* Reckhard, Tobias wrote on Mon, Sep 03, 2001 at 10:07 +0200:
SNMP is not only read but write typically.
In its default configuration, really?
I'd suppose so as well. It depends on the configuration of the SNMP server.
Well, I had guessed the same :) I'm interested in info about the default config. As I said, it's "not" configured :)
I thought it's possible to set up SNMP using some encryption by itself, but a quick search didn't find a useful HOWTO about SNMP, encryption, or security... Except "disable if not needed"...
AFAIK, SNMPv3 will support encryption and a decent authentication scheme, but most SNMP implementations out there are still v1 or v2. Actually, I think that the SNMPv3 standard hasn't even been passed yet.
Ohh, it's amazing... I cannot understand why it's so problematic to add some secure hash to a packet for message authentication. Would be better than nothing. Hum.
Yep, of course the firewalls restrict it to just one machine, but I would like to make sure that the snmpd will not allow bad things under any circumstances. Firewalling is quite clear, like always :)
Well, you can never be 100% sure... (responding to your phrase "...under *any* circumstances..."). And whether things are good or bad depends a lot on the context they happen in.
Yep, of course, I meant, even for clients with the right anything it should reject any write access.
IPSec with each machine is too expensive and won't help, since if the monitor gets compromised IPSec can be used by unauthorized software - same for SSH, so I don't see a big improvement.
Why do you consider IPSec too expensive? As it is, you don't need to do IPSec with all hosts, you can configure it on a host by host basis. In fact, you need to, unless you've got DNSSEC set up, as you need a host-specific authentication entity for each host.
:) Well, I want to set up SNMP for minimal statistic collections (in this first step). I thought this was easy, but I think I need some hours to create a config file. Maybe somebody on this list could post some excerpts with hints. But thanks for the tip.
IPSec can prevent spoofing and keep sniffers from reading your SNMP data as well.
Yep, I run IPSec on several machines and I like it, really. But now I have some machines with SNMP. I don't want to hack them all into an IPSec config. Some of them run old distros but are not scheduled for updates. All in all it would take hours to set it up and test it. Address spoofing is a topic and the reason for my wish to disable "write" operations.

Does somebody on the list have a "more-secure-than-default" config for snmpd for r/o access only? I would like to get a copy since I think it's easier and more secure to adapt such a file.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
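An added example, not part of the original message: a small Python check that reads an snmpd.conf and reports every directive that grants write access or accepts requests from any source address, which is the read-only property asked for above. It assumes Net-SNMP-style directives (`com2sec`, `access`, `rocommunity`, `rwcommunity`); both sample configs, the community strings and the 192.0.2.10 address are constructed.

```python
import shlex

# Constructed sample configs, not taken from the thread.
WEAK = '''\
com2sec  anyone   default   public
group    MyGroup  v1        anyone
view     all      included  .1
access   MyGroup  ""  any  noauth  exact  all  all  none
rwcommunity  private
'''

HARDENED = '''\
# one monitoring host only (192.0.2.10 is a documentation address)
com2sec  monitor  192.0.2.10  constructed-community
group    ROGroup  v1   monitor
view     stats    included  .1.3.6.1.2.1
access   ROGroup  ""  any  noauth  exact  stats  none  none
'''

ANY_SOURCE = {"default", "0.0.0.0/0"}

def audit(conf):
    """Return (line_number, message) for each directive that grants write
    access or accepts requests from any source address."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments, keeps ""
        if not tok:
            continue
        name = tok[0].lower()
        if name in ("rwcommunity", "rwcommunity6", "rwuser"):
            findings.append((n, f"{name} grants write access"))
        elif name == "access" and len(tok) >= 9 and tok[7].lower() != "none":
            # access NAME CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            findings.append((n, f"write view is '{tok[7]}', expected none"))
        elif name == "com2sec" and len(tok) >= 4 and tok[2].lower() in ANY_SOURCE:
            # com2sec NAME SOURCE COMMUNITY
            findings.append((n, "com2sec accepts any source address"))
        elif name == "rocommunity" and (len(tok) < 3 or tok[2].lower() in ANY_SOURCE):
            # rocommunity COMMUNITY [SOURCE [OID]]
            findings.append((n, "rocommunity has no source restriction"))
    return findings

if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(conf) or "no write access, sources restricted")
```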