I wrote a custom SNMPv2c agent that extends Net-SNMP via the AgentX protocol. Currently, in snmpd.conf, I let everyone see the following:
view all included .1
This exposes mgmt (RFC 1213), which looks fine, but it also exposes the SNMPv2 MIBs (snmpMIB, snmpFrameworkMIB, VacmMIB, etc.).
I haven't found any best-practice document detailing what should be exposed beyond opening up our enterprise OID tree, what the security risks are, and so on.
Be very careful about global access (even read-only) to the entire ISO (.1) tree, especially if you use SNMPv3 USM for authentication and VACM for authorization.
The USM user database is exposed in the MIB itself (usmUserTable), so: (... done with snmpusm(1).) Likewise, the VACM MIB contains access policy information, e.g. vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable. I think Net-SNMP does not allow read-write access to these VACM tables (the policy comes from /etc/snmp/snmpd.conf and is not modified by the agent), but even read-only access can reveal too much. For example, it could let an attacker find out which USM user has access to the view the attacker is interested in, and then mount a password-cracking attack against that particular USM user.
The SNMPv3 USM and VACM RFCs themselves explicitly warn you how sensitive these tables are:
11.5 Access to the SNMP-USER-BASED-SM-MIB
The objects in this MIB may be considered sensitive in many
environments. Specifically the objects in the usmUserTable contain
information about users and their authentication and privacy
protocols. It is important to closely control (both read and write)
access to these MIB objects by using appropriately configured Access
Control models (for example the View-based Access Control Model as
specified in [RFC3415]).
And:
7.4. Access to the SNMP-VIEW-BASED-ACM-MIB
The objects in this MIB control the access to all MIB data that is
accessible via the SNMP engine and they may be considered sensitive
in many environments. It is important to closely control (both read
and write) access to these to these MIB objects by using
appropriately configured Access Control models (for example the
View-based Access Control Model as specified in this document).
view most included .1
view most excluded .1.3.6.1.6.3.15
view most excluded .1.3.6.1.6.3.16
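To see how view lines like these resolve, here is an added Python example (not code from the thread or from Net-SNMP) that parses `view` lines the way VACM picks the most specific matching subtree for an OID, and then reports which of the USM and VACM tables named above are still visible under a given view. It assumes masks are omitted, as in the lines above (Net-SNMP then treats the subtree as an exact prefix), and uses the standard numeric arcs from RFC 3414 and RFC 3415 for the table OIDs.

```python
"""Evaluate Net-SNMP 'view' lines with VACM (RFC 3415) longest-prefix semantics.

Added example, not from the original thread or from Net-SNMP.
Assumptions: no family masks are given (Net-SNMP's default is all-ones,
i.e. plain prefix matching), and no two entries in one view share the
same subtree, so the longest matching subtree is unique.
"""

from typing import Dict, List, Tuple

OidT = Tuple[int, ...]
ViewEntries = List[Tuple[OidT, bool]]  # (subtree, included?)

# Constructed snmpd.conf fragment: the "all" view from the question and the
# "most" view from the answer above.
SNMPD_CONF = """
view all  included .1
view most included .1
view most excluded .1.3.6.1.6.3.15     # SNMP-USER-BASED-SM-MIB
view most excluded .1.3.6.1.6.3.16     # SNMP-VIEW-BASED-ACM-MIB
"""

# Standard numeric OIDs of the tables the answer names (RFC 3414 / RFC 3415).
SENSITIVE_OIDS = {
    "usmUserTable":             "1.3.6.1.6.3.15.1.2.2",
    "vacmContextTable":         "1.3.6.1.6.3.16.1.1",
    "vacmSecurityToGroupTable": "1.3.6.1.6.3.16.1.2",
    "vacmAccessTable":          "1.3.6.1.6.3.16.1.4",
    "vacmViewTreeFamilyTable":  "1.3.6.1.6.3.16.1.5.2",
}


def oid_tuple(oid: str) -> OidT:
    """'.1.3.6' or '1.3.6' -> (1, 3, 6)."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def parse_views(conf: str) -> Dict[str, ViewEntries]:
    """Collect 'view NAME included|excluded SUBTREE [MASK]' lines per view name."""
    views: Dict[str, ViewEntries] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] != "view":
            continue                             # other snmpd.conf directives
        if len(parts) < 4 or parts[2] not in ("included", "excluded"):
            raise ValueError(f"malformed view line: {raw!r}")
        _, name, kind, subtree = parts[:4]       # a 5th field (mask) is ignored by assumption
        views.setdefault(name, []).append((oid_tuple(subtree), kind == "included"))
    return views


def is_visible(views: Dict[str, ViewEntries], view_name: str, oid: str) -> bool:
    """VACM rule: the entry with the longest subtree that is a prefix of the OID
    decides; if no entry matches, the OID is not in the view."""
    target = oid_tuple(oid)
    best: Tuple[OidT, bool] = ((), False)
    matched = False
    for subtree, included in views.get(view_name, []):
        if target[: len(subtree)] == subtree and len(subtree) > len(best[0]):
            best, matched = (subtree, included), True
    return matched and best[1]


def exposed_sensitive_tables(views: Dict[str, ViewEntries], view_name: str) -> List[str]:
    """Names of USM/VACM tables that a community/user bound to this view could read."""
    return sorted(name for name, oid in SENSITIVE_OIDS.items()
                  if is_visible(views, view_name, oid))


if __name__ == "__main__":
    v = parse_views(SNMPD_CONF)
    for view in ("all", "most"):
        print(f"view {view!r} exposes: {exposed_sensitive_tables(v, view) or 'none of the sensitive tables'}")
```

Note that excluding the two MIB roots (.15 and .16) is coarser than excluding just the tables, which is fine for read-only monitoring communities; the evaluator makes it easy to check any alternative set of `view` lines before deploying them.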
In addition to the general advice given in the previous answer, I suggest using snmpwalk -v2c -c community localhost .1 | your_pager
to browse everything you can see,
and then deciding which of that information you would rather not have seen.
For example, on Linux you can usually see all processes together with their arguments, as well as disk devices and mounted filesystems.
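As an added example of the triage this answer suggests (not code from the thread or from Net-SNMP), the Python below takes a walk dump in the numeric form `snmpwalk -On` prints, buckets each row into the HOST-RESOURCES-MIB and SNMPv3 subtrees mentioned on this page, flags process arguments that look like they carry credentials, and turns the subtrees you decide to hide into `view ... excluded` lines. The walk output is constructed here, including the hostname, process list and USM user row; the subtree OIDs are the standard arcs.

```python
"""Triage a numeric snmpwalk dump and generate 'view ... excluded' lines.

Added example, not from the original thread. WALK_OUTPUT is constructed to
look like `snmpwalk -On -v2c -c community localhost .1`; the hostname,
PIDs, arguments and USM user row are made up.
"""

from collections import Counter
from typing import Dict, Iterable, List

# Subtree -> short label (standard OIDs from HOST-RESOURCES-MIB, SNMPv2-MIB,
# SNMP-USER-BASED-SM-MIB and SNMP-VIEW-BASED-ACM-MIB).
SUBTREES = {
    ".1.3.6.1.2.1.1":      "system",         # sysDescr, sysName, ...
    ".1.3.6.1.2.1.25.2.3": "hrStorageTable", # memory and filesystem usage
    ".1.3.6.1.2.1.25.3.2": "hrDeviceTable",  # disks, NICs, CPUs
    ".1.3.6.1.2.1.25.3.8": "hrFSTable",      # mounted filesystems
    ".1.3.6.1.2.1.25.4.2": "hrSWRunTable",   # running processes and their arguments
    ".1.3.6.1.6.3.15":     "snmpUsmMIB",     # USM user table
    ".1.3.6.1.6.3.16":     "snmpVacmMIB",    # VACM access policy
}

HR_SW_RUN_PARAMETERS = ".1.3.6.1.2.1.25.4.2.1.5"   # process command-line arguments
SECRET_HINTS = ("password", "passwd", "secret", "token")

# Constructed sample walk output (not captured from a real host).
WALK_OUTPUT = """\
.1.3.6.1.2.1.1.1.0 = STRING: Linux agentbox 5.10.0 #1 SMP x86_64
.1.3.6.1.2.1.1.5.0 = STRING: agentbox
.1.3.6.1.2.1.2.2.1.2.1 = STRING: lo
.1.3.6.1.2.1.25.2.3.1.3.1 = STRING: Physical memory
.1.3.6.1.2.1.25.2.3.1.3.31 = STRING: /
.1.3.6.1.2.1.25.3.8.1.2.1 = STRING: /
.1.3.6.1.2.1.25.3.8.1.2.2 = STRING: /boot
.1.3.6.1.2.1.25.4.2.1.2.1234 = STRING: sshd
.1.3.6.1.2.1.25.4.2.1.5.1234 = STRING: -D -p 2222
.1.3.6.1.2.1.25.4.2.1.2.1300 = STRING: backup.sh
.1.3.6.1.2.1.25.4.2.1.5.1300 = STRING: --password s3cret --target nas01
.1.3.6.1.6.3.15.1.2.2.1.3.4.1.2.3.4.97.100.109.105.110 = STRING: admin
"""


def classify(oid: str) -> str:
    """Label an OID by the longest known subtree that is a prefix of it."""
    best = ""
    for prefix in SUBTREES:
        if (oid == prefix or oid.startswith(prefix + ".")) and len(prefix) > len(best):
            best = prefix
    return SUBTREES[best] if best else "other"


def walk_rows(text: str):
    """Yield (oid, value) pairs; lines without ' = ' are multi-line value continuations."""
    for line in text.splitlines():
        if " = " in line:
            oid, value = line.split(" = ", 1)
            yield oid.strip(), value


def summarize_walk(text: str) -> Dict[str, int]:
    """How many rows each subtree contributes: the 'what can they see?' overview."""
    return dict(Counter(classify(oid) for oid, _ in walk_rows(text)))


def suspicious_process_args(text: str) -> List[str]:
    """hrSWRunParameters values that look like they contain credentials."""
    hits = []
    for oid, value in walk_rows(text):
        if oid.startswith(HR_SW_RUN_PARAMETERS + ".") and \
                any(h in value.lower() for h in SECRET_HINTS):
            hits.append(value.split(": ", 1)[-1])   # strip the 'STRING: ' type tag
    return hits


def exclusion_lines(view: str, labels: Iterable[str]) -> List[str]:
    """snmpd.conf lines hiding the chosen subtrees from the named view."""
    wanted = set(labels)
    return [f"view {view} excluded {prefix}"
            for prefix, label in SUBTREES.items() if label in wanted]


if __name__ == "__main__":
    for label, n in sorted(summarize_walk(WALK_OUTPUT).items()):
        print(f"{n:4d}  {label}")
    print("process arguments worth hiding:", suspicious_process_args(WALK_OUTPUT))
    print("\n".join(exclusion_lines("most", ["hrSWRunTable", "snmpUsmMIB", "snmpVacmMIB"])))
```

On a real host, pipe `snmpwalk -On` output into `summarize_walk` instead of the constructed text; the per-subtree counts and the argument check give you a concrete list to work from when deciding what the monitoring community really needs.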