SNMP

Overview

SNMP is fairly complicated to set up. For most practical uses, however, the setup below suffices. It allows for the following:

  • Create 2 communities - public and private
  • "public" allows for a limited view of the MIB tree. Only systemview in this case.
  • "private" allows for a full view of all the MIBs.
  • The private view is allowed only from localhost or from the management host which is a.b.c.d

Tested on Fedora Core 4. The same config would work on FreeBSD.

[shanu@faith ~]$ rpm -qa|grep snmp
net-snmp-utils-5.2.1.2-fc4.1
net-snmp-libs-5.2.1.2-fc4.1
net-snmp-5.2.1.2-fc4.1

Tested on Ubuntu

shanu@3r6s4:~$ dpkg -l snmpd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                               Version                            Description
+++-==================================-==================================-====================================================================================
ii  snmpd                              5.4.2.1~dfsg0ubuntu1-0ubuntu2.1    SNMP (Simple Network Management Protocol) agents


  • NOTE: On FreeBSD, you can avoid the complicated net-snmp by using bsnmpd(1), which is shipped with the base OS. See the "SNMP Using bsnmpd(1)" section.

Configuration

  • /etc/snmp/snmpd.conf (diff from the stock snmpd.conf shipped in the pkg)
$ sudo diff -du tmp/etc/snmp/snmpd.conf /etc/snmp/snmpd.conf 
--- tmp/etc/snmp/snmpd.conf     2010-06-01 22:05:56.000000000 -0700
+++ /etc/snmp/snmpd.conf        2010-07-14 06:39:17.975164559 -0700
@@ -58,8 +58,8 @@
# from):

#       sec.name  source          community
-com2sec paranoid  default         public
-#com2sec readonly  default         public
+#com2sec paranoid  default         public
+com2sec readonly  default         public-foobar
#com2sec readwrite default         private

####
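
Review bot: On the added "com2sec readonly default public-foobar" line the source is still "default", so the renamed community is accepted from any address; replace "default" with the host or network that actually polls this agent. The "#com2sec readwrite default private" line also stays commented out, while the overview describes a private community limited to localhost and a.b.c.d and the Testing section walks with "-c private"; the change should carry those com2sec lines with explicit sources instead of leaving them implied.
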
@@ -82,7 +82,7 @@
#           incl/excl subtree                          mask
view all    included  .1                               80
view system included  .1.3.6.1.2.1.1
-#view system included  .iso.org.dod.internet.mgmt.mib-2.system
+view system included  .iso.org.dod.internet.mgmt.mib-2.system

####
# Finally, grant the 2 groups access to the 1 view with different
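
Review bot: The added "view system included .iso.org.dod.internet.mgmt.mib-2.system" line names the same subtree as the unchanged ".1.3.6.1.2.1.1" line directly above it, so uncommenting it does not change what the system view exposes. Keep only one of the two forms, preferably the numeric one since it does not depend on MIB name resolution. The hunk also ends before the access lines, so it does not show which group is bound to "system" and which to "all"; include them so the readonly mapping can be checked against the limited view.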

Testing

Limited public community view

[shanu@faith ~]$ snmpwalk -v2c -c public-foobar  localhost .1
sysDescr.0 = STRING: Shanu's Laptop
sysObjectID.0 = OID: netSnmpAgentOIDs.10
sysUpTime.0 = Timeticks: (568003) 1:34:40.03
sysContact.0 = STRING: 'Shanker Balan < at shanu-goaway-spammer-balan-dot-net>'
sysName.0 = STRING: faith.bangalore.corp.yahoo.com
sysLocation.0 = STRING: 'Bangalore, India'
sysORLastChange.0 = Timeticks: (22) 0:00:00.22
sysORID.1 = OID: ifMIB
sysORID.2 = OID: snmpMIB
sysORID.3 = OID: tcpMIB
sysORID.4 = OID: ip
sysORID.5 = OID: udpMIB
sysORID.6 = OID: vacmBasicGroup
sysORID.7 = OID: snmpFrameworkMIBCompliance
sysORID.8 = OID: snmpMPDCompliance
sysORID.9 = OID: usmMIBCompliance
sysORDescr.1 = STRING: The MIB module to describe generic objects for network interface sub-layers
sysORDescr.2 = STRING: The MIB module for SNMPv2 entities
sysORDescr.3 = STRING: The MIB module for managing TCP implementations
sysORDescr.4 = STRING: The MIB module for managing IP and ICMP implementations
sysORDescr.5 = STRING: The MIB module for managing UDP implementations
sysORDescr.6 = STRING: View-based Access Control Model for SNMP.
sysORDescr.7 = STRING: The SNMP Management Architecture MIB.
sysORDescr.8 = STRING: The MIB for Message Processing and Dispatching.
sysORDescr.9 = STRING: The management information definitions for the SNMP User-based Security Model.
sysORUpTime.1 = Timeticks: (18) 0:00:00.18
sysORUpTime.2 = Timeticks: (18) 0:00:00.18
sysORUpTime.3 = Timeticks: (18) 0:00:00.18
sysORUpTime.4 = Timeticks: (18) 0:00:00.18
sysORUpTime.5 = Timeticks: (18) 0:00:00.18
sysORUpTime.6 = Timeticks: (18) 0:00:00.18
sysORUpTime.7 = Timeticks: (22) 0:00:00.22
sysORUpTime.8 = Timeticks: (22) 0:00:00.22
sysORUpTime.9 = Timeticks: (22) 0:00:00.22
hrSystemUptime.0 = Timeticks: (3987402) 11:04:34.02
hrSystemUptime.0 = No more variables left in this MIB View (It is past the end  of the MIB tree
[shanu@faith ~]$ snmpwalk -Os -c public -v 2c localhost .1|wc -l
36
[shanu@faith ~]$ sudo chkconfig --level 35 snmpd on
[shanu@faith ~]$ chkconfig --list|grep snmpd
snmpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off

Full private Community View

[shanu@faith ~]$ snmpwalk -Os -c private -v 2c localhost .1
[..]
[shanu@faith ~]$ snmpwalk -Os -c private -v 2c localhost .1|wc -l
7790

NOTE

  1. Keep SNMP port (161/UDP) protected from the public to minimise security risk
  2. Turn off the "public" view if not needed. It seldom is.
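
An added example, not part of the original page or of net-snmp: a small Python audit of the com2sec, group, view and access directives that checks the two notes above together with the overview's source restriction. The sample config and the group names MyROGroup/MyRWGroup are constructed for illustration, and only the plain four-field com2sec form is parsed.

```python
WELL_KNOWN = {"public", "private"}   # default community strings
FULL_TREE = {".1", ".iso"}           # view subtrees that expose the whole MIB tree

# Constructed sample, modelled on the directives shown on this page.
SAMPLE = """\
#       sec.name  source          community
com2sec readonly  default         public-foobar
com2sec readwrite default         private
com2sec readwrite localhost       private
group MyROGroup v2c readonly
group MyRWGroup v2c readwrite
view all    included  .1                               80
view system included  .1.3.6.1.2.1.1
access MyROGroup "" any noauth exact system none none
access MyRWGroup "" any noauth exact all    all  none
"""

def audit(conf_text):
    """Return (line_no, message) findings for the com2sec mappings in conf_text."""
    com2sec, group_of, access, views = [], {}, {}, {}
    for n, line in enumerate(conf_text.splitlines(), 1):
        tok = line.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(tok) == 4 and tok[0] == "com2sec":
            com2sec.append((n, tok[1], tok[2], tok[3]))
        elif len(tok) == 4 and tok[0] == "group":
            group_of[tok[3]] = tok[1]            # simplification: one group per sec.name
        elif len(tok) >= 4 and tok[0] == "view" and tok[2] == "included":
            views.setdefault(tok[1], set()).add(tok[3])
        elif len(tok) == 9 and tok[0] == "access":
            access[tok[1]] = (tok[6], tok[7])    # (read view, write view)
    findings = []
    for n, sec, source, community in com2sec:
        read_view, write_view = access.get(group_of.get(sec), ("none", "none"))
        if community in WELL_KNOWN:
            findings.append((n, f"well-known community '{community}'"))
        if source == "default":                  # 'default' matches any client address
            if write_view != "none":
                findings.append((n, f"'{sec}' has write view '{write_view}' from any source"))
            if views.get(read_view, set()) & FULL_TREE:
                findings.append((n, f"'{sec}' can read the full tree from any source"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```

To check a live agent, pass the contents of /etc/snmp/snmpd.conf to audit() instead of SAMPLE.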