This commit is contained in:
waldek 2021-07-12 11:25:33 +02:00
parent e0744bd134
commit 28a9c2483d
1 changed files with 22 additions and 0 deletions


@ -415,3 +415,25 @@ If all of this is working it's time to stop offering version 1 and version 2.
This is again done on the **client** in the `/etc/snmp/snmpd.conf` file. This is again done on the **client** in the `/etc/snmp/snmpd.conf` file.
Locate the line starting with `rocommunity` and comment them out. Locate the line starting with `rocommunity` and comment them out.
Restart the service and now you're only offering v3 connections! Restart the service and now you're only offering v3 connections!
### Additional security with iptables
We have not seen iptables yet, but it's the main program in Linux to control incoming and outgoing connections.
Finally, we could ensure that no one except us can access SNMP form outside. The simplest way to achieve this is to add some firewall rules with iptables.
To ensure the iptable configuration will be loaded automatically install the following package in addition:
apt-get install iptables-persistent
This ensures that the iptable rules are automatically loaded after a reboot of the system, the rules will be loaded from a persistent stored file. To trigger an update of the currently used iptables of the system run one of the following commands:
```
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
```
Now we could add 4 new iptables entries to allow only access from our external system and block all other ones. Do not forget to replace 11.11.11.11 with your ip address or range.
```
iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 161 -j ACCEPT
iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 162 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 161 -j DROP
iptables -A INPUT -p udp -m udp --dport 162 -j DROP
```
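Review bot: the persistence step is in the wrong order and incomplete. The `iptables-save > /etc/iptables/rules.v4` command is shown before the four `iptables -A INPUT` rules, so a reader following the text top to bottom saves the rule set before the SNMP rules exist and loses them on reboot; move the save commands after the rules block (or repeat them there). The text also says to run "one of the following commands", but both files matter: `ip6tables-save` is listed, yet no `ip6tables` rules are added, so an agent reachable over IPv6 keeps accepting UDP 161 from any source after these rules are applied; either add matching `ip6tables -A INPUT ... --dport 161 -j DROP` rules or state that the filtering is IPv4-only. The two rules for port 162 are not explained anywhere in this hunk (the preceding section only configures `snmpd` on 161), so a sentence on when 162 needs to be open would help. Minor: "form outside" should be "from outside", and "iptable" should be "iptables" in two places.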