Re: [squid-users] mrtg

From: Simon White <simon@dont-contact.us>
Date: Wed, 17 Apr 2002 09:23:54 +0000

17-Apr-02 at 13:05, pankaj (pankaj_surat@nettaxi.com) wrote :
>
> snmp_port 3401
> snmp_access allow snmpcom mrtghost
> snmp_access deny all
>
> acl snmpcom snmp_community public
> acl mrtghost src 192.168.1.1/32

FWIW, I would recommend not using "public" as the community name. I know
that there were some big security issues with SNMP, allowing DoS attacks
to many SNMP devices to be reasonably easily perpetrated.

I know that most SNMP devices now have patches available, and I think even
that Squid was not affected (certainly not Squid2.4STABLE6).

However, since the DoS attack relies on the person finding out your
community name, I would urge you to use something other than "public",
which will be any hacker's first guess. I know you have extra protection
because Squid will only allow access, in this example, to the 192.168.1.1
address, but if that host is compromised then an extra level of protection
is afforded by using a non-standard community name (you can use whatever
you want).

-- 
[Simon White. vim/mutt. simon@mtds.com. GIMPS:76.05% see www.mersenne.org]
Neutron stars are almost unimaginably dense: a teaspoon of neutron star
material weighs a billion tons (1.016 billion tonnes).
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Received on Wed Apr 17 2002 - 03:23:57 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:35 MST