5.1 Ensure Common SNMP Community Strings are NOT used


Do not use common / default community strings.


SNMP can be used to read, and sometime write, sensitive information about your router and network environment.

When using SNMP Versions 1 and 2C (SNMPv2c) a community string is used to identify and, to a limited degree, authenticate Management Stations. If an attacker knows or guesses the community string that is used they may be able gain access to the SNMP interface as if they were a valid administrator.

To reduce the risk of an attacker guessing your community strings you should not use the following well known, common strings which are used as defaults on many brands of router:






Any community used should be complex and should not match any of the passwords used elsewhere on the device or in your organization.

NOTE: SNMP does not appear to be configured on the target. This check is not applicable.


If you have deployed SNMPv1 or SNMPv2c on your router using one of these strings, rename the community using the following command under the [edit snmp] hierarchy;

[edit snmp]
user@host#rename community <old community> to community <new community>

Default Value:

No SNMP communities are set by default on most platforms.

See Also


Item Details


References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: a4af1207719e4def7a37a8d3d9d27fe8bf21527d230aceb2317120ede6a64540