[rrd-users] Re: Another MRTG security issue

Dave Plonka plonka at doit.wisc.edu
Mon Feb 4 21:10:29 MET 2002


On Mon, Feb 04, 2002 at 11:37:23AM -0800, Logg, Connie A. wrote:
> 
> 
> One of my concerns has always been the apparent need to have the snmp
> community read string in the configuration file.  

This is common for many network management systems, commercial and
otherwise.  They presume that the localhost is at least as secure as
your network.  (Not that this is always the case...)

However, it's not really all that helpful to protect the SNMP read
community value in the file-system.  This is because SNMP v1/v2 will
just put the community on the wire as plain text anyway.  So, anyone
with root privilege on one of the hosts involved in the SNMP
transaction can simply run tcpdump or ethereal to snoop the traffic and
determine the read community.

If you make it so that the script is only readable by root (or some
other user that you can only become by becoming root first), you
essentially avoid having unprivileged users reading the file to
determine your community string.  (Disallowing read-permission for
"other" may be sufficient, if you set the script and conf file to have
the right group.)

> Is there a way around this?  

Many of us just use "public" as our read-community, but then use our
router's SNMP security features to limit which hosts can perform SNMP
operations.  This is so-called "host-based" security, and is about all
that SNMP v1/v2 offers.  (Also, most of us never enable nor use SNMP
write capabilities...)

Dave

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
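[Added example, not part of Dave's post and not code from MRTG or
RRDtool.  It illustrates two points above: that an SNMPv1/v2c
community string is carried in every request as a plain BER OCTET
STRING, so whoever can see the UDP/161 payload (tcpdump 'udp port 161',
ethereal, or a few lines of Python) reads it directly, and that dropping
"other" read permission on the config file is the check that keeps
unprivileged local users from reading it.  The packet is constructed by
the script itself (community "public", sysDescr.0, request-id 1), and a
temporary file stands in for mrtg.cfg; all of those are assumptions of
the example.]

```python
"""Why hiding the community in mrtg.cfg buys little with SNMPv1/v2c.

build_get_request() constructs a sample SNMPv1 GetRequest (as an MRTG
poller would send it); community_from_snmp() plays the sniffer and
pulls the community straight out of the raw UDP payload.  The second
half checks the file-permission advice.  All inputs are constructed
for this example; nothing here is MRTG's own code.
"""
import os
import stat
import tempfile

# ---- minimal BER encoder (only what an SNMPv1/v2c message needs) ----

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x8N + N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)

def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit on all but last
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1,
                      version: int = 0) -> bytes:
    """SNMP message: SEQUENCE { version, community, GetRequest-PDU }.
    version 0 = SNMPv1, 1 = SNMPv2c.  One varbind with a NULL value."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

# ---- the "sniffer" side: decode just enough to read the community ----

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def community_from_snmp(payload: bytes):
    """(version, community) from a raw SNMP UDP payload, or None when the
    bytes are not an SNMPv1/v2c message (truncated, wrong tags, or an
    SNMPv3 message, which is laid out differently and has no community)."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = read_tlv(msg, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):
            return None
        tag, comm, _ = read_tlv(msg, pos)
        if tag != 0x04:
            return None
        return version, comm.decode("latin-1")
    except IndexError:
        return None

# ---- the file-permission check from the post ----

def config_is_private(path: str) -> bool:
    """True when 'other' has no read bit, i.e. chmod 640/600 style."""
    return not (os.stat(path).st_mode & stat.S_IROTH)

def demo_config_permissions() -> tuple:
    """Throwaway stand-in for mrtg.cfg: check it at the default 0644, then
    again after chmod 640.  Returns (before, after)."""
    fd, path = tempfile.mkstemp(prefix="mrtg-example-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = config_is_private(path)
        os.chmod(path, 0o640)
        after = config_is_private(path)
    finally:
        os.unlink(path)
    return before, after

if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(community_from_snmp(pkt))
    print(demo_config_permissions())
```

Feed community_from_snmp() the UDP payload of any captured poll (for
instance the bytes after the UDP header in a tcpdump -X dump of port
161) and it returns the community; the routing and chmod advice in the
post still matters, but only against local users and hosts that cannot
see the traffic.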

--
Unsubscribe mailto:rrd-users-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:rrd-users-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/rrd-users
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi