Service security

Ensure SNMP is not enabled unless absolutely necessary

Avoid using SNMPv1, which transmits data in the clear text and does not require authentication to execute commands. It is recommended to switch to SNMPv3, as it offers improved security features, including authentication and encryption, which protect sensitive information from unauthorized access.

To disable snmpd, run:

# systemctl --now disable snmpd

To switch to SNMPv3, do the following:

1. In /etc/snmp/snmpd.conf, add the following lines:

   com2sec snmpv3test localhost    dummycontext
   com2sec snmpv3test pan51        dummycontext
   group snmpv3group       usm     snmpv3test
   access snmpv3group        ""      usm       priv    exact  all     all   all
   rouser rousername

2. Create an SNMPv3 user:

   # systemctl stop snmpd.service
   # net-snmp-create-v3-user
   # systemctl start snmpd.service

Ensure the default SNMP community is changed

If SNMP is required, configure it securely by restricting access to private network interfaces and changing default community strings.

To change the default community strings (which act like passwords):

1. Check the /etc/snmp/snmpd.conf file for configured communities (the rwcommunity and rocommunity options) and change them. For example:

   rocommunity somesecom

2. Restart the snmpd service:

   # systemctl restart snmpd.service

Ensure RPC is not enabled unless absolutely necessary

If the system does not require RPC-based services, it is recommended to disable rpcbind to reduce the remote attack surface.

To disable rpcbind, run:

# systemctl --now disable rpcbind

Ensure Telnet is not installed

Replace Telnet with SSH where possible for encrypted and secure remote communications. The SSH package provides an encrypted session and stronger security communication.

To uninstall Telnet, run:

# dnf remove telnet