snmp over internet "best practice"

Andreas Ericsson ae at op5.se
Mon Aug 27 14:29:53 CEST 2007


Aaron wrote:
> I joined the list recently and while doing some searching for answers 
> came across a "best practices" thread.  One of the things listed in the 
> thread was using snmp whenever possible with the statement that it 
> should only be used on the local networks.
> 
> I'm wondering if this is also the popular belief "best practice" even if 
> you're using snmp v3 and if so why.  I was about to deploy snmp v3 
> active checks to check things like cpu and disk loads and then I saw 
> this post.  I thought that was the whole point of v3 with SHA and AES 
> encryptions and authentication so that we could use it over the net.
> 

If security is your primary concern, you should use ssh with shared key
authentication as much as you possibly can, and make sure to use one key
per command you want to execute (read the SSH manpage carefully on how to
set this up). This can quickly become troublesome though, as the keys and
commands mount up (maintenance nightmare, but very secure).

For routers and switches, SNMPv3 is almost always the best way to go.

Personally, I prefer NRPE since it also allows event-handlers to be
added without having to install additional software. The code is also
small, and I've audited it myself so I know it's sound, provided it's
configured properly.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
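
The one-key-per-command SSH setup mentioned in the reply relies on the `command="..."` option in `authorized_keys`, which makes sshd run that command no matter what the client asks for. The following audit script is an added example, not part of the original post: it flags monitoring keys that lack a forced command or leave PTY and forwarding enabled. The plugin paths, key labels and key blobs in the sample are constructed placeholders.

```python
# Audit an authorized_keys file for monitoring keys that are not pinned to a command.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # an entry starting like this has no options
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample: plugin paths and labels are assumptions, key blobs are placeholders.
SAMPLE = """\
# monitoring account on a checked host
command="/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6",restrict ssh-ed25519 AAAAPLACEHOLDER1 nagios-check-load
command="/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAPLACEHOLDER2 nagios-check-disk
ssh-ed25519 AAAAPLACEHOLDER3 nagios-unrestricted
command="/usr/lib/nagios/plugins/check_swap -w 50% -c 20%" ssh-rsa AAAAPLACEHOLDER4 nagios-check-swap
"""

def parse_entry(line):
    """Return (options dict, comment) for one authorized_keys line."""
    line = line.strip()
    opts, rest = {}, line
    if not line.startswith(KEY_PREFIXES):
        cur, in_quotes = "", False
        for i, ch in enumerate(line):
            if ch == '"' and not cur.endswith("\\"):
                in_quotes = not in_quotes
            if not in_quotes and (ch == "," or ch.isspace()):
                name, _, value = cur.partition("=")
                opts[name.lower()] = value.strip('"')   # option names are case-insensitive
                cur = ""
                if ch.isspace():                        # options end at first unquoted space
                    rest = line[i:].strip()
                    break
            else:
                cur += ch
    return opts, " ".join(rest.split()[2:])

def audit(text):
    """List (key comment, problem) pairs for entries that are not locked down."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, label = parse_entry(line)
        if "command" not in opts:
            findings.append((label, "no forced command: key can run anything"))
        if "restrict" not in opts and not LOCKDOWN <= set(opts):
            findings.append((label, "pty/forwarding not disabled"))
    return findings

if __name__ == "__main__":
    for label, problem in audit(SAMPLE):
        print(f"{label}: {problem}")
```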

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users