Service security
Ensure SNMP is not enabled unless absolutely necessary
Avoid using SNMPv1, which transmits data in clear text and does not require authentication to execute commands. It is recommended to switch to SNMPv3, as it offers improved security features, including authentication and encryption, which protect sensitive information from unauthorized access.
To disable snmpd, run:
# systemctl --now disable snmpd
To switch to SNMPv3, do the following:
- In /etc/snmp/snmpd.conf, add the following lines:
  com2sec snmpv3test localhost dummycontext
  com2sec snmpv3test pan51 dummycontext
  group snmpv3group usm snmpv3test
  access snmpv3group "" usm priv exact all all all
  rouser rousername
- Create an SNMPv3 user:
  # systemctl stop snmpd.service
  # net-snmp-create-v3-user
  # systemctl start snmpd.service
Ensure the default SNMP community is changed
If SNMP is required, configure it securely by restricting access to private network interfaces and changing default community strings.
To change the default community strings (which act like passwords):
- Check the /etc/snmp/snmpd.conf file for configured communities (the rwcommunity and rocommunity options) and change them. For example:
  rocommunity somesecom
- Restart the snmpd service:
  # systemctl restart snmpd.service
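The check in the first step can be scripted. The following is an added example, not part of the original guide: a POSIX shell function that flags rocommunity, rwcommunity and com2sec lines in snmpd.conf that still need attention. It assumes "public" and "private" are the default community strings; the names sample_conf and audit_snmpd_conf and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag snmpd.conf community directives that need changing.
# Assumption: "public" and "private" are the default strings to look for.
DEFAULTS="public private"

# Constructed sample input (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# constructed sample snmpd.conf
rocommunity public
rwcommunity s3cr3tRW 10.0.0.0/24
rocommunity somesecom 127.0.0.1
com2sec notConfigUser default public
rouser rousername
EOF
}

# audit_snmpd_conf FILE   ("-" reads standard input)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_snmpd_conf() {
    conf=$1
    if [ "$conf" != "-" ] && [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    awk -v defaults="$DEFAULTS" '
        function report(tag, msg) { printf "%-8s line %d: %s\n", tag, NR, msg; n++ }
        BEGIN { k = split(defaults, d, " "); for (i = 1; i <= k; i++) bad[d[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { dir = tolower($1) }
        dir ~ /^r[ow]community6?$/ {            # rocommunity / rwcommunity (and *6)
            if ($2 in bad) report("DEFAULT", dir " uses default community \"" $2 "\"")
            if (dir ~ /^rw/) report("WRITE", dir " grants read-write access")
            if (NF < 3 || $3 == "default") report("SOURCE", dir " is not limited to a source address")
        }
        # com2sec [-Cn CONTEXT] NAME SOURCE COMMUNITY: community is the last field
        dir ~ /^com2sec6?$/ && ($NF in bad) {
            report("DEFAULT", "com2sec maps default community \"" $NF "\"")
        }
        END { exit (n > 0) }
    ' "$conf"
}

# No argument: audit the constructed sample. Otherwise audit the given file.
if [ $# -eq 0 ]; then sample_conf | audit_snmpd_conf - || :
else audit_snmpd_conf "$1"; fi
```

Run it with /etc/snmp/snmpd.conf as the argument to audit a live configuration; the exit status is 1 when anything is flagged.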
Ensure RPC is not enabled unless absolutely necessary
If the system does not require RPC-based services, it is recommended to disable rpcbind to reduce the remote attack surface.
To disable rpcbind, run:
# systemctl --now disable rpcbind
Ensure Telnet is not installed
Replace Telnet with SSH where possible for encrypted and secure remote communications. The SSH package provides an encrypted session and stronger communication security.
To uninstall Telnet, run:
# dnf remove telnet