What is SNMP
Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. The first versions of SNMP were developed in the early 80s. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters.
Installation
Check whether the net-snmp rpm is installed:
rpm -qa | grep net-snmp
If it is not installed, install the following rpms:
rpm -ivh net-snmp-<version>.rpm
rpm -ivh net-snmp-libs-<version>.rpm
rpm -ivh net-snmp-utils-<version>.rpm
Configuration
cd /etc/snmp/
mv snmpd.conf snmpd.conf.org
We are creating a read-only community, bsilcomm, which allows everyone to query and retrieve information via the predefined MIBs.
vi snmpd.conf
rocommunity bsilcomm
chkconfig snmpd on
Now start the service:
service snmpd start
Query the service with the following commands:
snmpwalk -v 1 -c bsilcomm localhost interface
snmpwalk -v 1 -c bsilcomm localhost system
SNMP Versions
There are currently three versions of SNMP.
- SNMP Version 1: The first version of SNMP to be implemented, version 1 was designed to be a protocol to provide device statistics and error reporting without consuming a lot of system resources. Security was limited to community strings and access controls based on the IP address of the querying server. Data communication wasn't encrypted.
- SNMP Version 2: The second version of SNMP, often referred to as v2c, expanded the number of supported error codes, increased the size of counters used to track data, and had the ability to do bulk queries that more efficiently loaded response packets with data. SNMP v2c is backward compatible with version 1.
- SNMP Version 3: This version provides greater security and remote configuration capabilities than its predecessors. Access isn't limited to a single community string for read-only and read/write access, as usernames and passwords have been introduced. Views of OIDs in a MIB can also be limited on a per-user basis. Support for encrypted SNMP data transfer and transfer error detection is also provided.
Remember their differences, because you will need to specify the version number when doing SNMP queries.
Basic SNMP Security
The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.
SNMP Versions 1 and 2
The most commonly supported versions of SNMP don't encrypt your community string password, so you shouldn't do queries over insecure networks, such as the Internet. You should also make sure that you use all reasonable security measures to allow queries only from trusted IP addresses, either via a firewall or the SNMP security features available in the snmpd.conf file. You can also configure your server to use the TCP wrappers feature outlined in Appendix I, "Miscellaneous Linux Topics," to limit access to specific servers without needing a firewall.
In case you need it, the snmpd.conf file can support limiting MIB access to trusted hosts and networks.
The snmpd.conf file has two security sections: a section with very restrictive access sits at the top of the file and is immediately followed by a less restrictive section. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.
## sec.name          source          community
## ========          ======          =========
com2sec local        localhost       craz33guy
com2sec network_1    172.16.1.0/24   craz33guy
com2sec network_2    192.168.1.0/24  craz33guy
## Access.group.name  sec.model  sec.name
## =================  =========  ========
group MyROGroup_1     v1         local
group MyROGroup_1     v1         network_1
group MyROGroup_2     v2c        network_2
## MIB.view.name  incl/excl  MIB.subtree  mask
## ==============  =========  ===========  ====
view all-mibs       included   .1           80
##                                                   MIB
## group.name    context  sec.model  sec.level  prefix  read      write  notif
## ==========    =======  =========  =========  ======  ====      =====  =====
access MyROGroup_1  ""     v1         noauth     exact   all-mibs  none   none
access MyROGroup_2  ""     v2c        noauth     exact   all-mibs  none   none
In our example:
- Only three networks (localhost, 172.16.1.0/24, and 192.168.1.0/24) are allowed to access the server with the craz33guy community string.
- Each network is matched to either a group called MyROGroup_1 using SNMP version 1, or a group called MyROGroup_2 using SNMP version 2.
- All the MIBs on the server are defined by the view named all-mibs.
- An access statement ensures that only the defined networks have read-only access to all the MIBs. MyROGroup_1 only has version 1 access, and MyROGroup_2 only has version 2 access.
- Modification of the MIBs via SNMP is denied because the word "none" is in the write section of the access statement.
These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.
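To see what the com2sec, group and access statements above actually grant, here is an added Python checker (not from the original page or from net-snmp) that walks the same community + source -> sec.name -> group -> access chain and reports the read/write views a request would get. The config it embeds is a constructed copy of the example above; the rocommunity expansion approximates net-snmp's shorthand so the open "rocommunity bsilcomm" setup from the Configuration section can be checked too, and the client IP addresses in the usage are constructed.

```python
import ipaddress

# Constructed copy of the restrictive snmpd.conf fragment above, comments dropped.
SNMPD_CONF = """
com2sec local       localhost       craz33guy
com2sec network_1   172.16.1.0/24   craz33guy
com2sec network_2   192.168.1.0/24  craz33guy
group   MyROGroup_1 v1  local
group   MyROGroup_1 v1  network_1
group   MyROGroup_2 v2c network_2
view    all-mibs included .1 80
access  MyROGroup_1 "" v1  noauth exact all-mibs none none
access  MyROGroup_2 "" v2c noauth exact all-mibs none none
"""

def parse_conf(text):
    """Collect com2sec/group/view/access lines; expand 'rocommunity COMM [SOURCE]'
    roughly as net-snmp does (v1 and v2c read-only groups, source 'default' = any host)."""
    conf = {"com2sec": [], "group": [], "view": [], "access": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "rocommunity":
            comm, src = parts[1], (parts[2] if len(parts) > 2 else "default")
            conf["com2sec"].append([f"ro_{comm}", src, comm])
            for model in ("v1", "v2c"):
                conf["group"].append([f"roG_{comm}", model, f"ro_{comm}"])
                conf["access"].append([f"roG_{comm}", '""', model, "noauth",
                                       "exact", "all-mibs", "none", "none"])
        elif parts[0] in conf:
            conf[parts[0]].append(parts[1:])
    return conf

def source_matches(source, addr):
    """com2sec source: 'default' is any host, 'localhost' the loopback, else IP or CIDR."""
    ip = ipaddress.ip_address(addr)
    if source == "default":
        return True
    if source == "localhost":
        return ip.is_loopback
    return ip in ipaddress.ip_network(source, strict=False)

def lookup(conf, addr, community, version):
    """(read_view, write_view) a request gets, or None if the agent drops it."""
    names = [n for n, src, c in conf["com2sec"] if c == community and source_matches(src, addr)]
    groups = {g for g, model, n in conf["group"] if model == version and n in names}
    for g, _ctx, model, _lvl, _pfx, read, write, _notif in conf["access"]:
        if g in groups and model == version:
            return (None if read == "none" else read, None if write == "none" else write)
    return None
```

For example, lookup(parse_conf(SNMPD_CONF), "172.16.1.20", "craz33guy", "v1") yields ("all-mibs", None) while the same host over v2c yields None, whereas parse_conf("rocommunity bsilcomm") answers any source address with read access.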
SNMP Version 3
SNMP Version 3 (SNMPv3) is a much more secure alternative to earlier versions, as it can encrypt its data and uses a username/password combination for client authentication. The username should be located in the /etc/snmp/snmpd.conf file, with a corresponding automatically generated password located in the /var/net-snmp/snmpd.conf file. Here is how it's done.
1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the password.
2. Stop the snmpd process.
service snmpd stop
Stopping snmpd: [ OK ]
3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password of "rootsrockreggae" for the read only (-ro) username "username4snmpv3" is encrypted using the MD5 algorithm. The data received will not be encrypted.
net-snmp-config --create-snmpv3-user -ro -a MD5 -A rootsrockreggae username4snmpv3
Adding the following line to /var/net-snmp/snmpd.conf:
createUser username4snmpv3 MD5 "rootsrockreggae" DES
Adding the following line to /etc/snmp/snmpd.conf:
rouser username4snmpv3
service snmpd start
Starting snmpd: [ OK ]
4. To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username "securev3user" and authentication password "mandeville" are used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".
[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro -a MD5 -A mandeville -x DES -X savlamar securev3user
Adding the following line to /var/net-snmp/snmpd.conf:
createUser securev3user MD5 "mandeville" DES savlamar
Adding the following line to /etc/snmp/snmpd.conf:
rouser securev3user
5. Start the snmpd process.
service snmpd start
Starting snmpd: [ OK ]
6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).
snmpget -v 3 -u username4snmpv3 -l authNoPriv -a MD5 -A rootsrockreggae 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).
snmpget -v 3 -u securev3user -l authPriv -a MD5 -A mandeville -x DES -X savlamar 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. Here is an example.
# File: /var/net-snmp/snmpd.conf before SNMP starts
createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES
The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts which helps to further increase security. We can see an example of this configuration here.
# File: /var/net-snmp/snmpd.conf after SNMP starts
usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10.1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474
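What snmpd writes into those usmUser lines is the RFC 3414 key material rather than an encrypted copy of the pass phrase: each password is stretched to 1 Mbyte and hashed, then localized with the agent's snmpEngineID. The following Python is an added example (not from the page or from net-snmp) that reproduces that derivation and assembles the fields in the order the usmUser line shows them; the engine ID it uses is the RFC 3414 test-vector value and usm_user_record is a helper name of my own.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: the password is streamed to exactly 1 Mbyte
# Protocol OIDs as they appear in the usmUser lines above
AUTH_OID = {"md5": ".1.3.6.1.6.3.10.1.1.2", "sha1": ".1.3.6.1.6.3.10.1.1.3"}
DES_PRIV_OID = ".1.3.6.1.6.3.10.1.2.2"

def password_to_key(password, algo="md5"):
    """Ku = H(password repeated until 1,048,576 octets), RFC 3414 A.2."""
    pw = password.encode()
    return hashlib.new(algo, (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]).digest()

def localize_key(ku, engine_id, algo="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_name(name):
    """net-snmp writes the user name as hex with a trailing NUL (0x...00)."""
    return "0x" + (name.encode() + b"\x00").hex()

def usm_user_record(name, auth_pass, priv_pass, engine_id, algo="md5"):
    """Fields of a usmUser line as /var/net-snmp/snmpd.conf shows them after a
    restart: localized keys only, never the createUser pass phrases.
    (Constructed helper for illustration, not net-snmp code.)"""
    auth_key = localize_key(password_to_key(auth_pass, algo), engine_id, algo)
    # The DES privacy key is derived the same way from the -X pass phrase; when
    # createUser carries no privacy pass phrase, net-snmp reuses the auth one.
    priv_key = localize_key(password_to_key(priv_pass or auth_pass, algo), engine_id, algo)
    return {
        "engine_id": "0x" + engine_id.hex(),
        "name": usm_name(name),
        "auth_protocol": AUTH_OID[algo],
        "auth_key": "0x" + auth_key.hex(),
        "priv_protocol": DES_PRIV_OID,
        "priv_key": "0x" + priv_key.hex(),
    }

if __name__ == "__main__":
    # RFC 3414 A.3 test-vector engine ID (constructed input, not from the page)
    engine = bytes.fromhex("000000000000000000000002")
    for field, value in usm_user_record("username4snmpv3", "rootsrockreggae", None, engine).items():
        print(f"{field:14} {value}")
```

Because a localized key is all an agent needs to verify that user, /var/net-snmp/snmpd.conf must stay readable by root only; what localization buys you is that the file does not reveal the pass phrase itself for reuse against other agents.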
Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:
net-snmp-config
...
...
SNMP Setup commands:
--create-snmpv3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]
...
...
With experience, you should become confident enough to edit the configuration files by yourself.
As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.
Note: If you want to monitor snmp traffic via mrtg or rrd then you have to configure both MRTG and RRD.
Note that this document comes without warranty of any kind, but every effort has been made to provide the information as accurately as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in
Copyright © 2012 LINUXHOWTO.IN