eduardo:linux:snmp, revision 2010/07/29 05:49 by eduardo; current revision 2024/02/23 08:20 (external edit from 127.0.0.1)
====== SNMP ======
  - SNMP Version 1: The first version of SNMP to be implemented. Version 1 was designed as a protocol to provide device statistics and error reporting without consuming a lot of system resources. Security was limited to community strings and access controls based on the IP address of the querying server. Data communication was not encrypted.
  - SNMP Version 2: The second version of SNMP, often referred to as v2c, expanded the number of supported error codes, increased the size of the counters used to track data, and added bulk queries that load response packets with data more efficiently. SNMP v2c is backward compatible with version 1 and keeps the same community-string security model, so community strings still travel in the clear.
  - SNMP Version 3: This version provides greater security and remote configuration capabilities than its predecessors. Access is not limited to a single community string for read-only and read/write access, as usernames and passwords have been introduced. Views of OIDs in a MIB can also be limited on a per-user basis. Support for encrypted SNMP data transfer and transfer error detection is also provided.
  
===== SNMP Utils =====
  * If you intend to use your Linux box to query your network devices, other servers or even itself using MRTG or any other tool, you need to have the SNMP utility tools package installed (net-snmp-utils on Red Hat-based systems; the same tools ship in the snmp package on Debian/Ubuntu).
  * Utilities
    * snmpget
    * snmpwalk

==== Install (Ubuntu) ====
<code>
sudo apt-get install snmp
</code>

==== Usage ====
  * snmpwalk
  * The examples below walk a remote device and the interface MIB of the local server using SNMP v1; -c gives the community string.
<code>
snmpwalk -v 1 -c iptel 147.10.17.96
snmpwalk -v 1 -c craz33guy localhost interface
</code>

  * snmptrap
<code>
# -v 2c / -c: protocol version and community string; -d dumps the sent packet in hex
# 10.80.100.38 is the trap receiver, 1002 the sysUpTime value, and the last argument the trap OID
snmptrap -v 2c -c iptel -d 10.80.100.38 1002 1.3.6.1.4.1.161.1.1.0
</code>

===== SNMP Server =====

==== Install ====
  * Install the snmpd package
<code>
sudo apt-get install snmpd
</code>

==== Configuration ====

=== SNMP ===
  * Move the existing /etc/snmp/snmpd.conf configuration file to /etc/snmp/snmpd.conf.org
<code>
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
</code>

  * Create a new /etc/snmp/snmpd.conf file (rocommunity with no source argument accepts the community string from any address; a source such as a network prefix can be given after the community string to restrict it):
<code>
rocommunity  iptel
syslocation  "17/320 Pitt St, Sydney"
syscontact  eduardo.ferreira@team.telstra.com
</code>

  * Edit /etc/default/snmpd
  * Configure the IP addresses that snmpd listens on
  * Enable snmptrapd, which is disabled by default as of net-snmp version 5.0
  * Leave the other settings at their defaults
<code>
# snmpd options (use syslog, close stdin/out/err).
# replace 204.x.y.z with your public IP
# SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1 204.x.y.z'

# snmptrapd control (yes means start daemon).  As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run.  See snmpd.conf(5) for how to do this.
TRAPDRUN=yes
</code>

  * Configure SNMP traps to be logged to syslog facility 2 (local2)
  * Edit /etc/snmp/snmptrapd.conf (the authCommunity and logOption directives are read from snmptrapd.conf)
<code>
# For Community String iptel
authCommunity log,execute,net iptel

# Log to syslog with facility local2
logOption s 2
</code>

  * Restart SNMP
<code>
sudo /etc/init.d/snmpd restart
</code>

=== SNMPv3 ===
  * Stop SNMP
<code>
sudo /etc/init.d/snmpd stop
</code>

  * Create SNMPv3 user
  * In this example the authentication password "pocketmonster" for the read-only (-ro) username "iptel" is used with the MD5 authentication protocol (HMAC-MD5). The data itself will not be encrypted.
<code>
server:/$ sudo net-snmp-config --create-snmpv3-user -ro -a MD5 -A pocketmonster iptel

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser iptel MD5 "pocketmonster" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser iptel

server:/$
</code>

  * Create SNMPv3 user with privacy
  * To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read-only username "iptel" and authentication password "pocketmonster" are used, but this time the data will be encrypted using the DES algorithm (-x) with the privacy password "pocketmonster" (-X).
<code>
server:/$ sudo net-snmp-config --create-snmpv3-user -ro -a MD5 -A pocketmonster -x DES -X pocketmonster iptel

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser iptel MD5 "pocketmonster" DES pocketmonster
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser iptel

server:/$
</code>

  * Restart SNMP (the service was stopped above, so it has to be started again for the new user to be loaded)
<code>
sudo /etc/init.d/snmpd restart
</code>

  * Your password and privilege information are stored in /var/lib/snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. Here is an example.
<code>
createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES
</code>

  * When snmpd restarts it replaces these createUser lines with usmUser entries. They hold the localized keys derived from the passwords (the RFC 3414 password-to-key hash, tied to the agent's engine ID) instead of the cleartext passwords, which helps to further increase security; the user names appear as hex strings with a trailing 0x00. We can see an example of this configuration here.
<code>
usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10.1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474
</code>
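As an added example (not code from the original page), the Python below implements the RFC 3414 password-to-key and localization steps that turn a createUser password into the usmUser key fields shown above, renders such a line for a constructed engine ID, and parses one back. The engine ID, the helper names and the sample user are assumptions made for the example.

```python
"""RFC 3414 key localization and the usmUser line format that snmpd persists.
Added example, not code from the original page; engine IDs below are constructed."""
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2.1: the password is cycled to fill 1 MiB before hashing
AUTH_OID = {"md5": ".1.3.6.1.6.3.10.1.1.2", "sha1": ".1.3.6.1.6.3.10.1.1.3"}
DES_OID = ".1.3.6.1.6.3.10.1.2.2"  # usmDESPrivProtocol, as in the usmUser lines above


def password_to_ku(password: str, hashname: str = "md5") -> bytes:
    """Ku: hash of the password repeated to 1 MiB. Identical on every agent."""
    pw = password.encode()
    return hashlib.new(hashname, (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]).digest()


def localize(ku: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku). This is what the agent stores: it is bound to
    this engine ID, so a leaked file yields no keys for other agents, but it is still
    password-equivalent for this agent, which is why the file must stay root-only."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_user_line(user: str, auth_pw: str, priv_pw: str, engine_id: bytes) -> str:
    """Render the usmUser entry snmpd writes for
    'createUser USER MD5 "AUTH_PW" DES PRIV_PW' (names carry a trailing NUL byte)."""
    name = "0x" + (user.encode() + b"\0").hex()
    auth_key = localize(password_to_ku(auth_pw), engine_id)
    priv_key = localize(password_to_ku(priv_pw), engine_id)[:16]  # DES: 8-byte key + 8-byte pre-IV
    return " ".join(["usmUser", "1", "3", "0x" + engine_id.hex(), name, name, "NULL",
                     AUTH_OID["md5"], "0x" + auth_key.hex(), DES_OID, "0x" + priv_key.hex(), "0x00"])


def parse_usm_user(line: str) -> dict:
    """Recover the security name and protocol OIDs from a stored usmUser line."""
    f = line.split()
    if len(f) < 12 or f[0] != "usmUser":
        raise ValueError("not a usmUser line")
    sec_name = bytes.fromhex(f[5][2:]).rstrip(b"\0").decode()
    return {"user": sec_name, "engine_id": f[3], "auth_proto": f[7], "priv_proto": f[9]}


if __name__ == "__main__":
    eid = bytes.fromhex("80001f8880e1a5b3c4d5e6f7a8")  # constructed engine ID, not a real agent's
    line = usm_user_line("iptel", "pocketmonster", "pocketmonster", eid)
    print(line)
    print(parse_usm_user(line))
```

The RFC 3414 appendix test vector ("maplesyrup" with engine ID 0x000000000000000000000002) can be used to check the two hashing steps against a known answer.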

  * To test non-encrypted SNMPv3 data
  * We specify the authentication password and authentication protocol, and we also use the -l flag to indicate that authentication will be used but data privacy will be disabled (the authNoPriv security level).
<code>
[root@server ~]# snmpget -v 3 -u iptel -l authNoPriv -a MD5 -A pocketmonster 147.10.33.67 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@server ~]#
</code>

  * To test encrypted SNMPv3 data (the authPriv security level additionally takes the privacy protocol with -x and the privacy password with -X)
<code>
[root@server ~]# snmpget -v 3 -u iptel -l authPriv -a MD5 -A pocketmonster -x DES -X pocketmonster 147.10.33.67 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@server ~]#
</code>