HPE Community
Operating System - HP-UX
1848033 Members
2702 Online
104022 Solutions
New Discussion

snmpd.conf & MC/SG

 
SOLVED
Go to solution
Matthew Ghofrani
Regular Advisor

‎10-25-2001 08:02 AM

‎10-25-2001 08:02 AM

snmpd.conf & MC/SG

HP has done a preliminary security survey of our 4 clustered servers. One of the recommendations is to either disable or secure the SNMP service. Are there any "gotchas" I should be aware of in editing snmpd.conf to restrict "get-community-name"? If I only want SNMP for cluster purposes, is listing the four servers in the "get" restriction sufficient?
Life is full of bugs
0 Kudos
3 REPLIES 3
Sridhar Bhaskarla
Honored Contributor

‎10-25-2001 08:37 AM

‎10-25-2001 08:37 AM

Re: snmpd.conf & MC/SG

cmsnmpd, snmp subagent for cluster registers with the master snmp daemon snmpdm. So, restricting the community in /etc/SnmpAgent.d/snmpd.conf would restrict cmsnmpd also.

Now about restricting access to systems, you don't want to specify anything other than your network management server in the snmpd.conf file. You would give access to your NMS server to query MIB objects of the cluster. What is your Network Management server?.

You need to set the get-community-name to anything other than 'public' and restrict access to the IP address of your network management server (or whatever that you use to query snmp MIBs of these servers).
An example configuration is like this

get-community-name some_string_here
get-community-name operator IP:IP_addr_of_nms
trap-dest: IP_addr_of_nms


-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Rainer von Bongartz
Honored Contributor

‎10-25-2001 10:02 PM

‎10-25-2001 10:02 PM

Solution

Re: snmpd.conf & MC/SG

Jerry,

You said you want to use snmp only for 'cluster purposes'. In a high available environement it should make sense to use Event monitoring Services (EMS) from HP to check the status of your HW and certain conditions in your system before they might leasd to a problem.
Parts of EMS depend on snmp and changing community name leads to problems with EMS, which has to be reconfigured also using a different community name.

Just a thought as this has happended to me

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
0 Kudos
Matthew Ghofrani
Regular Advisor

‎09-20-2005 01:41 AM

‎09-20-2005 01:41 AM

Re: snmpd.conf & MC/SG

Thanks
Life is full of bugs
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.