Mailinglist Archive: opensuse-security (556 mails)
| < Previous | Next > |
AW: [suse-security] ucd-snmpd default configuration
- From: "Reckhard, Tobias" <Reckhard@xxxxxxxxxx>
- Date: Mon, 3 Sep 2001 08:54:45 +0200
- Message-id: <96C102324EF9D411A49500306E06C8D13481B6@xxxxxxxxxxxxxxxxx>
> SNMP is not only read but write typically. Community strings are often
> easy
> to guess, easier to sniff (cleartext). I suggest _heavilly_ firewalling
> snmp
> and maybe using ssh port forwarding or ipsec to encrypt it.
>
SSH won't help, as it can only perform port forwarding of TCP ports, AFAIK,
while SNMP uses UDP only. I suggest a physically separate LAN or IPSec for
SNMP (and syslog, BTW). And you should configure your SNMP server as tightly
as possible. Make snmpwalk show only what it needs to.
Cheers
Tobias
> easy
> to guess, easier to sniff (cleartext). I suggest _heavilly_ firewalling
> snmp
> and maybe using ssh port forwarding or ipsec to encrypt it.
>
SSH won't help, as it can only perform port forwarding of TCP ports, AFAIK,
while SNMP uses UDP only. I suggest a physically separate LAN or IPSec for
SNMP (and syslog, BTW). And you should configure your SNMP server as tightly
as possible. Make snmpwalk show only what it needs to.
Cheers
Tobias
| < Previous | Next > |