#1132997 snmpd: Adding a helpful warning to the SNMPD configuration

Package:
snmpd
Source:
snmpd
Description:
SNMP (Simple Network Management Protocol) agents
Submitter:
Marc Singer
Date:
2026-05-27 10:13:01 UTC
Severity:
normal
Tags:
#1132997#5
Date:
2026-04-08 17:22:49 UTC
In the snmpd configuration file, by default we have this:

# agentaddress: The IP address and port number that the agent will listen on.
#   By default the agent listens to any and all traffic from any
#   interface on the default SNMP port (161).  This allows you to
#   specify which address, interface, transport type and port(s) that you
#   want the agent to listen on.  Multiple definitions of this token
#   are concatenated together (using ':'s).
#   arguments: [transport:]port[@interface/address],...

agentaddress  127.0.0.1,[::1]

# ...

# Read-only access to everyone to the systemonly view
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly

What this means is that if someone makes the server publicly available
for the sake of monitoring, the server may become available as a DDoS
attack lever as well.

What I am recommending is that we add a stern warning in the default
configuration that changing the listening address and leaving these
public access entries intact may result in creating a hazard on the
Internet if there are no other precautions taken.  Of course, someone
experienced with SNMP would know this implicitly, but this is an easy
detail to miss given that the community 'public' is a discrete feature
of the daemon.

Or, to put it another way, adding access control requiring either a
community string (other than public) or v3 authentication would not
eliminate the open access available via the public community.
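
A configuration check for the combination described in this report, added here as an example (it is not code from the report or from net-snmp): it flags community lines whose source is `default` or omitted whenever `agentaddress` lists anything other than loopback. The function name `audit_snmpd_conf`, the loopback pattern and both sample configurations are constructed for illustration.

```python
import re

# Loopback forms accepted in an agentaddress specifier, e.g. 127.0.0.1,
# [::1], udp:127.0.0.1:161, udp6:[::1]:161, 161@127.0.0.1
LOOPBACK = re.compile(r"(^|[:@\[])(127\.\d+\.\d+\.\d+|localhost|::1)($|[:\]])")
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (directive, community, exposed_listeners) for every community
    line that accepts any source while the agent listens beyond loopback."""
    listeners, open_lines, saw_agentaddress = [], [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if not fields:
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "agentaddress":
            saw_agentaddress = True
            listeners += [a for a in ",".join(args).split(",") if a]
        elif key in COMMUNITY and args:
            # Source "default" (or no source at all) means "any host".
            source = args[1] if len(args) > 1 else "default"
            if source == "default":
                open_lines.append((fields[0], args[0]))
    if saw_agentaddress:
        exposed = [a for a in listeners if not LOOPBACK.search(a)]
    else:
        # Per the comment in the shipped file, no agentaddress = all interfaces.
        exposed = ["*"]
    return [(d, c, exposed) for d, c in open_lines] if exposed else []

# Constructed samples: the shipped defaults quoted in the report, and the same
# file after an admin opens the listener and adds a restricted community.
SHIPPED = """\
agentaddress  127.0.0.1,[::1]
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
"""
OPENED = """\
agentaddress  udp:161,udp6:[::1]:161
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rocommunity  m0nitor-example 192.0.2.10
"""

if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED), ("opened", OPENED)):
        print(name, audit_snmpd_conf(conf))
```

The second sample shows the point made above: the added, source-restricted community is not reported, but the two `public default` lines still are.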

#1132997#8
Date:
2026-05-27 10:10:42 UTC
Hello,

Bug #1132997 in net-snmp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/net-snmp/-/commit/fb3c826250bb23422c30f1850b1fb0747a27560e
------------------------------------------------------------------------
snmpd.conf: Only allow localhost by default

While the listen address only had localhost the community
allowed access from everywhere. Update the community to
only be valid for localhost. Closes: #1132997

Also added changelog for Use systemd-sysusers for user creation !17
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1132997