How to disable SNMP v1 and v2c leaving SNMPv3 enabled?

What is SNMP?

Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. Microsoft Windows Server 2003 provides SNMP agent software that works with third-party SNMP management software to monitor the status of managed devices and applications.

What are the different SNMP versions? v1, v2c, v3

  • SNMP version 1: the oldest flavor. Easy to set up – it only requires a plaintext community. The biggest downsides are that it supports only 32-bit counters, not 64-bit counters, and that it has little security. A community string sent in plaintext, possibly from a restricted range of allowed IP addresses, is as good as the security gets. In other words, there is no security against someone with access to the network – such a person will be able to see the community string in plaintext, and spoofing a UDP packet’s source IP is trivial. (On the other hand, if your device is set up to only allow SNMP read-only access, the risk is fairly small, and confined to evil people with access to your network. If you have evil people with this access, SNMP is probably not what you need to be worrying about.)

 

  • SNMP version 2c: in practical terms, v2c is identical to version 1, except it adds support for 64-bit counters. This matters, especially for interfaces. Even a 1Gbps interface can wrap a 32-bit counter in 34 seconds. This means that a 32-bit counter polled at one-minute intervals is useless: given successive values of 30 and 40, it cannot tell whether only 10 octets were sent in that minute or 4294967306 (2^32 + 10) octets were sent in that minute. Most devices support SNMP v2c nowadays, and generally do so automatically. There are some devices that require you to explicitly enable v2c – in which case, you should always do so. There is no downside.

 

  • SNMP version 3: adds security to the 64-bit counters. SNMP version 3 adds both encryption and authentication, which can be used together or separately. Setup is more complex than just defining a community string – but then, what security is not? If you require security, this is the way to do it.

Note that while you may have to configure the SNMP version on the devices that are being monitored, you do not have to configure the version to be used in LogicMonitor. LogicMonitor will automatically try version 3; if that does not succeed, it tries version 2, and only if that does not respond will it use version 1. We try to keep the work away from you when we can.

 

Security issues and vulnerabilities of the SNMP protocol

 

How to disable SNMP v1 and v2c leaving SNMPv3 enabled?

To disable SNMP v1 and v2c on RHEL 5 and RHEL 6, edit the snmpd.conf file located in /etc/snmp.

Comment out these two lines:

com2sec notConfigUser  default       public
access  notConfigGroup ""      any       noauth    exact  systemview none none

To disable SNMP v1 only, just comment out this line:

group notConfigGroup v1 notConfigUser

NOTE: SNMP v2c is still available.

To disable SNMP v2c as well, comment out this line too:

group   notConfigGroup v2c  notConfigUser

Reload the service with this command:

# service snmpd reload

Check that SNMP v1 and v2c were successfully disabled:

# snmpwalk -v1 -c public localhost
Timeout: No Response from localhost

# snmpwalk -v2c -c public localhost
Timeout: No Response from localhost
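
The snmpwalk check above only tests the community string public, so a config-level audit is a useful complement. The following is an added example, not part of the original post: a shell function that lists the active snmpd.conf directives that still map a community string to v1/v2c access. The function names, the sample config and the rouser name monitor are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for active community-based (v1/v2c) directives.

# write_sample_conf FILE: writes a constructed sample in which the v1 group
# line is commented out but com2sec and the v2c group line are still active.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample config
com2sec notConfigUser  default       public
#group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
access  notConfigGroup ""      any       noauth    exact  systemview none none
rouser  monitor priv
EOF
}

# audit_snmpd_conf FILE: prints "LINE_NO: directive" for every uncommented
# directive that enables community-based access; returns 1 if any are found.
audit_snmpd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        # com2sec / com2sec6 map a community string to a security name
        $1 ~ /^com2sec6?$/ { print NR ": " $0; bad = 1; next }
        # rocommunity / rwcommunity (and IPv6 forms) are v1/v2c shorthand
        $1 ~ /^r[ow]community6?$/ { print NR ": " $0; bad = 1; next }
        # group NAME MODEL SECNAME: MODEL v1 or v2c is community-based
        $1 == "group" && ($3 == "v1" || $3 == "v2c") { print NR ": " $0; bad = 1; next }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on the constructed sample; point it at /etc/snmp/snmpd.conf on a real host.
sample=$(mktemp)
write_sample_conf "$sample"
audit_snmpd_conf "$sample" || echo "community-based SNMP access is still configured"
rm -f "$sample"
```

The access line is not flagged on its own, because without a com2sec and group mapping it grants nothing to community-based requests.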
