SNMP v3 network source restriction?

(Recycling this from "SNMP v3 network source restriction?" question on StackOverflow that so far got no answers.)

How does one restrict a set of SNMPv3 credentials to only work from a specific IP (range)? I.e. what is the minimum valid "snmpd.conf" file (on a CentOS 7.x host) where external SNMPv3 requests are restricted to a specific IP range?

My '/etc/snmp/snmpd.conf':

# com2sec: maps a v1/v2c community string arriving from SOURCE to the security name "mynetwork"
com2sec mynetwork  192.168.0.0/24    read_only_community_string
# group: places security name "mynetwork" (security model usm) into group MyROGroup
group   MyROGroup  usm               mynetwork
# view: view "all" covers the whole OID tree
view    all        included  .1
# access: MyROGroup, any context, any security model, minimum level noauth,
#         read view "all", no write view, no notify view
access  MyROGroup  ""      any       noauth    exact  all    none   none

The "mynetwork" SNMP v3 user was created via the 'net-snmp-create-v3-user' command and it works (polling data via a Solarwinds server). However, when I update the snmpd.conf file with a bogus IP (e.g. 1.1.1.1), it still works. When I do a similar configuration with SNMP v2 and community strings, the restrictions work as expected.

Help! 🙂

P.S. If this makes it easier: what is the simplest possible SNMP v3 configuration restricting access to a specific IP range?

P.P.S. To reiterate what I did:

  1. Ran the "net-snmp-create-v3-user" utility on a CentOS 7.7 VM to create an SNMP v3 "user" (with identical "authpass" and "privpass"). This appended a "rouser mynetwork" line to the existing "snmpd.conf". Restarted SNMP on the host.
  2. Entered the SNMP v3 credentials in Solarwinds NPM/SAM for the target host and confirmed they're working ("test credentials", stats collection, "list resources", etc.).
  3. Removed the "rouser mynetwork" line from "snmpd.conf" and replaced it with the above code block. Restarted the SNMP service. Confirmed the SNMPv3 credentials were still working in Solarwinds; the host was getting polled, stats collected, "list resources" working as expected after a refresh.
  4. Replaced the "com2sec mynetwork 192.168.0.0/24 read_only_community_string" line in snmpd.conf with "com2sec mynetwork 1.1.1.1 read_only_community_string", essentially telling SNMP to only allow "mynetwork" access from the bogus IP address 1.1.1.1. Restarted the SNMP service. At this point I expected the SNMP v3 credentials to stop working in my Solarwinds server for this host.
  5. Observed the SNMP v3 credentials still working: "test credentials" green, "list resources" producing the expected results after a refresh.

P.P.P.S. This is not a firewall question, please do not answer it as such. 🙂 The question is about tightening SNMP v3 configuration without involving a firewall. More on this:

  1. Changing firewall rules in the enterprise is a way bigger deal vs. tightening application or service configuration.
  2. If someone disables the firewall temporarily or by mistake, the service remains more secure.
  3. Attack surface reduction must happen at every level, especially at the application or service level.

Thanks!
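As an added illustration (not part of the post above, and not net-snmp's own code), the following small Python linter reads an snmpd.conf and flags the pattern the post describes. It relies on two net-snmp facts: `com2sec` only maps a (source, community) pair to a security name for v1/v2c requests, while for SNMPv3 the security name is the USM user name itself, so a `com2sec` source restriction never applies to a `group ... usm ...` member; and a VACM `access` line with minimum level `noauth` accepts noAuthNoPriv v3 requests, whereas `rouser` defaults to `auth`. The sample configuration embedded below is the four directives from the post; the function names and the exact warning wording are this example's own.

```python
"""Lint a net-snmp snmpd.conf for SNMPv3 (USM) access-control mistakes.

Added example: checks a config for (a) source restrictions that are
silently ignored for v3 users and (b) weaker-than-default v3 security levels.
"""

# Sample input: the four directives quoted in the post above.
SAMPLE_CONF = """\
com2sec mynetwork  192.168.0.0/24    read_only_community_string
group   MyROGroup  usm               mynetwork
view    all        included  .1
access  MyROGroup  ""      any       noauth    exact  all    none   none
"""


def parse(conf_text):
    """Yield (directive, args) tuples, skipping comments and blank lines."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # snmpd.conf comments start with '#'
        if not line:
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def lint(conf_text):
    """Return a list of human-readable findings for the given config text."""
    com2sec = {}        # security name -> list of SOURCE specs (v1/v2c only)
    usm_users = set()   # names defined by rouser / rwuser / createUser
    groups = {}         # group name -> list of (security model, security name)
    access = []         # raw args of each access directive

    for name, args in parse(conf_text):
        if name == "com2sec" and len(args) >= 3:
            if args[0] == "-Cn" and len(args) >= 5:   # optional context prefix
                args = args[2:]
            com2sec.setdefault(args[0], []).append(args[1])
        elif name in ("rouser", "rwuser", "createuser") and args:
            usm_users.add(args[0])
        elif name == "group" and len(args) >= 3:
            groups.setdefault(args[0], []).append((args[1].lower(), args[2]))
        elif name == "access" and len(args) >= 4:
            access.append(args)

    findings = []

    # (a) A com2sec SOURCE only constrains v1/v2c community-string requests.
    #     For model "usm" the security name is the v3 user name, so the
    #     source list has no effect on that group member.
    for gname, members in groups.items():
        for model, sec in members:
            if model == "usm" and sec in com2sec:
                findings.append(
                    f"group {gname}: com2sec source(s) {com2sec[sec]} for "
                    f"'{sec}' do not apply to USM (SNMPv3) requests; com2sec "
                    f"only maps v1/v2c community strings"
                )

    # (b) Minimum security level "noauth" on a group that contains usm
    #     members admits noAuthNoPriv v3 requests; rouser defaults to "auth".
    for args in access:
        gname, _context, model, level = args[:4]
        member_models = {m for m, _ in groups.get(gname, [])}
        if (model.lower() in ("usm", "any") and "usm" in member_models
                and level.lower() == "noauth"):
            findings.append(
                f"access {gname}: minimum level 'noauth' lets noAuthNoPriv "
                f"v3 requests through VACM; rouser defaults to 'auth'"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run against the posted configuration it reports both issues; a plain v2c configuration (`group ... v2c ...`) or a `rouser NAME priv` line on its own produces no findings, which matches the behaviour the post observed: the v2c source restriction is enforced, the v3 one is not.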
