Monday, September 20, 2010

Advanced SNMP HOWTO

What is SNMP  

Simple Network Management Protocol (SNMP) is a widely used protocol for network management. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. The first version of SNMP was standardised in the late 1980s. SNMP works by exchanging messages, called protocol data units (PDUs), between a manager and the devices it monitors. Each SNMP-compliant device runs an agent that organises data about the device in a Management Information Base (MIB) and returns that data to the SNMP manager on request.

Installation 

Check whether the net-snmp RPMs are installed:

    rpm -qa | grep net-snmp

If they are not installed, install the following RPMs (net-snmp-libs first, since the other two depend on it):

    rpm -ivh net-snmp-libs-<version>.rpm
    rpm -ivh net-snmp-<version>.rpm
    rpm -ivh net-snmp-utils-<version>.rpm

Configuration

    cd /etc/snmp/
    mv snmpd.conf snmpd.conf.org

We are creating a read-only community, bsilcomm, which allows anyone who can reach the daemon to query the information exposed by the predefined MIBs.

    vi snmpd.conf

    rocommunity bsilcomm

Note that a rocommunity line with no source restricts nothing but the access level: any host that can reach UDP port 161 and knows the string can query the whole MIB tree. The directive accepts an optional source (for example rocommunity bsilcomm 192.168.1.0/24), so restrict it to your management network unless the host is behind a firewall that does this for you.

Enable the service at boot and start it:

    chkconfig snmpd on
    service snmpd start

Query the daemon with the following commands:

    snmpwalk -v 1 -c bsilcomm localhost interfaces
    snmpwalk -v 1 -c bsilcomm localhost system
SNMP Versions

There are three versions of SNMP in use.
  1. SNMP Version 1: The first version of SNMP to be implemented, version 1 was designed to provide device statistics and error reporting without consuming a lot of system resources. Security was limited to community strings and access controls based on the IP address of the querying host. Data communication was not encrypted.
  2. SNMP Version 2: The second version of SNMP, in practice the community-based variant v2c, expanded the number of supported error codes, introduced 64-bit counters, and added the GetBulk operation, which packs more data into each response. SNMP v2c keeps the community-string security model of version 1 and is backward compatible with it.
  3. SNMP Version 3: This version provides greater security and remote configuration capabilities than its predecessors. Access is no longer tied to a single community string for read-only and read/write access; instead each user has a name and an authentication password, and optionally a privacy password. Views of OIDs in a MIB can also be limited on a per-user basis, and messages can be authenticated (integrity checked) and encrypted.
Remember these differences, because you will need to specify the version number when doing SNMP queries.

Basic SNMP Security

The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.

SNMP Versions 1 and 2

The most commonly supported versions of SNMP send the community string in clear text, so anyone who can sniff the traffic can read it; do not run queries across untrusted networks such as the Internet. Also take all reasonable measures to allow queries only from trusted IP addresses, either with a firewall or with the access-control directives in the snmpd.conf file. If snmpd was built with TCP wrappers support, /etc/hosts.allow and /etc/hosts.deny can also limit which hosts may talk to it without the need of a firewall.
The snmpd.conf file can limit MIB access to trusted hosts and networks, as shown below.
The default snmpd.conf shipped with net-snmp has two security sections; a very restrictive one sits at the top of the file and is immediately followed by a less restrictive one. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.

    ##       sec.name     source           community
    ##       ========     ======           =========
    com2sec  local        localhost        craz33guy
    com2sec  network_1    172.16.1.0/24    craz33guy
    com2sec  network_2    192.168.2.0/24   craz33guy

    ##       group.name   sec.model        sec.name
    ##       ==========   =========        ========
    group    MyROGroup_1  v1               local
    group    MyROGroup_1  v1               network_1
    group    MyROGroup_2  v2c              network_2

    ##       view.name    incl/excl  MIB.subtree  mask
    ##       =========    =========  ===========  ====
    view     all-mibs     included   .1           80

    ##       group.name   context  sec.model  sec.level  prefix  read      write  notif
    ##       ==========   =======  =========  =========  ======  ====      =====  =====
    access   MyROGroup_1  ""       v1         noauth     exact   all-mibs  none   none
    access   MyROGroup_2  ""       v2c        noauth     exact   all-mibs  none   none
In our example:
  • Only three sources (localhost, 172.16.1.0/24, and 192.168.2.0/24) are allowed to access the server, all with the craz33guy community string.
  • Each source is mapped to either the group MyROGroup_1, which uses SNMP version 1, or the group MyROGroup_2, which uses SNMP version 2c.
  • All the MIBs on the server are covered by the view named all-mibs (subtree .1).
  • The access statements give those groups read-only access to the all-mibs view; MyROGroup_1 is usable only with version 1 and MyROGroup_2 only with version 2c.
  • Modification of the MIBs via SNMP is denied because the word "none" is in the write column of the access statements.
These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.
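As an added example (not part of the original HOWTO), the following Python script audits an snmpd.conf for the v1/v2c weaknesses discussed in this section and in the Configuration section above: communities reachable from any source (a bare rocommunity line, or a com2sec source of default), community strings found in every scanner wordlist, and any rwcommunity or access line that grants write access. The sample configuration is constructed for this example and mixes the page's own directives with deliberately weak and hardened variants; the wordlist and the finding names are this example's own.

```python
"""Audit a net-snmp snmpd.conf for weak SNMPv1/v2c community settings.

Added example for this page, not net-snmp code. The policy it enforces
(which strings count as guessable, what counts as "any source") is an
assumption for the example; adjust it to your environment.
"""
import ipaddress
import shlex

# Community strings that appear in every scanner's default wordlist (assumed list).
GUESSABLE = {"public", "private", "community", "snmp", "cisco"}
# Source values net-snmp treats as "match every host".
ANY_SOURCE = {"default", "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def source_is_unrestricted(source):
    """True when a SOURCE field lets any host use the community."""
    if source is None or source.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        # A hostname or the keyword 'localhost': snmpd resolves it, so it is a restriction.
        return False


def audit_snmpd_conf(text):
    """Return sorted (line_number, finding, subject) tuples for one snmpd.conf."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tok = shlex.split(line)                  # keeps the "" context field as a token
        kw = tok[0].lower()

        if kw in COMMUNITY_DIRECTIVES and len(tok) > 1:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = tok[1]
            source = tok[2] if len(tok) > 2 and not tok[2].startswith("-") else None
            if community.lower() in GUESSABLE:
                findings.append((lineno, "guessable-community", community))
            if source_is_unrestricted(source):
                findings.append((lineno, "any-source", community))
            if kw.startswith("rw"):
                findings.append((lineno, "write-access", community))

        elif kw == "com2sec" and len(tok) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            _, _secname, source, community = tok[:4]
            if community.lower() in GUESSABLE:
                findings.append((lineno, "guessable-community", community))
            if source_is_unrestricted(source):
                findings.append((lineno, "any-source", community))

        elif kw == "access" and len(tok) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            group, write_view = tok[1], tok[7]
            if write_view.lower() != "none":
                findings.append((lineno, "write-access", group))

    return sorted(findings)


# Constructed sample: the page's own directives mixed with weak and hardened variants.
SAMPLE_CONF = """\
# line 1: constructed sample snmpd.conf
rocommunity bsilcomm
rwcommunity private 192.168.1.0/24
com2sec  network_1   172.16.1.0/24    craz33guy
com2sec  anyone      default          craz33guy
group    MyROGroup_1 v1               network_1
access   MyROGroup_1 ""  v1  noauth exact all-mibs none     none
access   MyRWGroup   ""  v2c noauth exact all-mibs all-mibs none
rocommunity bsilcomm 192.168.1.0/24 .1.3.6.1.2.1.1
"""

if __name__ == "__main__":
    for lineno, finding, subject in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding} ({subject})")
```

Run against a real file with `audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())`. The last sample line is the hardened form of the page's rocommunity: a source network and an OID subtree (.1.3.6.1.2.1.1, the system group) limit both who may query and what they see, and it produces no finding.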

SNMP Version 3

SNMPv3 is a much more secure alternative to earlier versions: it authenticates each message with a keyed hash derived from a per-user password, and can additionally encrypt the SNMP payload (the authPriv level) using a second, privacy password. The username is declared in the /etc/snmp/snmpd.conf file, and the corresponding password material is kept in /var/net-snmp/snmpd.conf, where snmpd converts it into derived keys the first time it starts. Here is how it's done.
1.      Install the net-snmp-devel package as it contains the utility that will allow you to generate the password.
2.      Stop the snmpd process.
            service snmpd stop
            Stopping snmpd: [  OK  ]
3. Create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries with the net-snmp-config command. In this example the authentication password "rootsrockreggae" for the read-only (-ro) username "username4snmpv3" is used with HMAC-MD5 authentication; the password itself is hashed, never encrypted or sent on the wire. No privacy password is given, so the SNMP data itself will not be encrypted. (The command also accepts -a SHA and -x AES, which should be preferred where your querying clients support them.)
        net-snmp-config --create-snmpv3-user -ro -a MD5 -A rootsrockreggae username4snmpv3
Adding the following line to /var/net-snmp/snmpd.conf:
   createUser username4snmpv3 MD5 "rootsrockreggae" DES
Adding the following line to /etc/snmp/snmpd.conf:
           rouser username4snmpv3
4. To encrypt the data as well, we use the net-snmp-config command again to create a username just for this purpose. A new read-only username "securev3user" and authentication password "mandeville" are used, but this time the payload will be encrypted with DES under the privacy password "savlamar".
        net-snmp-config --create-snmpv3-user -ro -a MD5 -A mandeville -x DES -X savlamar securev3user
Adding the following line to /var/net-snmp/snmpd.conf:
       createUser securev3user MD5 "mandeville" DES savlamar
Adding the following line to /etc/snmp/snmpd.conf:
       rouser securev3user
5. Start the snmpd process. 
        service snmpd start
            Starting snmpd: [  OK  ]
6. First we'll do a query from the remote host smallfry. We specify the authentication password and the authentication protocol (-a MD5), and use the -l flag to select the security level authNoPriv: the request and response are authenticated but not encrypted.
        snmpget -v 3 -u username4snmpv3 -l authNoPriv -a MD5 -A rootsrockreggae  192.168.1.100 SNMPv2-MIB::sysORDescr.8
        SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).
        snmpget -v 3 -u securev3user -l authPriv -a MD5 -A mandeville  -x DES -X savlamar 192.168.1.100 SNMPv2-MIB::sysORDescr.8
        SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
Your password and privacy information are stored in /var/net-snmp/snmpd.conf in the format displayed when you ran the net-snmp-config command. Here is an example.
        # File: /var/net-snmp/snmpd.conf before SNMP starts
        createUser securev3user MD5 "mandeville" DES savlamar
        createUser username4snmpv3 MD5 "rootsrockreggae" DES
When snmpd next starts it rewrites this file, replacing each createUser line with a usmUser entry that holds keys derived from the passwords (and localized to this agent's engine ID) instead of the clear-text passwords. Note that this is key derivation, not encryption: the stored keys are sufficient to authenticate to this agent, so the file must stay readable by root only. We can see an example of this configuration here.
        # File: /var/net-snmp/snmpd.conf after SNMP starts
        usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00
        usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10.1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
        setserialno 1464593474
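The hex values in those usmUser lines are RFC 3414 localized keys, and the example below (added here; it is not net-snmp code, and the LAB_ENGINE_ID it uses is an assumption) shows how they are produced: the password is stretched into a 16- or 20-byte key Ku by hashing one megabyte of the repeated password, then bound to the agent's snmpEngineID as Kul = H(Ku || engineID || Ku). The first checks reproduce the test vectors from RFC 3414 appendix A.3; the rest decode the name fields from the listing above and show that Kul alone is enough to compute a valid HMAC-96 authentication parameter for that engine, which is why the file must not be world-readable.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, appendix A.2).

Added example for this page; it is not part of net-snmp. LAB_ENGINE_ID is
an assumed engine ID used only to illustrate localization.
"""
import hashlib
import hmac

ONE_MIB = 1048576                    # RFC 3414 A.2: hash exactly 1,048,576 bytes
RFC_TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # from RFC 3414 A.3
LAB_ENGINE_ID = bytes.fromhex("80001f8880a1b2c3d4e5f60708")      # assumption for this example

# Protocol OIDs as they appear in the usmUser lines
USM_HMAC_MD5_AUTH = ".1.3.6.1.6.3.10.1.1.2"
USM_HMAC_SHA_AUTH = ".1.3.6.1.6.3.10.1.1.3"


def password_to_key(password, hashname):
    """Ku: digest of the password repeated until exactly 1 MiB has been hashed."""
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hashname, stream).digest()


def localize_key(ku, engine_id, hashname):
    """Kul = H(Ku || snmpEngineID || Ku); usable only against that one engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_parameter(kul, whole_msg, hashname):
    """HMAC-96 (RFC 3414 6.3/7.3): first 12 bytes of HMAC(Kul, message).
    The sender computes it with msgAuthenticationParameters set to 12 zero bytes."""
    return hmac.new(kul, whole_msg, hashname).digest()[:12]


def decode_usm_hex(field):
    """usmUser stores user and security names as hex of a NUL-terminated string."""
    return bytes.fromhex(field[2:]).rstrip(b"\x00").decode()


def stored_auth_key(password, engine_id, hashname="md5"):
    """What snmpd writes as the authKey field once it has processed createUser."""
    return "0x" + localize_key(password_to_key(password, hashname), engine_id, hashname).hex()


if __name__ == "__main__":
    # RFC 3414 A.3.1 vector: "maplesyrup" with the all-zero-then-02 engine ID
    ku = password_to_key("maplesyrup", "md5")
    print("Ku  (MD5):", ku.hex())                                    # 9faf3283884e92834ebc9847d8edd963
    print("Kul (MD5):", localize_key(ku, RFC_TEST_ENGINE_ID, "md5").hex())  # 526f5eed9fcce26f8964c2930787d82b

    # The page's securev3user on the assumed lab engine: this is the authKey snmpd stores
    print("securev3user authKey:", stored_auth_key("mandeville", LAB_ENGINE_ID))
    print("user name field decodes to:", decode_usm_hex("0x73656375726576337573657200"))

    # Anyone holding Kul can sign messages for this engine without knowing "mandeville"
    kul = localize_key(password_to_key("mandeville", "md5"), LAB_ENGINE_ID, "md5")
    print("HMAC-96 over a sample message:", auth_parameter(kul, b"constructed SNMPv3 message", "md5").hex())
```

The derivation shows why the stored key is "localized": the same password yields a different Kul on every engine ID, so a key lifted from one agent does not authenticate to another, but it is a full credential for the agent it was taken from. The same Ku/Kul functions apply to the privacy password; for DES the first 8 bytes of Kul are the key and the remaining 8 the pre-IV.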
Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:
        net-snmp-config
        ...
        ...
        SNMP Setup commands:
        --create-snmpv3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]
        ...
        ...
With experience, you should become confident enough to edit the configuration files by yourself. 
As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.

Note: if you want to graph SNMP data with MRTG or RRDtool, both MRTG and RRDtool have to be configured separately.


Note that this document comes without warranty of any kind, but every effort has been made to provide the information as accurately as possible. I welcome emails from readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in

Copyright © 2012 LINUXHOWTO.IN
