Template:FAQ:Agent 21
Firstly, are you concerned with read access or write access?
As far as changing things on the agent is concerned, there is relatively little that can actually be altered (see the entry "Why can't I set any variables in the MIB?").
If you are using the example config file, this is set up to allow read access from your local network, and write access only from the system itself (accessed as 'localhost'), both using the community name specified. You will need to set appropriate values for both NETWORK and COMMUNITY in this file before using it.
This mechanism can also be used to control access much more precisely (see the next few questions for details).
Other options include:
- Blocking access to port 161 from outside your organisation (using filters on network routers)
- Using kernel-level network filtering on the system itself (such as IPTables)
- Configuring TCP wrapper support ("--with-libwrap"). This uses the TCP 'libwrap' library (available separately) to allow/deny access via /etc/hosts.{allow,deny}
For strict security you should use only SNMPv3, which is the secure form of the protocol. However, note that the agent access control mechanisms do not restrict SNMPv3 traffic by location: an SNMPv3 request will be accepted or rejected based purely on the user authentication, irrespective of where it originated. Source-based restrictions on SNMPv3 requests would need to use one of the "external" mechanisms listed above.
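
The points above about NETWORK/COMMUNITY, source restrictions and SNMPv3 can be checked mechanically. The following is an added example, not part of the FAQ or of Net-SNMP: a small audit of snmpd.conf access-control lines. The function name `audit`, the community names and the 192.0.2.0/24 addresses are constructed for illustration, and only the IPv4 `rocommunity`, `rwcommunity`, `com2sec`, `rouser` and `rwuser` directives are examined.

```python
# Constructed sample snmpd.conf (added example; 192.0.2.0/24 is a documentation range).
SAMPLE_CONF = """\
rocommunity  s3cr3t-ro  192.0.2.0/24   # read access from the local network
rwcommunity  s3cr3t-rw  localhost      # write access from the system itself
rocommunity  s3cr3t-ro
com2sec  mynetwork  NETWORK/24  COMMUNITY
rwcommunity  s3cr3t-rw  192.0.2.0/24
rouser  monitor  priv
"""
LOCAL_SOURCES = {"localhost", "127.0.0.1"}

def audit(conf_text):
    """Return (line_number, message) findings for snmpd.conf text (hypothetical helper)."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword in ("rouser", "rwuser"):
            findings.append((num, "SNMPv3 user: agent does not filter by source, "
                                  "restrict port 161 externally"))
            continue
        if keyword in ("rocommunity", "rwcommunity"):
            # rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any address
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
        elif keyword == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        if community == "COMMUNITY":
            findings.append((num, "COMMUNITY placeholder not replaced"))
        if "NETWORK" in source:
            findings.append((num, "NETWORK placeholder not replaced"))
        if source == "default":
            findings.append((num, "community accepted from any source address"))
        elif keyword == "rwcommunity" and source not in LOCAL_SOURCES:
            findings.append((num, "write access granted beyond localhost"))
    return findings

if __name__ == "__main__":
    for num, message in audit(SAMPLE_CONF):
        print(f"line {num}: {message}")
```

The SNMPv3 finding is informational: it marks where one of the external mechanisms listed above (router filters, IPTables, or libwrap) has to supply the source restriction.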