There are few components as integral to security in Simple Network Management Protocol as SNMP community strings. Having the correct community string determines whether you can access information contained within devices throughout your managed network. In this article, we’re going to look at how you can find and create community strings on Windows and Linux. However, before we look at how to find and create community strings, let’s look at what community strings are.
What are SNMP Community Strings?
A community string or SNMP community string is a user ID or password that is sent along with a Get-Request. An SNMP community string is used to allow access to statistics within a managed device or router. A device can access data within other connected devices with the correct community string. If the community string is incorrect then the device ignores the Get-Request.
The default community string of a device depends on the vendor who created the device. That being said it isn’t unheard of for vendors to choose ‘public’ as their password of choice. If you’re using one of these devices then you’d want to change the community string ASAP to keep your network protected from unauthorized access. This is important because the information enclosed within your devices can tell an attacker lots about your network and potential entry points.
It is important to note that there are some different types of SNMP community strings. These are as follows:
- Read-only community string
- Read-write community string
- SNMP Trap community string
The read-only community string allows a device to pull read-only information from a device. In contrast, a read-write community string can be used to pull information and change the configuration of a device. Finally, the SNMP trap community string is included when a device sends an SNMP trap. Community strings also differ based on which version of SNMP is being used.
SNMP Versions and Community String Differences
There are three main versions of SNMP in use, and each of these has a slightly different slant on community strings. This is shown below:
- SNMPv1 – This was the first version of SNMP and used community strings for access restrictions. This version used read-only and read-write community strings. However, data was transmitted unencrypted and was thus vulnerable to external attackers.
- SNMPv2c – This version of SNMP also sends data unencrypted but has additional data types like 64-bit counters that aren’t present in the original.
- SNMPv3 – This is the secure version of SNMP which allows the user to encrypt data transmissions so that they can’t be accessed by prying eyes.
The important thing to note about the first two versions of SNMP listed above is that community strings aren’t encrypted and are vulnerable to being read. They are transmitted in clear text without any protection from prying eyes. By default, SNMPv1 and SNMPv2 equipment hits the market with the read-only community string set to ‘public’.
SNMPv2c has two types of community strings; read-only and read-write. Read-only community strings allow the user to access MIB objects on a read-only basis. MIB objects is the term given to data within the Management Information Base (MIB). This is the data that is exchanged between an SNMP manager and an SNMP agent.
Read-write community strings allow the user to access and interact with MIB objects. This means that the user can log into the SNMP manager and edit the configurations of the SNMP-enabled device. You need to take extra care with these community strings because they can allow anyone to interfere with your system remotely.
Where possible we advise you to use SNMPv3 for the most protection. SNMPv3 is the safest because all transmissions are encrypted, meaning that they can’t be read. However, even if you’re using SNMPv3 you want to make sure that you create a strong community string that can’t be deciphered easily.
See also: MIBs & OIDs Explained
Our methodology for selecting SNMP management tools
We reviewed the market for SNMP viewers and testers and analyzed the options based on the following criteria:
- The ability to decode the standard SNMP message format
- Identification of community strings
- An interface that allows community strings to be added or changed
- A system that can update device agents with access credentials requirements
- A tool that can interconnect with wider SNMP management systems
- A free tool or a paid system with a free trial for a risk-free assessment period
- Free utilities or paid systems that are worth the money
How to Find SNMP Community Strings on Windows
The first thing you need to do when trying to use SNMP community strings on Windows is to make sure that SNMP has been installed. In the example below, we’re going to run through how you can install SNMP on Windows 7, Windows 2008 Server, and Windows 2012 R2 Server.
There are several ways to do this but one of the simplest ways is to use a tool called Free Windows SNMP Enabler from ManageEngine.
To install SNMP and find Community String on Windows follow these steps below:
- Download the Free Windows SNMP Enabler from the ManageEngine website. You don’t need to fill in the contact form in the screen, just click on the red Download button.
- Right click on the downloaded file and select Run as administrator. Click on Yes in the User Access Control screen to allow Windows to run the installer.
- Click through the screens in the installer. Click on Finish in the final screen. The tool will open.
- Enter a server name in the Host field at the top of the screen and press the Add button.
- Check the box in front of the server entry you created in the top panel of the screen.
- Click on the Start button. A pop-up will appear.
Enter the Domain Name, User Name and Password for an account on your server. Press the Connect button.
Configuring SNMPv2c
Even though SNMPv3 is a more secure method, SNMPv2c is still more widely-used by technology vendors. As a result, it is handy to know how to configure a community string on an SNMPv2c-enabled device. To do this there are several things you need to do:
- The first step is to configure the community string by entering the following (“comp” is the name of the community string and “ro” stands for read-only, the securer of the two read permissions):
- Router(config)#snmp-server community comp ro
- Enter the IP address of the host receiver or SNMP manager:
- Router(config)#snmp-server host 10.10.10.12 version 2c TRAPCOMM
- Enable SNMP traps by entering the following:
- Router(config)#snmp-server enable traps
How to Find an SNMP Community String on Linux
As a basic rule, if you want to make use of SNMP community strings then you need to have an SNMP client that has been installed and configured. You can install SNMP on Linux via the following command (we’re using CentOS in the example below): yum -y install net-snmp-snmp-utils
The configuration file within SNMP will not only determine which type of traffic will be monitored but will also define the community string. On Linux you can find the configuration file under the following name: snmpd.conf
This configuration file is generally located in a subdirectory called /etc/snmp.
How to Find Community Strings
Now that we know what community strings are, it’s time to look at how to find them. There are many different ways to find community strings, depending on the hardware you’re using. In this example, we’re going to be referring to how to find SNMP community strings on a Cisco Router or Cisco IOS-based catalyst switch.
Enabling on CISCO router
To enable an SNMP community string on a Cisco router you need to do the following:
- Telnet the following command to the router:
- prompt#telnet 172.16.99.20
- Enter the enable password to launch enable mode:
- Router>enable
- Password:
- Router#
- Show the running configuration and look for the SNMP data. If you don’t find any SNMP data then move on to the next step. However, if you find an SNMP command you’ll want to modify or disable it:
- Router#show running-config
- Building configuration…
- ….
- ….
- Enter configuration mode:
- Router#configure terminal
- Enter configuration commands, one per line. End
- with CNTL/Z
- Router (config) #
- Enter the following command to enable the read-only community string:
- Router (config) #snmp-server community public RO
- To enable the read-write community string, enter the following:
- Router(config)#snmp-server community private RW
- Exit configuration mode back to the main prompt:
- Router (config) #exit)
- Router#
- To save the settings to RAM enter the following:
- Router#write memory
- Building configuration…
- [OK]
- Router#
How to Configure Community Strings on Windows
The process for configuring a community string on Windows depends on the version of Windows that you’re using. In this section, we’re going to look at how to configure an SNMP agent and community string on Windows 2012, Windows 2008 R2, and Windows 2003.
Configuring on Windows 2012
- The first thing you need to do is to log into your dedicated server with Remote Desktop.
- Next click on Windows Key>Administrative Tools>Server Manager.
- Now click the Manage button, then Add Roles and Features.
- Click Next four times. Check that SNMP service has been installed in the Features view. Now click Cancel.
- At this point you need to click on Windows Key>Administrative Tools, followed by Services.
- Right-click on SNMP service and click Properties.
- Go to the Security tab and enter your connection string. This needs to be between 8-10 characters.
- Make sure that your connection string is set to Read-Only in the SNMP Service Configuration box.
- Click on Add to finish.
Configuring on Windows 2008 R2
- First, log into your dedicated server with Remote Desktop.
- Once you’ve logged in, click Start>Administrative Tools>Server Manager.
- Now click Features>Add Features. Make sure that SNMP services are installed!
- Next click on Configuration>Services.
- Right-click on SNMP service followed by Properties
- Go to the Security tab and enter your connection string.
- Make sure that the Community rights box is set to Read-Only in the SNMP Service Configuration box.
- Click Add.
Configuring on Windows 2003
- Log into your dedicated server with Remote Desktop.
- Click Start>Control Panel>Administrative Tools>Computer Management.
- Click on Services>Applications>Services.
- Double-click on the SNMP Service option.
- Go to the Security tab and enter your connection string.
- Check that your connection string is set to read-only.
- Press Add.
How to Configure Community Strings on Linux
On RedHat/CentOS
- Firstly, install the RPM by entering the following command:
- yum install net-snmp
- At this stage you can install snmpwalk to aid your troubleshooting with the following:
- yum install net-snmp-utils
- Next move the default configuration file and establish it as a backup:
- mv /etc/snmp/snmpd.conf /etc/snmp/snmpd/conf.original
- Enter a new SNMP community within a new config file:
- echo “rocommunity notpublic”>/etc/snmp/snmpd.conf
On Debian/Ubuntu
- Install the snmpd package by entering the following:
- apt-get install snmpd
- Next, back up the snmp.conf file by entering the following:
- mv /etc/snmp/snmpd/conf /etc/snmp/snmpd.conf.org
- Create your new snmpd.conf file by entering the following (replace Comparitech with the community string you want to use):
- echo “rocommunity comparitech”>/etc/snmp/snmpd.conf
- Edit your snmpd file:
- nano /etc/default/snmpd
- Find and comment out the following:
- SNMPSDOPTS=‘ -Lsd -Lf /dev/null -u snmp -p /var/run/snmpd.pid’
- Now add the following line:
- SNMPDOPTS=‘ -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd/pid -c /etc/snmp/snmpd/conf’
- Close and save the file.
- Restart snmpd by entering the following:
- /etc/init.d/snmpd restart
- sysv-rc-conf snmpd on
Community String Best Practices
One of the most commonly-overlooked aspects of configuring a community string is picking a community string that is completely secure. Community strings act like passwords and just like passwords they need to be written in a way that isn’t easy to guess. When you’re configuring SNMP strings in your network you want to make sure they are as hard to guess as possible.
There are many ways you can do this:
- Create community strings of 20 characters or more.
- Include a mix of uppercase characters, lowercase characters, digits, and symbols.
- Don’t use dictionary words.
- Don’t refer to any personal information.
- Make sure that public and private community strings are different!
- Apply different community strings to different network devices!
Employing the best practices above is very important because unlike a password, SNMP won’t lock out a user if they guess wrong too many times. Hackers will have an indefinite amount of attempts to guess your community string so you need to make sure the characters are as difficult to guess as possible.
How to Confirm a Community String
Once SNMP is in operation, you will be able to check through the logs of your network manager to see which devices it can get status reports from. If an expected network device is missing from the list, you should be aware that one possible reason for that absence could be that the community string wasn’t set properly and the device refused the Get-Request.
To avoid having to wade through lists of device agent responses, you could use a simple test facility after each community string setting exercise to check that the device is actually using the enabled password that you thought was set.
The Paessler Free SNMP Testing Tool is a good utility to use for checking on the community string on your network devices. This program runs on Windows and can be downloaded for free.
The SNMP Tester won’t tell you the community string for a network device – you have to enter the password as a parameter before running the test. However, a quick run of the tester will let you know immediately whether the community string you thought you had set on a device is actually current.
The tool’s creator, Paessler is best known for its PRTG product. This is an extensive IT infrastructure monitoring system that includes network performance monitoring that is driven by SNMP.
Closing Words: SNMP Community Strings
If you want additional peace of mind then you can hire a professional to conduct a penetration test. A penetration test is where someone attempts to breach your network and exploit existing vulnerabilities. A successful penetration test will make sure that you don’t have any gaps in your network security that hackers can target. So long as you’ve implemented the steps above you should be completely fine, but it is always worth verifying that your network is protected from unauthorized users.
Pros:
- Great tool for prepping devices for a SIEM implementation or other agent-based monitoring
- Super lightweight, doesn’t take up much space or system resources
- Works well in tandem with other PRTG sensors
Cons:
- PRTG is designed for network administrators and requires networking knowledge to fully utilize
That concludes our guide to finding and creating community strings in Windows and Linux. As you can see, the process is relatively simple on both operating systems. Regardless of what platform you’re on, make sure that SNMP is enabled before you go dabbling about with any configurations.
Likewise, whenever you enter a community string always make sure that you make the string as difficult to guess as possible. If you have a community string that is easy to guess, then you’re leaving your internal network open to attacks and downtime. Following the best practices listed above will help to make sure that this isn’t an issue.
For the utmost in data security, you want to make sure that you’re using SNMPv3. This way you will be able to benefit from encryption and keep your community strings protected. Likewise, you want to keep a close lock on read-write community strings because these represent the biggest threat to your security.
If an unauthorized user gets access to a read-write community string then they will not only be able to read your device data but will also be able to change your configurations as well! Carefully managing your usage of SNMP and community strings will make sure that you can use community strings without leaving your network vulnerable to an attacker.