more direct. While doing this, we have to temporarily suspend email notifications for subscriptions. If you are subscribed to one or more discussion boards or blogs in the community, please check them daily to see new content. Notifications will be turned back on in a few days. We apologize for any inconvenience this may cause. Thanks, Warren_Admin
Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Unsecure SNMP default settings?

RicN
Valued Contributor

Unsecure SNMP default settings?


Hello all,

in most Procurve switches is the following line default:

snmp-server community "public" unrestricted

That does mean that the switch is open for unrestricted read/write from any SNMP device that knows the default "password" / community name?
6 REPLIES
Matt Hobbs
Honored Contributor

Re: Unsecure SNMP default settings?

Yep
RicN
Valued Contributor

Re: Unsecure SNMP default settings?


>Yep

That is not so good. :)

Is the recommendation to change the community name, or to switch to "restricted" mode or to disable SNMPv2 totaly?
Matt Hobbs
Honored Contributor

Re: Unsecure SNMP default settings?

Ideally you'd use SNMPv3 but if you're not too worried about any eavedropping, changing the community names would go a long way.
André Beck
Honored Contributor

Re: Unsecure SNMP default settings?

Hi,

interesting default, isn't it?

I assume it's there for easy grabbing of new devices by PCM+, neglecting all the potential issues that follow. A question of misinterpretation of destination audience, if you ask me. Helping fools build networks will end in networks built by fools...

In a typical internal network, I propose to degrade the community "public" to read-only and operator level and introduce a new read-write and unrestricted community if necessary (let's say for PCM+) - and of course not call it "private" ;)

If there are concerns about "public", get rid of it altogether. If there are even more concerns, either switch to SNMPv3 or get rid of SNMP. It's a question of how you manage the devices.

Andre.
RicN
Valued Contributor

Re: Unsecure SNMP default settings?


Hello Matt and Andre, and thank you for your answers!

It is actually very strange that HP in 2008 still uses this kind of default. (And of course other strange things like http and telnet server enabled by default, with dhcp address and no password.)

>Helping fools build networks will end in
>networks built by fools...

That is most likely true. I belive Microsoft has suffered a lot from this, by having operating systems that probably in reality have the same complexity as any Unix-systems or similar, but giving them an interface that makes it possible for most people to install it without any knowledge - that will of course lead to a lot of badly runned servers..
Mohieddin Kharnoub
Honored Contributor

Re: Unsecure SNMP default settings?

Hi

Few stuff i always recommend to do on any new ProCurve Switch:

- Disable the default SNMP settings.
- Create a new SNMP communities, one for Read, and another for Read/Write (IN case PCM+ or any other management software is installed).
- Enable Console inactivity timer:
Sw(config)#console inactivity 15 (minutes).
- Set the Date and Time since its VERY important to keep an eye on the logs.
- Set the Syslog server destination as the PCM+ (if its installed).
- If Vlan1 will not be used, Disable the DHCP IP from this Vlan.

Good Luck !!!
Science for Everyone