The net-snmp package provides the snmpd service.
The net-snmp
package can be removed with the following command:
$ sudo dnf remove net-snmp
If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
The snmpd
service can be disabled with the following command:
$ sudo systemctl mask --now snmpd.service
Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
Edit /etc/snmp/snmpd.conf, remove any rwuser entries. Once the read write users have been removed, restart the SNMP service:
$ sudo systemctl restart snmpd
Certain SNMP settings can permit users to execute system behaviors from user writes to the community strings. This may permit a compromised account to execute commands on a remote system.
Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. This profile configures new read-only community string to $var_snmpd_ro_string and read-write community string to $var_snmpd_rw_string. Once the default community strings have been changed, restart the SNMP service:
$ sudo systemctl restart snmpd
Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).
Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service:
$ sudo systemctl restart snmpd
Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.