Mike,
   Thanks a ton for your help!

   However, snmpd.conf does allow as part of com2sec specification IP address 
of hosts (subnets) from which to allow accesses in addition to the groupname.
   I was wondering, if net-snmp already implements this, if the other option of 
not allowing access from certain hosts is already there - undocumented!

  The requirement that I am up against is to be able to get the Access control 
information from a Cisco-like ACL specification (which includes deny from 
certain hosts/subnets) and be able to put in that access control in net-snmp!

  Looks like that's not there, and will need to bug this forum with my questions 
and issues - as I try to understand and put that in!

  Thanks a ton for all your help..

-Arijit

----- Original Message ----
From: Mike Ayers <[EMAIL PROTECTED]>
To: arijit <[EMAIL PROTECTED]>; net-snmp net-snmp 
<[email protected]>
Sent: Saturday, January 5, 2008 12:24:05 AM
Subject: RE: How to deny access from only some hosts usinf vacm



> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of arijit
> Sent: Friday, January 04, 2008 4:09 AM

>    If I were to prevent access from only a few specific hosts 
> (or subnets) to the agent, is there any way to do it using 
> VACM? If not, what would be a preferred way of implementing the same?

    Host based access is not supported by VACM, which is a good thing,
 because hosts are so spoofable.  Suggested improvements:

    - For general read only access, create a user with a well known
 password.  Block this user from reading VACM and USM, as well as any other
 MIBs or objects which may contain sensitive information.

    - For read/write access, create users for each person that will be
 granted access.  From a security standpoint it does not matter which
 host they are working from, but who they are.

    - If you are addressing traffic flow issues, use traffic flow
 tools.  Your firewall can prevent or restrict all contact with the SNMP
 port(s) based on source host.


    HTH,

Mike

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Net-snmp-users mailing list
[email protected]
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
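
The thread contrasts com2sec source addresses, which can only allow, with a Cisco-like ACL that also denies. As an added example (not part of the original messages and not net-snmp code), this Python sketch compiles an ordered permit/deny list into the equivalent allow-only set of subnets and prints them as com2sec lines. The security name `aclSec`, the community `COMMUNITY_PLACEHOLDER`, the function names and the sample ACL are all constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Parse 'permit|deny' followed by 'any', 'host A' or 'A WILDCARD'."""
    action, *spec = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    if spec == ["any"]:
        return action, ipaddress.ip_network("0.0.0.0/0")
    if spec[0] == "host":
        return action, ipaddress.ip_network(spec[1] + "/32")
    addr, wildcard = spec
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # wildcard -> netmask
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return action, ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def subtract(nets, hole):
    """Remove the network 'hole' from every network in 'nets'."""
    out = []
    for net in nets:
        if net.subnet_of(hole):        # fully denied, drop it
            continue
        if hole.subnet_of(net):        # punch the hole out, keep the rest
            out.extend(net.address_exclude(hole))
        else:                          # disjoint, unaffected
            out.append(net)
    return out

def compile_allow_list(acl_lines):
    """First-match ACL -> allow-only subnets (the implicit final deny is kept)."""
    denies, allowed = [], []
    for action, net in map(parse_rule, acl_lines):
        if action == "deny":
            denies.append(net)         # only shadows permits that come later
            continue
        pieces = [net]
        for hole in denies:
            pieces = subtract(pieces, hole)
        allowed.extend(pieces)
    return list(ipaddress.collapse_addresses(allowed))

def first_match(acl_lines, addr):
    """Reference evaluation: the first matching entry wins, default deny."""
    ip = ipaddress.ip_address(addr)
    for action, net in map(parse_rule, acl_lines):
        if ip in net:
            return action == "permit"
    return False

# Constructed sample ACL, not taken from the thread.
SAMPLE_ACL = ["deny host 192.168.10.5", "deny 192.168.20.0 0.0.0.255",
              "permit 192.168.0.0 0.0.255.255"]
if __name__ == "__main__":
    for net in compile_allow_list(SAMPLE_ACL):
        print(f"com2sec aclSec {net} COMMUNITY_PLACEHOLDER")
```

A single denied host inside a /16 already expands to many allow entries, and the result still matches on source address only, which is the property Mike's reply calls spoofable.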
