
My Security Scan is detecting the SNMP string "Public", is this a risk?

For the Statseeker 5.6.2 upgrade and any following upgrades, our current practice for the SNMP "server" on a Statseeker host is to disable the bsnmpd daemon and reset its config to the FreeBSD default settings.

Customers who wish to monitor the Statseeker host via SNMP need to back up their config before the upgrade and, after the upgrade, reconfigure it to meet the FreeBSD version's requirements.

Therefore the read community string being the default of "public" is not a security risk on an upgraded host, because nothing is active that will respond to any SNMP "requests".

If you wish to change the FreeBSD default community strings please edit (as root) the file /etc/snmpd.config.

e.g.

statseeker$ su -

Password:

# ee /etc/snmpd.config

Find the following lines in the file:

read := "public"
write := "geheim"
trap := "mytrap"

... and change them to what you would like.

You can also check that the SNMP "server" process is disabled in /etc/rc.conf:

bsnmpd_enable="NO"

And then check that the bsnmpd daemon is not running:

# service bsnmpd status

bsnmpd is not running.
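
The file checks above can be scripted. The following sh script is an added example, not part of Statseeker or the original article; its function names are hypothetical and the sample files are constructed. It reports the FreeBSD default community strings shown above and treats them as a risk only when rc.conf enables bsnmpd. It reads the two files only, so `service bsnmpd status` is still needed to confirm that the daemon is not running.

```shell
#!/bin/sh
# Added example, not Statseeker code; function names are hypothetical.
# Default paths are the files named in the article.

# Print the quoted value assigned to a macro (read, write, trap); last one wins.
community_value() {   # $1 = macro name, $2 = snmpd.config file
    sed -n "s/^[[:space:]]*$1[[:space:]]*:=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Return 0 if rc.conf enables bsnmpd (YES/TRUE/ON/1, case-insensitive).
bsnmpd_enabled() {    # $1 = rc.conf file
    val=$(sed -n 's/^[[:space:]]*bsnmpd_enable=["'\'']\{0,1\}\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# List default community strings; return 1 only if bsnmpd is also enabled.
audit_bsnmpd() {      # $1 = rc.conf, $2 = snmpd.config
    rc=${1:-/etc/rc.conf} cfg=${2:-/etc/snmpd.config} defaults=0
    for pair in read:public write:geheim trap:mytrap; do
        name=${pair%%:*}
        if [ "$(community_value "$name" "$cfg")" = "${pair#*:}" ]; then
            echo "default $name community \"${pair#*:}\" in $cfg"
            defaults=$((defaults + 1))
        fi
    done
    if ! bsnmpd_enabled "$rc"; then
        echo "OK: bsnmpd is disabled in $rc"
        return 0
    fi
    if [ "$defaults" -gt 0 ]; then
        echo "RISK: bsnmpd enabled with $defaults default community string(s)"
        return 1
    fi
    echo "OK: bsnmpd enabled, community strings changed from the defaults"
}

# Constructed sample files mirroring the settings shown in the article.
demo_dir=$(mktemp -d)
printf 'bsnmpd_enable="NO"\n' > "$demo_dir/rc.conf"
printf 'read := "public"\nwrite := "geheim"\ntrap := "mytrap"\n' > "$demo_dir/snmpd.config"
audit_bsnmpd "$demo_dir/rc.conf" "$demo_dir/snmpd.config"
```

On a real host, run `audit_bsnmpd` with no arguments as root to check /etc/rc.conf and /etc/snmpd.config.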

For more information, there are many online pages discussing this subject, based on the FreeBSD manual linked below:

https://man.freebsd.org/cgi/man.cgi?query=snmpd.examples&sektion=5&manpath=FreeBSD+Ports+14.1