# Tip: Configuring snmpd listen ports and addresses

## Ox-

By default on a fresh emerge, snmpd (from the net-snmp-5.1.1-r1 ebuild) will listen on *:199 (smux) and *:161 (snmp).  I don't like this because, even though I can protect the ports from the internet with iptables, I still like stuff behind the firewall to be as secure as possible.

There are two ways to control the snmp port addresses.  One way is with a command line option in /etc/conf.d/snmpd:

```
SNMPD_FLAGS="127.0.0.1:161"
```

and the second way is in /etc/snmp/snmpd.conf:

```
agentaddress 127.0.0.1:161
```

The smux port is 199, and this probably shouldn't even be installed by the ebuild, but it is, so we need to either restrict it or completely disable it.  It's safe to completely disable if you don't know what smux is.  Typical net-analyzer programs like nagios and mrtg will only use the snmp port.  Gated is one of the few applications that use smux, and if you're running that you probably already know what smux is.

So, in /etc/snmp/snmpd.conf put:

```
# If we must have smux, bind to private address
#smuxsocket 127.0.0.1:199

# Otherwise, specify a bad address.  Will generate an
# error in net-snmpd.log, which can be ignored.  This
# will cause snmpd to not open smux socket.
smuxsocket 1.1.1.1
```

There are some hints on the net to use the following options on the snmpd command line to get rid of smux:

```
SNMPD_FLAGS="-I -smux"
```

but this just eliminates the smux mib module.  The smux port is still opened and now smuxsocket won't disable it in the snmpd.conf file because the module isn't loaded.

----------

## zeek

Isn't the whole idea of SNMP to remotely query and control machines?  What is the purpose of querying the local machine -- all the data is already available through other means.

Isn't it possible to limit snmp clients to a specific protocol version and to run in read only mode?

----------

## Ox-

If you just have one machine then yes, there are obviously more common ways to get statistics, but even then you might need snmp if you want to run an analyzer that prefers an SNMP interface.

Yes, you can set SNMP up to be read-only, but I don't want the public internet to even read.  Yes, I can protect the ports with a firewall and use more recent SNMP protocols with authentication, but I want to restrict the ports in addition to the firewall and authentication.  It just makes me feel safer.

Also, in my case, I have a LAN on a second interface on a group of servers, so I want SNMP to listen only on the eth1 LAN interface.  I can collect data from all the machines in the LAN from a central admin computer running something like cacti, and don't have to worry about the security of open SNMP ports on the eth0 public internet interface.

Finally, I've seen questions on other forums, and one here on the Gentoo German forum, about what the smux port is and how to turn it off.  So I figured this tip would be useful for anyone doing a search in the future.

----------

## guid0

Thanks for the to-the-point post.

----------

