The Simple Network Management Protocol (SNMP) is used to monitor network devices and servers. However, incorrect configuration can lead to serious security risks.
- DDoS Amplification: Hackers send small requests with a spoofed source address to your server (UDP port 161), forcing it to send large responses to a victim.
- Information Leakage: Default settings often allow anyone to read system details (kernel version, running processes, disk usage) without a password.
1. Checking for Vulnerability
To test if your server is exposed, run this command from a remote computer (replace 1.2.3.4 with your VPS IP):
# Check if port is open
sudo nmap -sU -p 161 1.2.3.4
# Check if default 'public' string works
snmpget -c public -v 2c 1.2.3.4 1.3.6.1.2.1.1.1.0
If snmpget returns a response (like system info), your server is vulnerable.
2. The Quick Fix: Firewall
If you use SNMP for your own monitoring, you should restrict access to only your trusted monitoring server IP.
Ubuntu / Debian (UFW)
# Allow only from your monitoring server
sudo ufw allow from <TRUSTED_IP> to any port 161 proto udp
# Deny everything else
sudo ufw deny 161/udp
CentOS / RHEL (FirewallD)
# Remove public access
sudo firewall-cmd --zone=public --remove-port=161/udp --permanent
# Add trusted source (Rich Rule)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP>" port protocol="udp" port="161" accept'
sudo firewall-cmd --reload
3. The Better Fix: Service Configuration (Linux)
It is safer to configure the service to listen only on localhost (if not needed externally) or change the default community string.
1. Open the configuration file (usually /etc/snmp/snmpd.conf).
2. Bind to Localhost: Find the line starting with agentAddress and change it to:
agentAddress udp:127.0.0.1:161
3. Change Community String: Never use 'public' or 'private'. Find the line:
rocommunity public default
Change public to a strong, random string (like a password).
4. Restart the service:
sudo systemctl restart snmpd
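As an added example (not part of the original article), this Python script audits the text of an snmpd.conf for the two settings from the steps above: an agentAddress that listens beyond localhost and a 'public' or 'private' community string. The function names and the sample configuration are constructed for illustration, and the script assumes that snmpd listens on all interfaces when no agentAddress line is present.

```python
import ipaddress

WEAK = {"public", "private"}
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
TRANSPORTS = {"udp", "tcp", "udp6", "tcp6"}

def listen_host(spec):
    """Host part of a listening spec like udp:127.0.0.1:161 ('' means all interfaces)."""
    s = spec.lower()
    head, sep, rest = s.partition(":")
    if sep and head in TRANSPORTS:            # drop the transport prefix
        s = rest
    if s.startswith("[") and "]" in s:        # bracketed IPv6, e.g. [::1]:161
        return s[1:s.index("]")]
    host, sep, _port = s.rpartition(":")
    return host if sep else ("" if s.isdigit() else s)  # bare port has no host

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:                        # empty host or a non-local hostname
        return False

def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples; line 0 means a missing directive."""
    findings, saw_agent_address = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "agentaddress":
            saw_agent_address = True
            for spec in filter(None, ",".join(args).split(",")):
                if not is_loopback(listen_host(spec)):
                    findings.append((lineno, f"listens beyond localhost: {spec}"))
        elif directive in COMMUNITY and args and args[0].lower() in WEAK:
            findings.append((lineno, f"default community string: {args[0]}"))
    if not saw_agent_address:
        findings.append((0, "no agentAddress line: snmpd listens on all interfaces"))
    return findings

SAMPLE = """# constructed sample snmpd.conf, not taken from a real host
agentAddress udp:161,udp6:[::1]:161
rocommunity public default
rocommunity 7hQ2vXk9pLr4 192.0.2.10
"""
for lineno, finding in audit_snmpd_conf(SAMPLE):
    print(f"line {lineno}: {finding}")
```

To check a real host, pass the contents of /etc/snmp/snmpd.conf to audit_snmpd_conf() instead of SAMPLE.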
4. Windows Server Fix
On Windows, SNMP is often an optional feature. If enabled, secure it via the Services panel.
- Press Win+R, type services.msc and press Enter.
- Locate SNMP Service. (If not found, you are safe).
- Right-click > Properties > Security tab.
- Accepted Community Names: Remove 'public'. Add a secure name.
- Accept SNMP packets from these hosts: Select this option and add only your monitoring server's IP and 127.0.0.1.
If you don't use SNMP for monitoring, the best solution is to simply uninstall or disable the service completely.