Hardening SNMP
If the SNMP service is to be made available, it must first be hardened by deleting communities, creating SNMPv3 users, and applying cryptographic settings.
Note
SNMP may not be required for normal operations, so this optional hardening step can be done at the end.
To harden SNMP, do the following:
Enter the following command to stop the SNMP service (if not already stopped):
$ service snmp stop
Delete default v1/v2c communities:
$ nmcfg community delete admin
$ nmcfg community delete public
Define a user for the remote administrator or NMS console. Do not use MD5 for authentication or DES for privacy on a hardened system:
$ nmcfg user define realadmin [sha] "pass phrase" [aes] "pass phrase"
$ nmcfg access usm permit realadmin admin [priv]
Example:
$ nmcfg user define realadmin sha PassPhrase1 aes PassPhrase2
Starting SNMP Service
$ nmcfg access usm permit realadmin admin priv
Starting SNMP Service
$ nmcfg access usm
model    perm/group      level   user/community       source
-------- --------------- ------- -------------------- ---------
usm      administrator   noauth  jsmith               -
usm      administrator   auth    jsmith3              -
usm      administrator   priv    realadmin            -
Restart the SNMP service:
$ service snmp start
Verify the SNMP settings:
$ nmcfg
Example:
$ nmcfg
system parameter          value
------------------------- -----------------------------------
engineid                  0x80001f88030050c2a99d7e
contact                   <undefined>
location                  <undefined>
model     perm/group        level   user/community       source
--------- ----------------- ------- -------------------- -------
usm       administrator     priv    realadmin            -
auth protocol     priv protocol     user
----------------- ----------------- --------------------
SHA               AES               realadmin
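The verification step can be scripted. The check below is an added example, not part of the original procedure or the product's own tooling: it parses the nmcfg tables in the layout shown in the examples above and flags leftover communities, USM entries below the priv level, and users configured with MD5 or DES. Treating every entry below priv as a finding, the "v2c" model label, and the user oldadmin are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `nmcfg` output (table layout as in the examples above).
# Reads the output on stdin, prints one finding per line, returns 1 if any.
audit_nmcfg() {
    awk '
    /^\$ /                               { tbl = ""; next }   # shell prompt line
    /^[- ]*$/                            { next }             # rulers, blank lines
    $1 == "system" && $2 == "parameter"  { tbl = "system"; next }
    $1 == "model"  && $2 == "perm/group" { tbl = "access"; next }
    $1 == "auth"   && $2 == "protocol"   { tbl = "proto";  next }
    tbl == "access" {    # columns: model perm/group level user/community source
        if ($1 != "usm")       { print "FAIL non-USM entry still defined: " $4; bad++ }
        else if ($3 != "priv") { print "FAIL " $4 " permitted at level " $3; bad++ }
    }
    tbl == "proto" {     # columns: auth-protocol priv-protocol user
        if (toupper($1) == "MD5") { print "FAIL " $3 " uses MD5 authentication"; bad++ }
        if (toupper($2) == "DES") { print "FAIL " $3 " uses DES privacy"; bad++ }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: the verify-step output shown above.
sample_hardened() {
cat <<'EOF'
$ nmcfg
system parameter          value
------------------------- -----------------------------------
engineid                  0x80001f88030050c2a99d7e
model     perm/group        level   user/community       source
--------- ----------------- ------- -------------------- -------
usm       administrator     priv    realadmin            -
auth protocol     priv protocol     user
----------------- ----------------- --------------------
SHA               AES               realadmin
EOF
}
# Constructed sample of an unhardened box; "v2c" as a model label and the
# user "oldadmin" are assumptions made for illustration.
sample_weak() {
cat <<'EOF'
model     perm/group        level   user/community       source
v2c       administrator     noauth  public               -
usm       administrator     noauth  jsmith               -
auth protocol     priv protocol     user
MD5               DES               oldadmin
EOF
}
sample_weak | audit_nmcfg || echo "not hardened"
```

On a live system, pipe the real output in with nmcfg | audit_nmcfg and act on any FAIL line before starting the service.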