In the snmpd configuration file, by default we have this:
# agentaddress: The IP address and port number that the agent will listen on.
# By default the agent listens to any and all traffic from any
# interface on the default SNMP port (161). This allows you to
# specify which address, interface, transport type and port(s) that you
# want the agent to listen on. Multiple definitions of this token
# are concatenated together (using ':'s).
# arguments: [transport:]port[@interface/address],...
agentaddress 127.0.0.1,[::1]
# ...
# Read-only access to everyone to the systemonly view
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
What this means is that if someone makes the server publicly available
for the sake of monitoring, the server may become available as a DDoS
attack lever as well.
What I am recommending is that we add a stern warning in the default
configuration that changing the listening address and leaving these
public access entries intact may result in creating a hazard on the
Internet if there are no other precautions taken. Of course, someone
experienced with SNMP would know this implicitly, but this is an easy
detail to miss given that the community 'public' is a discrete feature
of the daemon.
Or, to put it another way, adding access control requiring either a
community string (other than public) or v3 authentication would not
eliminate the open access available via the public community.
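The combination described above (a non-loopback agentaddress plus a community granted to the 'default' source) can be checked mechanically. The script below is an added example, not part of this report and not net-snmp's own code: it parses the agentaddress and (ro|rw)community(6) directives of an snmpd.conf and reports any community that would be reachable from anywhere. The three sample configurations are constructed here: the first mirrors the default quoted above, the second is the same file with the listening address changed, and the third is a hardened variant (a non-public community restricted to a source network, plus a v3 user; the names s3cr3t, 10.0.0.0/24 and monitor are placeholders). The assumption that omitting agentaddress means listening on all interfaces on port 161 is taken from the quoted comment. The check is a heuristic only: it does not evaluate com2sec/group/access tables, views, or host firewalling.

```python
"""Flag snmpd.conf files that expose a 'default'-source community off loopback."""
import re
from ipaddress import ip_address

COMMUNITY_DIRECTIVES = {"rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6"}
TRANSPORT_RE = re.compile(r"^(udp6?|tcp6?|unix|dtlsudp|tlstcp):(.*)$")
BRACKET_RE = re.compile(r"^\[([^\]]+)\](?::(\d+))?$")


def parse_directives(text):
    """Yield (keyword, [args]) for every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def listen_addresses(text):
    """Collect agentaddress endpoints; comma-separated lists and repeated lines concatenate."""
    addrs = []
    for kw, args in parse_directives(text):
        if kw == "agentaddress":
            addrs += [t.strip() for t in ",".join(args).split(",") if t.strip()]
    return addrs


def endpoint_host(token):
    """Reduce '[transport:]host[:port][@iface]' to its host part ('' = all interfaces)."""
    m = TRANSPORT_RE.match(token)
    transport, rest = (m.group(1), m.group(2)) if m else (None, token)
    if transport == "unix":
        return "unix"                      # filesystem socket: local by construction
    rest = rest.split("@", 1)[0]           # drop '@interface' qualifier
    m = BRACKET_RE.match(rest)
    if m:
        return m.group(1)                  # bracketed IPv6 literal, optional port
    if rest.count(":") > 1:
        return rest                        # bare IPv6 literal without port
    if ":" in rest:
        return rest.split(":", 1)[0]       # host:port
    if rest.isdigit():
        return ""                          # port only: every interface
    return rest


def is_local_only(host):
    """True only for loopback addresses, 'localhost' and unix sockets."""
    if host in ("unix", "localhost"):
        return True
    if host == "":
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False                       # hostname/interface name: treat as reachable


def open_communities(text):
    """Communities whose source is 'default' (any address) or omitted (same meaning)."""
    found = []
    for kw, args in parse_directives(text):
        if kw in COMMUNITY_DIRECTIVES and args:
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            if source == "default":
                found.append((kw, args[0]))
    return found


def exposure_report(text):
    """One finding per any-source community that is reachable off loopback."""
    # Per the stock config comment: no agentaddress means all interfaces, port 161.
    endpoints = listen_addresses(text) or ["udp:161"]
    exposed = [e for e in endpoints if not is_local_only(endpoint_host(e))]
    if not exposed:
        return []
    findings = []
    for directive, community in open_communities(text):
        kind = "well-known community" if community == "public" else "any-source community"
        findings.append(f"{directive} '{community}' reachable via {', '.join(exposed)} ({kind})")
    return findings


# Constructed sample configurations (placeholders: s3cr3t, 10.0.0.0/24, monitor).
DEFAULT_CONF = """agentaddress 127.0.0.1,[::1]
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
"""
EXPOSED_CONF = """agentaddress udp:161,udp6:161
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
"""
HARDENED_CONF = """agentaddress udp:161,udp6:161
rocommunity s3cr3t 10.0.0.0/24 -V systemonly
rouser monitor priv
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, exposure_report(conf) or "no findings")
```

The default file passes because both endpoints are loopback; changing only agentaddress turns both public entries into findings; the hardened file passes because its community is bound to a source network and read access for the wider network comes from a v3 user instead.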