THIS KNOWLEDGE BASE HAS BEEN ARCHIVED AND IS NO LONGER BEING UPDATED
Please visit library.nagios.com/docs for the latest and most up-to-date documentation.

Nagios XI - SNMP Trap Hardening


This KB article explains how to harden your Nagios XI server to only accept SNMP traps from authorized sources. By default the Nagios XI server will accept inbound SNMP v2 traps from any device.

SNMP v3 traps will not be accepted by Nagios XI unless the server is specifically configured for SNMP v3 traps. SNMP v3 traps are a more complicated topic and are covered in the SNMP Trap v3 Configuration KB article.

 

Editing Files

In the steps of this article you will be required to edit files. This documentation will use the vi text editor. When using the vi editor:

  • To make changes press i on the keyboard first to enter insert mode
  • Press Esc to exit insert mode
  • When you have finished, save the changes in vi by typing :wq and press Enter

 

 

Send Test Trap

When working through this documentation you may want to test the changes by sending a test trap. The following KB article provides examples on how to send a test trap, which can be very helpful:

SNMP Trap - How To Send A Test Trap

When a test trap is received on the Nagios XI server it should be logged in the /var/log/snmptt/snmpttunknown.log file.

 

 

Default Configuration

The default SNMP Trap configuration is stored in the /etc/snmp/snmptrapd.conf file and contains just two lines:

disableAuthorization yes
traphandle default /usr/sbin/snmptthandler

 

It is the disableAuthorization directive that allows SNMP traps from any device to be sent to Nagios XI.

The first step is to comment out the disableAuthorization directive by adding a # to the beginning of the line:

#disableAuthorization yes
traphandle default /usr/sbin/snmptthandler

 

The remaining steps in this KB article demonstrate different authorization methods that can be used. You will see in the examples that multiple authorization methods can be defined in the config file.

 

 

Restrict To SNMP v2 Community

A simple hardening method is to accept traps from any device that supplies a specific community string.

This example shows how to allow traps for the Sup3rStr0ng community string:

#disableAuthorization yes
authCommunity execute Sup3rStr0ng
traphandle default /usr/sbin/snmptthandler

After making the change you will need to restart the snmptrapd service for the settings to become effective and then you could send a test trap to confirm the settings are correct.

 

 

Restrict To SNMP v2 Community AND Network Address

A more advanced hardening method is to accept traps from specific devices that supply a specific community string.

This example shows how to allow traps for the M3g@Str0ng community string which come from the 10.25.5.15 network address:

#disableAuthorization yes
authCommunity execute Sup3rStr0ng
authCommunity execute M3g@Str0ng 10.25.5.15
traphandle default /usr/sbin/snmptthandler

After making the change you will need to restart the snmptrapd service for the settings to become effective and then you could send a test trap to confirm the settings are correct.

 

 

Restrict To SNMP v2 Community AND Network Subnet

Another hardening method is to accept traps from devices in a network subnet that supply a specific community string.

This example shows how to allow traps for the Ultr@Str0ng community string which come from the 10.25.0.0/16 network subnet:

#disableAuthorization yes
authCommunity execute Sup3rStr0ng
authCommunity execute M3g@Str0ng 10.25.5.15
authCommunity execute Ultr@Str0ng 10.25.0.0/16
traphandle default /usr/sbin/snmptthandler

After making the change you will need to restart the snmptrapd service for the settings to become effective and then you could send a test trap to confirm the settings are correct.
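
The following is an added example, not part of the original Nagios article: a Python check that parses the final snmptrapd.conf shown above and reports which community strings are still accepted from any source address. It uses a simplified model of how snmptrapd matches a trap (community string plus the optional source field); the function names and the embedded sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample: the final snmptrapd.conf shown in this article.
SAMPLE_CONF = """\
#disableAuthorization yes
authCommunity execute Sup3rStr0ng
authCommunity execute M3g@Str0ng 10.25.5.15
authCommunity execute Ultr@Str0ng 10.25.0.0/16
traphandle default /usr/sbin/snmptthandler
"""

def parse_conf(text):
    """Return (auth_disabled, rules); each rule is (community, source or None)."""
    auth_disabled, rules = False, []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or commented-out directive
        name = fields[0].lower()
        if name == "disableauthorization" and len(fields) > 1:
            auth_disabled = fields[1].lower() in ("yes", "true", "1")
        elif name == "authcommunity" and len(fields) >= 3:
            # authCommunity TYPES COMMUNITY [SOURCE ...]
            source = fields[3] if len(fields) > 3 else None
            rules.append((fields[2], None if source == "default" else source))
    return auth_disabled, rules

def unrestricted(rules):
    """Communities accepted from any source address."""
    return [community for community, source in rules if source is None]

def allowed(auth_disabled, rules, community, src_ip):
    """Simplified model: would a v2 trap with this community and source be authorized?"""
    if auth_disabled:
        return True
    addr = ipaddress.ip_address(src_ip)
    for rule_community, source in rules:
        if rule_community != community:
            continue
        if source is None:
            return True
        try:
            if addr in ipaddress.ip_network(source, strict=False):
                return True
        except ValueError:
            continue  # hostname source: cannot be resolved offline, skipped
    return False

if __name__ == "__main__":
    disabled, rules = parse_conf(SAMPLE_CONF)
    print("authorization disabled:", disabled)
    print("communities with no source restriction:", unrestricted(rules))
```

Run against the final configuration above, the check lists Sup3rStr0ng as accepted from any address, because that authCommunity line has no source field; the address and subnet restrictions only apply to the other two community strings.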

 

 

Restart SNMPTRAPD Service

Whenever you make a change to the /etc/snmp/snmptrapd.conf file you are required to restart the snmptrapd service with the following command:

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl restart snmptrapd.service

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/

 


