Cisco SNMP Security
If SNMP is enabled, some basic security measures must be applied!
See the config samples below.

Warning


NEVER use community strings like "public", "private", "cisco", "router", "secret", .....
because most SNMP brute-forcers try these words first.
Do not allow RW unless you actually use it.

SNMP Reboot
If you think it is a good idea to allow rebooting the router via SNMP, you must make the following configs:
	snmp-server community private RW    
	snmp-server system-shutdown
And for testing:
	snmpset -c private -v 2c 192.168.2.150 .1.3.6.1.4.1.9.2.9.9.0 i 2

SNMP Config Sample
Simple One
	!
	! simple one
	!	
	snmp-server location at_a_secret_place
	snmp-server contact haxor
	!
	snmp-server community public RO
	snmp-server community private RW
	!
	!
	logging snmp-authfail
Advanced One
	!
	! advanced one
	!	
	snmp-server location at_a_secret_place
	snmp-server contact haxor
	!
	! protect with Accesslist 
	!
	snmp-server community public RO 5
	snmp-server community private RW 6
	!
	! log wrong SNMP communities
	!
	logging snmp-authfail 
	!
	! access-list for RO
	!
	access-list 5 permit 192.168.2.100
	access-list 5 permit 192.168.2.101
	!
	! access-list for RW
	!
	access-list 6 permit 192.168.2.101
	!	
Advanced One with a view "cutdown"
	!
	! advanced one with a view
	!	
	snmp-server location at_a_secret_place
	snmp-server contact haxor
	!
	! view cutdown
	!
	snmp-server view cutdown internet included
	snmp-server view cutdown ciscoFlashFiles excluded
	!
	! protect with Accesslist 
	!
	snmp-server community public view cutdown RO 5
	snmp-server community private view cutdown RW 6
	!
	! log wrong SNMP communities
	!
	logging snmp-authfail 
	!
	! access-list for RO
	!
	access-list 5 permit 192.168.2.100
	access-list 5 permit 192.168.2.101
	!
	! access-list for RW
	!
	access-list 6 permit 192.168.2.101
	!	
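An added audit script (not from packetlevel.ch) that checks a Cisco IOS config excerpt against the rules on this page: no well-known community strings, no RW community without an access-list, a view on every community, and "logging snmp-authfail" enabled. The two sample configs are constructed; the community names in the hardened sample are placeholders, and the ACL numbers and IPs follow the page's samples.

```python
import re

# Constructed sample inputs (not taken from a real device). The first repeats the
# page's "Simple One" pattern, the second applies the page's hardening advice.
SIMPLE_SAMPLE = """!
snmp-server community public RO
snmp-server community private RW
logging snmp-authfail
"""
HARDENED_SAMPLE = """!
snmp-server view cutdown internet included
snmp-server community Xk9Qv-ro view cutdown RO 5
snmp-server community Zp4Wm-rw view cutdown RW 6
logging snmp-authfail
access-list 5 permit 192.168.2.100
access-list 6 permit 192.168.2.101
"""

# Well-known community strings the page says never to use; brute-forcers try them first.
WEAK_COMMUNITIES = {"public", "private", "cisco", "router", "secret"}

# snmp-server community <name> [view <view>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(\S+)(?:\s+view\s+(\S+))?(?:\s+(RO|RW))?(?:\s+(\S+))?$",
    re.IGNORECASE,
)


def audit_snmp_config(config_text):
    """Return (severity, message) findings for the SNMP parts of an IOS config."""
    findings = []
    authfail_logging = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        if re.fullmatch(r"logging\s+snmp-authfail", line, re.IGNORECASE):
            authfail_logging = True
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, view, mode, acl = m.groups()
        mode = (mode or "RO").upper()  # IOS defaults a community to read-only
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(("HIGH", f"community '{name}' is a well-known default"))
        if not acl:
            sev = "HIGH" if mode == "RW" else "MEDIUM"
            findings.append((sev, f"{mode} community '{name}' has no access-list"))
        if not view:
            findings.append(("LOW", f"community '{name}' is not limited to a view"))
    if not authfail_logging:
        findings.append(("MEDIUM", "'logging snmp-authfail' is not enabled"))
    return findings


if __name__ == "__main__":
    for label, sample in (("simple", SIMPLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit_snmp_config(sample) or "no findings")
```

Run it against "show running-config" output saved to a file to get the same findings for a real device.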

SNMP Info
If "logging snmp-authfail" is enabled, you see the following in the log files when the community is wrong (see Advanced One with a view "cutdown"):
	Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98
And if you have an access-list and you send an SNMP request with the wrong community, you see the same:
	Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98
Only if you come from a permitted IP in the access-list and use the correct community does the ACL match.
Fact:
The ACL is matched after the authentication is checked.

(c) 2008 by packetlevel.ch / last update: 25.10.2008