This document considers the following variables that should be replaced by real values:
- 192.168.10.0/24 : Network IP address and subnet mask in CIDR format corresponding to the local area network.
- password : Any password good enough.
- nmis.support.latam.lab : Host name of the system where the service is being configured.
- nmis-support-latam-lab@some-domain.net : Server administrator email account.
- 192.168.10.254 : IP address of the server.
Configuration file /etc/snmp/snmpd.conf.
Access control lists.
You should create access control lists ( ACLs or A ccess C ontrol L ist) corresponding to the file /etc/snmp/snmpd.conf , which serve to define what you will have access to the service snmpd . One of these lists will be granted read and write access permission, for whatever is necessary in relation to administration, and the other will be given read-only. For security reasons only interface 127.0.0.1 will be in the read write list. Read-only access permission will be granted to a network or an IP address in the other access control list.
Considering the above, a couple of lines could be added like the following:
com2sec local 127.0.0.1/32 password com2sec MyLocalNetwork 192.168.10.0/24 password #### # First, map the community name "public" into a "security name" # sec.name source community com2sec notConfigUser default public
snmp community configuration definition
# This community string has full SNMP view to access all the goodness com2sec trustedUser default nmisGig8 ####
Definition of groups.
At least two groups are created: MyRWGroup and MyROGroup . The first will be a group that will be assigned read-write permissions later, and the second will be a group that will later be assigned read-only permissions . For each group, three lines are assigned that specify the type of access that will be allowed at any given time to a particular group. That is, MyRWGroup is associated with local and MyROGroup to MyLocalRed .
# Second, map the security name into a group name: # groupName securityModel securityName group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser group trustedGroup v2c trustedUser #### #A assigned to the group writing reading group MiGrupoRW v1 Local group MiGrupoRW v2c Local group MiGrupoRW usm Local #A assigns MiRedLocal to the group read - only group MiGrupoRO v1 MiRedLocal group MiGrupoRO v2c MiRedLocal group MiGrupoRO usm MiRedLocal
Branches allowed.
The branches to be allowed to see through the service are specified. The most common, for example to be used with MRTG , is the following:
# Make at least snmpwalk -v 1 localhost -c public system fast again. # name incl/excl subtree mask(optional) view systemview included .1.3.6.1.2.1.1 view systemview included .1.3.6.1.2.1.25.1.1 view fullview included .1 ## name incl/excl subtree mask(optional) view all included .1 80
Assigning permissions to groups.
You must specify what permissions the two groups, MyGroupRO and MyGroupRW, will have . The last columns are of special interest.
# Finally, grant the group read-only access to the systemview view. # group context sec.model sec.level prefix read write notif access notConfigGroup "" any noauth exact systemview none none access trustedGroup "" any noauth exact fullview none none access MiGrupoRO "" any noauth exact all none none access MiGrupoRW "" any noauth exact all all all
Informational options.
Two informational options are defined so that when using client applications such as MRTG , some information is included about which system is being accessed
syslocation Linux server on CDMX LATAM syscontact Administrator support@opmantek.com latam@opmantek.com
A working configuration example.
The example shown below is used on all computers owned by the author at home and in the office. You just have to replace the value redlocal with whatever you consider appropriate and replace the value 192.168.10.0/24 with the value of the network or the IP address from which access is required with a snmp client , such as NMIS8 or NMIS9.
###### # Access Control Lists (ACLs) # First, map the community name "public" into a "security name" # sec.name source community com2sec notConfigUser default public com2sec local 127.0.0.1/32 password com2sec MyLocalNetwork 192.168.10.0/24 password ###### # This community string has full SNMP view to access all the goodness com2sec trustedUser default nmisGig8 ###### # ACL is assigned to group read write # Second, map the security name into a group name: # groupName securityModel securityName group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser group trustedGroup v2c trustedUser ###### # Third, create a view for us to let the group have rights to: # Make at least snmpwalk -v 1 localhost -c public system fast again. # name incl/excl subtree mask(optional) view systemview included .1.3.6.1.2.1.1 view systemview included .1.3.6.1.2.1.25.1.1 view fullview included .1 view all included .1 80 ###### # Finally, grant the group read-only access to the systemview view. # group context sec.model sec.level prefix read write notif access notConfigGroup "" any noauth exact systemview none none access trustedGroup "" any noauth exact fullview none none access MiGrupoRO "" any noauth exact all none none access MiGrupoRW "" any noauth exact all all all ###### # System contact information # It is also possible to set the sysContact and sysLocation system # variables through the snmpd.conf file: syslocation Linux server on CDMX LATAM syscontact Administrator support@opmantek.com latam@opmantek.com
Activate, start, stop and restart the service.
Run the following to activate the service at all runlevels:
chkconfig snmpd on
Run the following to run the service for the first time:
service snmpd start
Run the following to restart the service and apply changes made to the configuration:
service snmpd restart
Run the following to stop the service:
service snmpd stop
Checks.
Considering, as an example , to be sign as password password on a system whose IP address is 192.168.1.254 , to test whether the configuration works, you just have to run the following two commands to verify that return information about the queried system.
## V1 ## snmpwalk -v 1 <ip_device> -c <community_SNMP> system ## V2 ## snmpwalk -v2c -c <community_SNMP> <ip_device> system ## V3 ## snmpwalk -v3 -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>] [-x DES] [-X <privaphrase>] <ipaddress>[:<dest_port>] [oid] system