Package: snmpd
Version: 5.9.3+dfsg-2
Severity: wishlist

In the snmpd configuration file, by default we have this:

# agentaddress: The IP address and port number that the agent will listen on.
# By default the agent listens to any and all traffic from any
# interface on the default SNMP port (161). This allows you to
# specify which address, interface, transport type and port(s) that you
# want the agent to listen on. Multiple definitions of this token
# are concatenated together (using ':'s).
# arguments: [transport:]port[@interface/address],...
agentaddress 127.0.0.1,[::1]
# ...
# Read-only access to everyone to the systemonly view
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly

What this means is that if someone makes the server publicly available for the sake of monitoring, the server may become available as a DDOS attack lever as well.

What I am recommending is that we add a stern warning in the default configuration that changing the listening address and leaving these public access entries intact may result in creating a hazard on the Internet if there are no other precautions taken.

Of course, someone experienced with SNMP would know this implicitly, but this is an easy detail to miss given that the community 'public' is a discrete feature of the daemon. Or, to put it another way, adding access control requiring either a community string (other than public) or v3 authentication would not eliminate the open access available via the public community.

-- System Information:
Debian Release: 13.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-32-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snmpd depends on:
ii  adduser                     3.134
ii  debconf [debconf-2.0]       1.5.82
ii  init-system-helpers         1.69~deb13u1
ii  libc6                       2.41-12+deb13u1
ii  libsnmp-base                5.9.3+dfsg-2
ii  libsnmp40                   5.9.3+dfsg-2
ii  lsb-base                    11.6
ii  sysvinit-utils [lsb-base]   3.06-4

snmpd recommends no packages.

Versions of packages snmpd suggests:
pn  snmptrapd  <none>

-- Configuration Files:
/etc/snmp/snmpd.conf changed [not included]

-- debconf information excluded
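
The combination this report warns about, a listening address beyond loopback together with community entries that accept any source, can be checked mechanically. The following is an added example, not part of the original report or of the snmpd package; the names `audit` and `beyond_loopback` and the sample configuration are constructed for illustration, and an agentaddress entry with no recognizable IP literal is assumed to be reachable from outside.

```python
import ipaddress
import re

# Constructed sample: the defaults quoted in the report, with only the
# listening address changed and a restricted community added by the admin.
SAMPLE_CONF = """\
agentaddress udp:161,udp6:[::1]:161
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rocommunity  monitoring 192.0.2.10
"""

ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

def beyond_loopback(entry):
    """True if one agentaddress entry may listen on a non-loopback address."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", entry)          # [v6-literal]
    host = m.group(1) if m else next(
        (p for p in re.split(r"[:@]", entry) if p.count(".") == 3), None)
    if host is None:               # port only or a hostname: assume exposed
        return "localhost" not in entry.lower()
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True

def audit(conf_text):
    """Return (line_no, directive, community) for open communities on an exposed agent."""
    listeners, open_entries = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        directive = fields[0].lower()
        if directive == "agentaddress":
            listeners += [e for e in "".join(fields[1:]).split(",") if e]
        elif re.fullmatch(r"r[ow]community6?", directive):
            source = fields[2] if len(fields) > 2 else "default"
            if source.lower() in ANY_SOURCE:
                open_entries.append((no, directive, fields[1]))
    # No agentaddress at all means the agent listens on every interface.
    exposed = not listeners or any(beyond_loopback(e) for e in listeners)
    return open_entries if exposed else []

if __name__ == "__main__":
    for no, directive, community in audit(SAMPLE_CONF):
        print(f"line {no}: {directive} '{community}' accepts any source")
```

With the package default `agentaddress 127.0.0.1,[::1]` the same community lines produce no findings, which is why the hazard only appears after the listening address is changed.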

