This document considers the following variables that should be replaced by real values:

  • 192.168.10.0/24: Network address and subnet mask, in CIDR notation, of the local area network.
  • password: Any sufficiently strong password (used on this page as the SNMP community string).
  • nmis.support.latam.lab: Host name of the system where the service is being configured.
  • nmis-support-latam-lab@some-domain.net: Server administrator email account.
  • 192.168.10.254: IP address of the server.

...

At least two groups are created: MiGrupoRW and MiGrupoRO. The first will later be assigned read-write permissions, and the second read-only permissions. For each group, three lines are given, one per security model (v1, v2c and usm), each mapping a security name to the group. That is, MiGrupoRW is associated with Local and MiGrupoRO with MiRedLocal.

Code Block
# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser
group   trustedGroup   v2c           trustedUser
####

# Assign Local to the read-write group
group   MiGrupoRW      v1            Local
group   MiGrupoRW      v2c           Local
group   MiGrupoRW      usm           Local
# Assign MiRedLocal to the read-only group
group   MiGrupoRO      v1            MiRedLocal
group   MiGrupoRO      v2c           MiRedLocal
group   MiGrupoRO      usm           MiRedLocal

...

You must specify what permissions the two groups, MiGrupoRO and MiGrupoRW, will have. The last columns (read, write and notif) are of special interest.

...

The example shown below is used on all computers owned by the author at home and in the office. You only have to replace the value MiRedLocal with whatever name you consider appropriate, and replace the value 192.168.10.0/24 with the network or IP address from which access will be required by an SNMP client such as MRTG, NMIS8 or NMIS9.

Code Block
######
# Access Control Lists (ACLs)
# First, map the community name "public" into a "security name"
#       sec.name        source            community
com2sec notConfigUser   default           public
com2sec Local           127.0.0.1/32      password
com2sec MiRedLocal      192.168.10.0/24   password

######
# This community string has full SNMP view to access all the goodness
com2sec trustedUser     default           nmisGig8

######
# ACL is assigned to group read write
# Second, map the security name into a group name:
#       groupName       securityModel     securityName
group   notConfigGroup  v1                notConfigUser
group   notConfigGroup  v2c               notConfigUser
group   trustedGroup    v2c               trustedUser
# (the MiGrupoRW and MiGrupoRO group lines shown earlier belong here)

######
# Third, create a view for us to let the group have rights to:
# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name            incl/excl         subtree               mask(optional)
view    systemview      included          .1.3.6.1.2.1.1
view    systemview      included          .1.3.6.1.2.1.25.1.1
view    fullview        included          .1
view    all             included          .1                    80

######
# Finally, grant the group read-only access to the systemview view.
#       group           context  sec.model  sec.level  prefix  read        write  notif
access  notConfigGroup  ""       any        noauth     exact   systemview  none   none
access  trustedGroup    ""       any        noauth     exact   fullview    none   none
access  MiGrupoRO       ""       any        noauth     exact   all         none   none
access  MiGrupoRW       ""       any        noauth     exact   all         all    all

######
# System contact information
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation  Linux server on CDMX LATAM
syscontact   Administrator support@opmantek.com latam@opmantek.com

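As an added example (not code from this page or from NMIS), the following Python resolves the com2sec, group and access directives above into the effective rights of each community and flags the exposures a defender would review; the embedded config is constructed from the page's own identifiers, and its community values are the page's placeholders.

```python
# Added example, not from the page or NMIS: resolve snmpd.conf's
# com2sec -> group -> access chain into effective rights per community and
# flag exposures. Config constructed from the page's identifiers/placeholders.
SNMPD_CONF = """
com2sec notConfigUser  default          public
com2sec Local          127.0.0.1/32     password
com2sec MiRedLocal     192.168.10.0/24  password
com2sec trustedUser    default          nmisGig8
group   notConfigGroup v2c  notConfigUser
group   trustedGroup   v2c  trustedUser
group   MiGrupoRW      v2c  Local
group   MiGrupoRO      v2c  MiRedLocal
access  notConfigGroup ""  any  noauth  exact  systemview  none  none
access  trustedGroup   ""  any  noauth  exact  fullview    none  none
access  MiGrupoRO      ""  any  noauth  exact  all         none  none
access  MiGrupoRW      ""  any  noauth  exact  all         all   all
"""

def parse(conf):
    """Collect com2sec, group and access directives; comments are ignored."""
    com2sec, groups, access = [], {}, {}
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "com2sec":     # com2sec SECNAME SOURCE COMMUNITY
            com2sec.append((f[1], f[2], f[3]))
        elif f[0] == "group":     # group GROUP MODEL SECNAME
            groups.setdefault(f[3], set()).add((f[1], f[2]))
        elif f[0] == "access":    # access GROUP CTX MODEL LEVEL PREFIX READ WRITE NOTIF
            access[f[1]] = {"read": f[6], "write": f[7], "notif": f[8]}
    return com2sec, groups, access

def effective_rights(conf):
    """One record per (community, source, model) with the views it ends up with."""
    com2sec, groups, access = parse(conf)
    return [{"community": c, "source": s, "model": m, "group": g, **access[g]}
            for n, s, c in com2sec for g, m in sorted(groups.get(n, ())) if g in access]

def exposures(conf):
    """Defender check: wide read view reachable from any source ('default'),
    or a write view granted to anything other than loopback."""
    found = []
    for r in effective_rights(conf):
        if r["source"] == "default" and r["read"] != "systemview":
            found.append((r["community"], "wide read view from any source"))
        if r["write"] != "none" and not r["source"].startswith("127."):
            found.append((r["community"], "write access from a non-loopback source"))
    return found
```

Run against the page's config it reports only the trustedUser community, which gets fullview from any source; widening the Local source beyond loopback would add a write-exposure finding.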
...

Follow the procedure below to add more client hosts to the service:

...

Activate, start, stop and restart the service.

Run the following to activate the service at all runlevels:

Code Block
chkconfig snmpd on

Run the following to run the service for the first time:

Code Block
service snmpd start

Run the following to restart the service and apply changes made to the configuration:

Code Block
service snmpd restart

Run the following to stop the service:

Code Block
service snmpd stop

Checks.

As an example, assuming the community string is password on a system whose IP address is 192.168.1.254, run the following commands to test whether the configuration works; each should return information about the queried system.

Code Block
## V1
snmpwalk -v 1 <ip_device> -c <community_SNMP> system
## V2
snmpwalk -v2c -c <community_SNMP> <ip_device> system
## V3
snmpwalk -v3 -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>] [-x DES] [-X <privaphrase>] <ipaddress>[:<dest_port>] [oid] system

Necessary modifications to the firewall.

If you use a firewall with strict policies, such as Shorewall, you must open ports 161 and 162 over UDP (SNMP and SNMPTRAP, respectively).

On a Shorewall system with a single zone (net), the rules in /etc/shorewall/rules would be the following:

...

#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE
#                                 PORT      PORT(S)
ACCEPT    net      fw     udp     161,162

On a Shorewall system with two zones (net and loc), where only the local network may reach the snmpd service, the rules in /etc/shorewall/rules would be the following:

#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE
#                                 PORT      PORT(S)
ACCEPT    loc      fw     udp     161,162

Run the following to apply the changes:

...