Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.
An SNMP agent that is reachable from the Internet can be used to read privileged information from the system, or even to write new settings to it, if it is not configured correctly.
Running an SNMP service (UDP port 161) is not bad in itself, and the agent is often pulled in as a dependency when a system is installed. Unfortunately, attackers have also found such open services useful for a particular type of DDoS attack, the reflected 'amplification attack'.
The attacker sends a packet whose source IP address is forged to be that of the intended victim to some server on the Internet that will reply immediately. Because the source address is forged, the server sends its reply to the victim instead of to the attacker.
That has two effects: the real source of the attack is hidden and very hard to trace, and, if many Internet servers are used, the attack consists of an overwhelming number of packets hitting the victim from all over the world.
What makes reflection attacks really powerful is amplification: a small forged packet elicits a large reply from the server (or servers). The attacker sends a small packet "from" the forged source address and has the server (or servers) send large replies to the victim. SNMP is an attractive reflector because it runs over UDP, so there is no handshake that would verify the source address, and a single short request can ask the agent for a large part of its MIB.
Amplification attacks like that let an attacker turn a small amount of bandwidth from a small number of machines into a massive traffic load hitting the victim from around the Internet.
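To make the size difference concrete, here is an added example (not code from the original article) that BER-encodes the SNMPv2c GetBulkRequest an amplification attack typically uses, builds a constructed reply, and measures the bandwidth amplification factor. Nothing is sent on the network; the reply is synthetic, the max-repetitions value 2250 is just an illustrative large choice, and all helper names are this example's own.

```python
"""Added example, not code from the original article.

Builds the SNMPv2c GetBulkRequest that SNMP amplification relies on (one short
UDP datagram asking for many objects), builds a constructed reply, and measures
the bandwidth amplification factor (reply bytes / request bytes).  Nothing is
sent on the network; the reply is synthetic and its size is illustrative only.
All helper names are this example's own.
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement (128 and above need a leading 0x00)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two sub-ids packed into one octet, base-128 after."""
    ids = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def getbulk_request(community: str, oid: str, max_repetitions: int, request_id: int = 1) -> bytes:
    """SNMPv2c message carrying a GetBulkRequest-PDU (tag 0xA5) for one OID.

    max_repetitions is what makes the request an amplifier: it asks the agent to
    return up to that many successive objects below `oid` in a single reply.
    """
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))  # { oid, NULL }
    pdu = tlv(0xA5, ber_int(request_id) + ber_int(0) + ber_int(max_repetitions) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def sample_response(community: str, n_varbinds: int, request_id: int = 1) -> bytes:
    """Constructed GetResponse-PDU (tag 0xA2) with n_varbinds string objects.

    A real agent stops at its maximum message size, so this only illustrates how
    one small request turns into a reply many times its size.
    """
    value = tlv(0x04, b"Linux example-router 2.4.21 #1 SMP i686")  # constructed sample value
    varbind = tlv(0x30, ber_oid("1.3.6.1.2.1.1.1.0") + value)
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind * n_varbinds))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one element at buf[pos]; returns (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(payload: bytes):
    """All elements inside a constructed (SEQUENCE) payload."""
    out, pos = [], 0
    while pos < len(payload):
        tag, body, pos = parse_tlv(payload, pos)
        out.append((tag, body))
    return out


def count_varbinds(message: bytes) -> int:
    """Number of variable bindings in an SNMPv1/v2c message (request or reply)."""
    tag, body, _ = parse_tlv(message)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, _version), (_, _community), (_pdu_tag, pdu) = children(body)
    (_, _request_id), (_, _field1), (_, _field2), (_, varbind_list) = children(pdu)
    return len(children(varbind_list))


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bandwidth amplification: bytes the victim receives per byte the attacker sent."""
    return len(response) / len(request)


if __name__ == "__main__":
    req = getbulk_request("public", "1.3.6.1.2.1", 2250)
    resp = sample_response("public", 50)
    print(f"request: {len(req)} bytes, {count_varbinds(req)} varbind")
    print(f"reply:   {len(resp)} bytes, {count_varbinds(resp)} varbinds")
    print(f"amplification factor: {amplification_factor(req, resp):.1f}x")
```

The request is 38 bytes of UDP payload, and the only thing the attacker has to know is a community string the agent accepts; everything the agent returns lands on the forged source. The same decoder can be pointed at a real captured reply to measure what a given agent actually hands out before it hits its maximum message size.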
Edit the SNMP configuration file, which is usually located at /etc/snmp/snmpd.conf, and change the lines as follows.
Find the following line:
com2sec notConfigUser default public
The source 'default' means the agent answers requests from any address, which is exactly what a reflection attack needs. Replace it with the following lines (make sure you replace 192.168.0.0/24 with your own network/subnet):
com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public
A request whose source address is neither localhost nor inside 192.168.0.0/24 now matches no community and gets no reply at all. Also replace the community string 'public' with one of your own: 'public' and 'private' are the first strings any scanner tries, and in SNMPv1/v2c the community is the only credential there is. Note that an attacker can still forge a source address inside your own subnet, so if the agent is only meant for internal use, filter UDP port 161 at the network border as well.
Scroll down a bit and find the lines:
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
Replace with:
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
Again scroll down a bit and locate the following line:
view systemview included system
Replace with:
view all included .1 80
Again scroll down a bit and find the following line:
access notConfigGroup "" any noauth exact systemview none none
Replace with:
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
The view 'all' defined above covers the whole MIB tree. MyROGroup, which the 192.168.0.0/24 community maps into, can read it but write nothing (write view 'none'); MyRWGroup gets it for writing too, but only the localhost community maps into that group, so write access is never reachable from the network.
Scroll down a bit and find the lines:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
Replace with appropriate values, for example:
syslocation Linux (RH3_UP2), Home Linux Router.
syscontact YourNameHere <you@example.com>
Restart snmpd and test the new configuration: a query from the local host or from inside your subnet should be answered, while a query from any other address (or one using the old 'public' community, if you changed it) should get no reply at all.
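The steps above amount to three changes: no 'default' source, no well-known community, and write access only from the local host. As an added example (not code from the original article), the following script audits a Net-SNMP snmpd.conf for exactly those settings and runs it over the stock lines and over the article's replacement. Both configurations are constructed from the lines above; the community strings ro_placeholder and rw_placeholder are stand-ins to replace with your own, and the function and constant names are this example's own.

```python
"""Added example, not code from the original article.

Audits a Net-SNMP snmpd.conf for the settings the hardening steps change: a
com2sec (or rocommunity/rwcommunity) entry that answers any source address, the
well-known communities 'public' and 'private', and write access reachable from
anything other than the local host.  DEFAULT_CONF and HARDENED_CONF are
constructed from the article's 'find' and 'replace' lines.
"""
from typing import List

# The stock lines the article tells you to find (constructed sample).
DEFAULT_CONF = """\
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c          notConfigUser
view    systemview    included   system
access  notConfigGroup ""      any       noauth    exact  systemview none none
"""

# The article's replacement, with the community strings changed from 'public'
# to placeholders (pick your own values).
HARDENED_CONF = """\
com2sec local      localhost        rw_placeholder
com2sec mynetwork  192.168.0.0/24   ro_placeholder
group   MyRWGroup  v1    local
group   MyRWGroup  v2c   local
group   MyRWGroup  usm   local
group   MyROGroup  v1    mynetwork
group   MyROGroup  v2c   mynetwork
group   MyROGroup  usm   mynetwork
view    all  included  .1  80
access  MyROGroup ""  any  noauth  exact  all  none  none
access  MyRWGroup ""  any  noauth  exact  all  all   none
"""

WEAK_COMMUNITIES = {"public", "private"}
LOCAL_SOURCES = {"localhost", "127.0.0.1", "127.0.0.1/32", "::1"}


def audit_snmpd_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            directives.append(line.split())

    findings: List[str] = []
    secname_source = {}   # com2sec name -> source spec
    group_members = {}    # group name -> set of com2sec names

    # First pass: build the mapping tables and run the single-line checks.
    for tok in directives:
        kw = tok[0].lower()
        if kw == "com2sec" and len(tok) >= 4:
            name, source, community = tok[1], tok[2], tok[3]
            secname_source[name] = source
            if source == "default":
                findings.append(f"com2sec {name}: source 'default' answers every address, "
                                "so a request with a forged source gets a reply")
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"com2sec {name}: well-known community '{community}'")
        elif kw == "group" and len(tok) >= 4:
            group_members.setdefault(tok[1], set()).add(tok[3])
        elif kw in ("rocommunity", "rwcommunity") and len(tok) >= 2:
            # rocommunity COMMUNITY [SOURCE ...]: no source means any address
            source = tok[2] if len(tok) >= 3 and not tok[2].startswith("-") else "default"
            if source == "default":
                findings.append(f"{kw} {tok[1]}: no source restriction")
            if tok[1].lower() in WEAK_COMMUNITIES:
                findings.append(f"{kw}: well-known community '{tok[1]}'")
            if kw == "rwcommunity" and source not in LOCAL_SOURCES:
                findings.append(f"rwcommunity {tok[1]}: write access from {source}")

    # Second pass: access lines, resolved through group -> com2sec -> source.
    for tok in directives:
        if tok[0].lower() == "access" and len(tok) >= 8:
            group, write_view = tok[1], tok[7]
            if write_view == "none":
                continue
            for sec in sorted(group_members.get(group, ())):
                source = secname_source.get(sec, "?")
                if source not in LOCAL_SOURCES:
                    findings.append(f"access {group}: write view '{write_view}' is reachable "
                                    f"via '{sec}' from {source}")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        found = audit_snmpd_conf(conf)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run it against your own /etc/snmp/snmpd.conf before restarting the agent (on the Red Hat release the article targets, `service snmpd restart`), then confirm with `snmpwalk -v 2c -c <community> localhost system` from the host and the same query from an address outside the allowed subnet, which should time out rather than answer.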