FAQ:Agent 20

From Net-SNMP Wiki

How can I stop other people getting at my agent?

Firstly, are you concerned with read access or write access?

As far as changing things on the agent is concerned, there is relatively little that can actually be altered (see the entry Why can't I set any variables in the MIB?).

If you are using the example config file, this is set up to allow read access from your local network, and write access only from the system itself (accessed as 'localhost'), both using the community name specified. You will need to set appropriate values for both NETWORK and COMMUNITY in this file before using it. This mechanism can also be used to control access much more precisely (see the next few questions for details).

Other options include:

  • Blocking access to port 161 from outside your organisation (using filters on network routers)
  • Using kernel-level network filtering on the system itself (such as IPTables)
  • Configuring TCP wrapper support ("--with-libwrap")
    (This uses the TCP 'libwrap' library, available separately, to allow/deny access via /etc/hosts.{allow,deny})

For strict security you should use only SNMPv3, which is the secure form of the protocol. However, note that the agent's access control mechanisms do not restrict SNMPv3 traffic by location - an SNMPv3 request will be accepted or rejected based purely on the user authentication, irrespective of where it originated. Source-based restrictions on SNMPv3 requests would need to use one of the "external" mechanisms listed above.
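One way to check an snmpd.conf against the points above, as an added example that is not part of the original FAQ or of Net-SNMP: it flags unreplaced NETWORK/COMMUNITY placeholders, communities accepted from any source, write access beyond localhost, and SNMPv3 users that need external source filtering. The function name, sample community strings and addresses are constructed for illustration, and only the rocommunity, rwcommunity, com2sec, rouser and rwuser directives are examined.

```python
# Added example (not Net-SNMP code): audit snmpd.conf access-control lines.
OPEN_SOURCES = {"default", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}
LOCAL_SOURCES = {"localhost", "127.0.0.1", "127.0.0.1/32"}

# Constructed sample configuration; community names and addresses are made up.
SAMPLE_CONF = """\
# constructed sample, not the distributed example config
rocommunity  s3cr3tRO   192.0.2.0/24
rwcommunity  s3cr3tRW   localhost
rocommunity  COMMUNITY  NETWORK/24
rwcommunity  s3cr3tRW   192.0.2.0/24
rocommunity  s3cr3tRO
rouser       monitor    priv
"""

def audit(conf_text):
    """Return (line_number, message) findings for access-control directives."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        directive = tok[0].lower()
        if directive == "com2sec" and tok[1:2] == ["-Cn"]:
            tok = tok[:1] + tok[3:]          # drop the optional context argument
        if directive in ("rocommunity", "rwcommunity") and len(tok) >= 2:
            community = tok[1]
            source = tok[2] if len(tok) > 2 else "default"   # no SOURCE: any host
        elif directive == "com2sec" and len(tok) >= 4:
            source, community = tok[2], tok[3]
        elif directive in ("rouser", "rwuser") and len(tok) >= 2:
            # SNMPv3: the agent checks the user, not where the request came from.
            findings.append((num, f"SNMPv3 user {tok[1]}: no source restriction "
                                  "in the agent; filter port 161 externally"))
            continue
        else:
            continue
        if community == "COMMUNITY" or "NETWORK" in source:
            findings.append((num, "placeholder COMMUNITY/NETWORK not replaced"))
        if source.lower() in OPEN_SOURCES:
            findings.append((num, "community accepted from any address"))
        if directive == "rwcommunity" and source.lower() not in LOCAL_SOURCES:
            findings.append((num, f"write access allowed from {source}, not only localhost"))
    return findings

if __name__ == "__main__":
    for num, msg in audit(SAMPLE_CONF):
        print(f"line {num}: {msg}")
```

The SNMPv3 finding is informational: it marks the users for which a router filter, host firewall rule or libwrap entry is the only source-based control.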
