[rrd-users] Re: Another MRTG security issis

David Gabler dgabler at TRUELINK.com
Mon Feb 4 20:52:42 MET 2002


The only issue here is where would you store it?  If you pass it in on the
command line, all a user needs to do is 'ps -H aux --cols=300' to get the
password (or check out the mrtg pid in /etc/proc).  You could store the snmp
password in a crypted file, and have a simple batch program that decrypts
the file, grabs the string, then replaces the string for the proper password
in the config, runs mrtg, and deletes the config.  That is a mess, and you have
to have the decryption key in plain text.

SNMP is also not secure (v1 at least).  In my mind it ranks up there with
telnet.  Just make sure you have your community strings set to something
other than public/private and that your file permissions are correct.

If you are truly paranoid, never use the set string.  Change it to something
insane or just blanket disable sets.

With public strings, the worst that can happen is someone can try to DoS
you with tons of SNMP requests (or heaven forbid, see your traffic stats),
but your systems should be set up well enough to not allow SNMP from outside
IPs; otherwise you have even bigger problems.

Hope this is not just a bunch of confusing double speak.

David


> -----Original Message-----
> From: Logg, Connie A. [mailto:cal at SLAC.Stanford.EDU]
> Subject: [rrd-users] Another MRTG security issis
> 
<snip>
> One of my concerns has always been the apparent need to have 
> the snmp community read string in the configuration file.  
> 
> Is there a way around this?  
> 
> Connie Logg
> 
> Connie Logg - Network Analyst - 650-926-2879
</snip>
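The two checks David recommends above (community strings not left at public/private, and correct permissions on the config that holds them) can be scripted. The following is an added example, not code from the post or from the MRTG project; it assumes MRTG's `Target[name]: port:community@host` syntax, uses a constructed sample config, and treats any group- or world-readable config file as a finding.

```python
import os
import re
import stat
import tempfile

# Constructed sample MRTG config (not from the original post). The Target
# syntax is MRTG's "port:community@host" form; the last target uses an
# external script in backticks and so carries no community string.
SAMPLE_CFG = """\
WorkDir: /var/www/mrtg
Target[core-gw]: 2:public@core-gw.example.net:
Target[edge-rtr]: 3:s3cr3tRO@edge-rtr.example.net:
Target[probe]: `/usr/local/bin/probe.sh`
"""

WEAK_COMMUNITIES = {"public", "private"}
TARGET_RE = re.compile(r"^Target\[([^\]]+)\]:\s*(\S+)")


def parse_targets(text):
    """Return {target_name: community_or_None} from MRTG Target lines."""
    found = {}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if not m:
            continue
        name, spec = m.groups()
        if spec.startswith("`") or "@" not in spec:
            found[name] = None          # script target or no SNMP host
            continue
        before_at = spec.split("@", 1)[0]
        # community sits between the port and the '@'; a bare
        # "community@host" (no port) is also accepted
        found[name] = before_at.split(":", 1)[1] if ":" in before_at else before_at
    return found


def weak_targets(text):
    """Names of targets whose community string is a well-known default."""
    return sorted(n for n, c in parse_targets(text).items()
                  if c and c.lower() in WEAK_COMMUNITIES)


def readable_by_others(path):
    """True if the file mode grants read to group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Return a list of human-readable findings for one MRTG config file."""
    with open(path) as f:
        text = f.read()
    findings = [f"{name}: default community string" for name in weak_targets(text)]
    if readable_by_others(path):
        findings.append(f"{path}: readable by group/other")
    return findings


def demo(mode):
    """Write SAMPLE_CFG to a temp file with the given mode, audit it, clean up.
    The temp path is replaced by '<cfg>' so results are stable."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(SAMPLE_CFG)
        os.chmod(path, mode)
        return [f.replace(path, "<cfg>") for f in audit(path)]
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), demo(mode))
```

Run it against a real config with `audit("/path/to/mrtg.cfg")`; an empty list means no default strings were found and the file is readable only by its owner. It does not address the `ps` exposure David describes for strings passed on the command line, only the config-file case.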

--
Unsubscribe mailto:rrd-users-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:rrd-users-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/rrd-users
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi
