This document considers the following variables that should be replaced by real values:
- 192.168.10.0/24 : Network IP address and subnet mask in CIDR format corresponding to the local area network.
- password : Any password good enough.
- nmis.support.latam.lab : Host name of the system where the service is being configured.
- nmis-support-latam-lab@some-domain.net : Server administrator email account.
- 192.168.10.254 : IP address of the server.
...
At least two groups are created: MyRWGroup and MyROGroup . The first will be a group that will be assigned read-write permissions later, and the second will be a group that will later be assigned read-only permissions . For each group, three lines are assigned that specify the type of access that will be allowed at any given time to a particular group. That is, MyRWGroup is associated with local and MyROGroup to MyLocalRed .
Code Block |
---|
# Second, map the security name into a group name: # groupName securityModel securityName group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser group trustedGroup v2c trustedUser #### #A assigned to the group writing reading group MiGrupoRW v1 Local group MiGrupoRW v2c Local group MiGrupoRW usm Local #A assigns MiRedLocal to the group read - only group MiGrupoRO v1 MiRedLocal group MiGrupoRO v2c MiRedLocal group MiGrupoRO usm MiRedLocal |
...
You must specify what permissions the two groups, MyGroupRO and MyGroupRW, will have . The last columns are of special interest.
...
The example shown below is used on all computers owned by the author at home and in the office. You just have to replace the value redlocal with whatever you consider appropriate and replace the value 192.168.110.0/24 with the value of the network or the IP address from which access is required with a snmp client , such as MRTG .NMIS8 or NMIS9.
Code Block |
---|
###### # Access Control Lists (ACLs) # First, |
...
map the community name "public" into a "security name" # sec.name |
...
source community com2sec notConfigUser default public com2sec local 127.0.0.1/32 |
...
password |
...
com2sec MyLocalNetwork |
...
192.168. |
...
10.0/24 |
...
password ###### # This community string has full SNMP view to access all the goodness com2sec trustedUser default nmisGig8 ###### # ACL is assigned to group read write # Second, map the |
...
security name into a group name: # groupName securityModel securityName group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser group trustedGroup v2c trustedUser ###### # Third, create a view for us to let the group have rights to: # Make at least snmpwalk -v 1 localhost -c public system fast again. # name incl/excl subtree mask(optional) view systemview included .1.3.6.1.2.1.1 view systemview included .1.3.6.1.2.1.25.1.1 view fullview included .1 view all included .1 80 ###### # Finally, grant the group read-only access to the systemview view. # group context sec.model sec.level prefix read |
...
write |
...
notif access |
...
notConfigGroup "" any noauth exact |
...
systemview none none access trustedGroup "" |
...
any |
...
...
noauth exact fullview none |
...
none
access |
...
Follow the procedure below to add more client hosts to the service:
...
MiGrupoRO "" any noauth exact all none none
access MiGrupoRW "" any noauth exact all all all
######
# System contact information
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation Linux server on CDMX LATAM
syscontact Administrator support@opmantek.com latam@opmantek.com |
Activate, start, stop and restart the service.
Run the following to activate the service at all runlevels:
Code Block |
---|
chkconfig snmpd on |
Run the following to run the service for the first time:
Code Block |
---|
service snmpd start |
Run the following to restart the service and apply changes made to the configuration:
Code Block |
---|
service snmpd restart |
Run the following to stop the service:
Code Block |
---|
service snmpd stop |
Checks.
Considering, as an example , to be sign as password password on a system whose IP address is 192.168.1.254 , to test whether the configuration works, you just have to run the following two commands to verify that return information about the queried system.
Code Block |
---|
## V1 snmpwalk -v 1 |
...
<ip_device> -c |
...
<community_SNMP> system ## V2 snmpwalk - |
...
v2c -c |
...
Necessary modifications to the fire wall.
If using a firewall with strict policies, such as Shorewall , it is necessary to open ports 161 and 162 over UDP ( SNMP and SNMPTRAP , respectively).
The rules for the file / etc / shorewall / rules of Shorewall on a system with a zone ( net ) correspond to the following:
...
#ACTION SOURCE DEST PROTO DEST SOURCE # PORT PORT (S) 1 ACCEPT net fw udp 161,162
The rules for the file / etc / shorewall / rules of Shorewall in a system with two zones ( net and loc ), which will only allow access to the service snmpd from the local network, would correspond to the following:
#ACTION SOURCE DEST PROTO DEST SOURCE # PORT PORT (S) 1 ACCEPT loc fw udp 161,162 |
Run the following to apply the changes:
...
<community_SNMP> <ip_device> system
## V3
snmpwalk -v3 -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>] [-x DES] [-X <privaphrase>] <ipaddress>[:<dest_port>] [oid] system |