HPE Community
Operating System - HP-UX
1830944 Members
2257 Online
110017 Solutions
New Discussion

SNMP Community Strings - not secure enough?

 
Duncan Beattie
Occasional Advisor

‎07-05-2002 01:49 AM

‎07-05-2002 01:49 AM

SNMP Community Strings - not secure enough?

Hi

I need to have SNMP daemon running on my HP servers, so cannot turn it off. I have configured a complex community string in snmpd.conf and set daemon to reply only to our management server's snmp requests (on IP 100.20.30.40 for example).

/etc/SnmpAgent.d/snmpd.conf therefore has these entries:
get-community-name: {complex string} IP: 100.20.30.40 OVhost
set-community-name: {complex string} IP: 100.20.30.40 OVhost
trap-dest: OVhost

From my Openview station (100.20.30.40 - OVhost) I can run..
#snmpwalk -c (complex string) hostname system
..and I get a reply.

This configuration bypasses the default 'public' community string vulnerability, but I have recently found (through a Nessus scan) that my snmp daemon is replying to hosts (other than 100.20.30.40) with a community string of 'snmpd'.

#snmpwalk -c snmpd hostname

Are there further tweaks I can make to the snmp configuration, or am I better using TCP wrappers to address this vulnerability.

Thanks in advance.

Duncan


0 Kudos
Reply
4 REPLIES 4
Wodisch_1
Honored Contributor

‎07-06-2002 02:53 PM

‎07-06-2002 02:53 PM

Re: SNMP Community Strings - not secure enough?

Hi Duncan,

what you have found is an old SNMP weakness (hardcoded SNMP community strings), which was disclosed to the public the previous year (Sun did it, too).
You'll have to upgrade to the current version...

And for security reasons your only choice is SNMPv3, which encrypts the whole communication...

Just my $0.02,
Wodisch
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-07-2002 05:12 AM

‎07-07-2002 05:12 AM

Re: SNMP Community Strings - not secure enough?

Hi,

Some additional security measures you can take:

1) have the network management station (NMS) residing in the same subnet as your managed HP-UX servers behind the firewall and have your firewall filter out all inbound snmp service port 161/162 UDP/TCP traffic. A network-based firewall is ideal, if not a host-based tcpwrapper or netfilter should suffice.

2) run your snmp daemons to run at a different port e.g. UDP 65535. This is a kind of security by obscurity in that sense but helps mitigate some part of the security risk involved with snmp.

3) allow only read-only MIB access via snmp (i.e. snmpget, snmpwalk). For security reasons, don't ever allow a write to the MIB (i.e. snmpset).

4) install your server with the latest snmp-related security patches.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
Bill Thorsteinson
Honored Contributor

‎07-08-2002 06:52 AM

‎07-08-2002 06:52 AM

Re: SNMP Community Strings - not secure enough?

If your router supports it, filter snmp traffic to allow
only the control station to send/recieve SNMP requests.

As already noted restrict SNMP at all your firewalls.

Ipwrappers would be a nice enhancement to SNMP security.
0 Kudos
Reply
Duncan Beattie
Occasional Advisor

‎07-08-2002 07:00 AM

‎07-08-2002 07:00 AM

Re: SNMP Community Strings - not secure enough?

Thanks very much for your replies - I think I'm going to introduct IPFiltering on the HPUX 11.00 servers that support it, and TCP Wrappers on the 10.20 boxes.

Thanks again for your advice

Duncan
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.