SNMP Agent Default Community Name (public) (High) risk

DCIM_Support · ‎2020-07-04

This question was originally posted on DCIM Support by Shaik Mahboob Ali on 2018-03-28

Hi Team,

Our IT Security is recommendation below. Please advise how to over come this vulnerability of public string.

Synopsis

The community name of the remote SNMP server can be guessed.
Description

It is possible to obtain the default community name of the remote SNMP server.

An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).
Solution

Disable the SNMP service on the remote host if you do not use it. Either filter incoming UDP packets going to this port, or change the default community string

DCIM_Support · ‎2020-07-04

This answer was originally posted on DCIM Support by Christopherus Laurentius on 2018-03-28

DCO?

Do any of the following from Webmin

Disable SNMPv1 if you are not monitoring DCO via SNMP
Use SNMPv3 instead
Or simply change the community string

Enabling Data Center Operation monitoring through Data Center Expert

Edit 1:

DCE:

SNMP access to DCE can be enabled/disabled or you can change the community name from:

Server Access

See Answer In Context

DCIM_Support · ‎2020-07-04

This answer was originally posted on DCIM Support by Christopherus Laurentius on 2018-03-28

DCO?

Do any of the following from Webmin

Disable SNMPv1 if you are not monitoring DCO via SNMP
Use SNMPv3 instead
Or simply change the community string

Enabling Data Center Operation monitoring through Data Center Expert

Edit 1:

DCE:

SNMP access to DCE can be enabled/disabled or you can change the community name from:

Server Access

DCIM_Support · ‎2020-07-04

This comment was originally posted on DCIM Support by Steven Marchetti on 2018-03-28

In addition to Chris' comments, the "public" read string is a common default. It can simply be changed to something other than "public" as you yourself noted.

DCIM_Support · ‎2020-07-04

This answer was originally posted on DCIM Support by Ed Tarento on 2018-04-01

Always change the SNMP V1 community string.

Depending on customer requirements and security considerations I often recommend not using SNMP V1 write.

You can further secure your SNMP agents by allowing only SNMP read (GET etc) from selected IP addresses, e.g. DCE.

DCIM_Support · ‎2020-07-04

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.