The focus of this short article is to document the steps in locking down the Lucent SNMP Module from its default security settings. It is important to note, Lucent says that you should not remove the public community string from the snmpd.cnf file. Doing so, will break the integration of the Lucent DNS/DHCP server subagents and the SNMP Emanate Master agent. It appears that the sub-agents have been hard-coded somehow with the 'public' readonly community string.
The Lucent SNMP configuration files are located in the $QIPHOME/snmp/conf directory. For the purposes of this short article, we'll only delve into the snmpd.cnf file in that directory.
Change the current snmpCommunityEntry for 'public' to read:
snmpCommunityEntry t0000000 public public localSnmpID - LocalHost nonVolatile
Add a new entry to the snmpCommunityEntry table that reads:
snmpCommunityEntry t0000001 d1ffstr1ng d1ffstr1ng localSnmpID - NMSServer \nonVolatile
Where the index is unique (t0000001) and the community string is different and more complex.
Add two (2) additional entries to the vacmAccessEntry table:
vacmAccessEntry group1 - snmpv1 noAuthNoPriv exact All All All nonVolatile vacmAccessEntry group1 - snmpv2c noAuthNoPriv exact All All All nonVolatile
Add two (2) additional entries to the vacmSecurityToGroupEntry table:
vacmSecurityToGroupEntry snmpv1 d1ffstr1ng group1 nonVolatile vacmSecurityToGroupEntry snmpv2c d1ffstr1ng group1 nonVolatile
And, finally, the part of the configuration that effectively locks down the communities is the configuration of the entries in the snmpTargetAddrEntry table. The following entries lock 'public' to the LocalHost or 127.0.0.1 IP address. This allows the Lucent sub-agents to continue working. While the other entry locks 'd1ffstr1ng' community string down to the 126.96.36.199 unicast address of the NMSServer:
snmpTargetAddrEntry 31 snmpUDPDomain 188.8.131.52:0 100 3 NMSServer \ v1ExampleParams nonVolatile 255.255.255.255:0 2048 snmpTargetAddrEntry 32 snmpUDPDomain 127.0.0.1:0 100 3 LocalHost \ v1ExampleParams nonVolatile 255.255.255.255:0 2048