You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This document considers the following variables that should be replaced by real values:

  • 192.168.10.0/24 : Network IP address and subnet mask in CIDR format corresponding to the local area network.
  • password : Any password good enough.
  • nmis.support.latam.lab : Host name of the system where the service is being configured.
  • nmis-support-latam-lab@some-domain.net : Server administrator email account.
  • 192.168.10.254 : IP address of the server.

Configuration file /etc/snmp/snmpd.conf.

Access control lists.

You should create access control lists ( ACLs or A ccess C ontrol L ist) corresponding to the file /etc/snmp/snmpd.conf , which serve to define what you will have access to the service snmpd . One of these lists will be granted read and write access permission, for whatever is necessary in relation to administration, and the other will be given read-only. For security reasons only interface 127.0.0.1 will be in the read write list. Read-only access permission will be granted to a network or an IP address in the other access control list.


Considering the above, a couple of lines could be added like the following:


com2sec local 127.0.0.1/32 password
com2sec MyLocalNetwork  192.168.10.0/24  password


####
# First, map the community name "public" into a "security name"
#       sec.name  source          community 
com2sec notConfigUser  default       public


snmp community configuration definition

# This community string has full SNMP view to access all the goodness
com2sec trustedUser  default      nmisGig8
####


Definition of groups.

At least two groups are created: MyRWGroup and MyROGroup . The first will be a group that will be assigned read-write permissions later, and the second will be a group that will later be assigned read-only permissions . For each group, three lines are assigned that specify the type of access that will be allowed at any given time to a particular group. That is, MyRWGroup is associated with local and MyROGroup to MyLocalRed .

# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
group   trustedGroup v2c          trustedUser
####

#A assigned to the group writing reading 
group MiGrupoRW v1 Local 
group MiGrupoRW v2c Local 
group MiGrupoRW usm Local 
#A assigns MiRedLocal to the group read - only 
group MiGrupoRO v1 MiRedLocal 
group MiGrupoRO v2c MiRedLocal 
group MiGrupoRO usm MiRedLocal

Branches allowed.

The branches to be allowed to see through the service are specified. The most common, for example to be used with MRTG , is the following:

# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1
view    fullview    included   .1

## name   incl/excl subtree   mask(optional)
view all  included  .1        80

Assigning permissions to groups.

You must specify what permissions the two groups, MyGroupRO and MyGroupRW, will have . The last columns are of special interest.

# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix 		read   		write  notif
access  notConfigGroup ""      any       noauth    exact  		systemview 	none 	none
access  trustedGroup   ""      any       noauth    exact  		fullview 	none 	none
access 	MiGrupoRO 	   ""      any       noauth    exact  		all    		none  	none
access	 MiGrupoRW 	   ""      any       noauth    exact  		all    		all   	all

Informational options.

Two informational options are defined so that when using client applications such as MRTG , some information is included about which system is being accessed

syslocation  Linux server on CDMX LATAM
syscontact Administrator support@opmantek.com latam@opmantek.com

A working configuration example.

The example shown below is used on all computers owned by the author at home and in the office. You just have to replace the value redlocal with whatever you consider appropriate and replace the value 192.168.1.0/24 with the value of the network or the IP address from which access is required with a snmp client , such as MRTG .

# Access Control Lists (ACLs) 
## sec.name source community (alias password) 
com2sec local 127.0.0.1/32 password 
com2sec MyLocalNetwork  192.168.1.0/24  password 

# ACL is assigned to group read write 
group MyGroupRW v1 local 
group MyRWGroup v2c local 
group MyRWGroup usm local # ACL is assigned to the read-only 
group group MyROGroup v1 MyLocalRed 
group MyROGroup v2c MyLocalRed 
group MyROGroup usm MyLocalRed



# Ramas MIB que se permiten ver
## name   incl/excl subtree   mask(optional)
view all  included  .1        80

# Establece permisos de lectura y escritura
## group         context  sec.model sec.level prefix read   write notif
access MiGrupoRO ""       any       noauth    exact  all    none  none
access MiGrupoRW ""       any       noauth    exact  all    all   all

# Información de Contacto del Sistema
syslocation Servidor Linux en m064.alcancelibre.org.mx
syscontact Administrador (fulano@algún-dominio.net)

Follow the procedure below to add more client hosts to the service:

  1. Add an ACL with a unique name. Example:com2sec nuevo-acl 192.168.1.251 contraseña
  2. Add a set of rules assigned to the group as shown in the following example:


    group nuevo-grupo v1 nuevo-acl
    group nuevo-grupo v2c nuevo-acl
    group nuevo-grupo usm nuevo-acl
  3. Add a line that establishes what permissions the new-group will have . The example sets a read-only permission:access nuevo-grupo "" any noauth exact all none none

Activate, start, stop and restart the service.

Run the following to activate the service at all runlevels:

chkconfig snmpd on

Run the following to run the service for the first time:

service snmpd start

Run the following to restart the service and apply changes made to the configuration:

service snmpd restart

Run the following to stop the service:

service snmpd stop

Checks.

Considering, as an example , to be sign as password password on a system whose IP address is 192.168.1.254 , to test whether the configuration works, you just have to run the following two commands to verify that return information about the queried system.

snmpwalk -v 1 192.168.1.254 -c password system 

snmpwalk -v 1 192.168.1.254 -c password interfaces

Necessary modifications to the fire wall.

If using a firewall with strict policies, such as Shorewall , it is necessary to open ports 161 and 162 over UDP ( SNMP and SNMPTRAP , respectively).

The rules for the file / etc / shorewall / rules of Shorewall on a system with a zone ( net ) correspond to the following:

#ACTION SOURCE DEST PROTO DEST SOURCE 
# PORT PORT (S) 1 
ACCEPT net fw udp 161,162

The rules for the file / etc / shorewall / rules of Shorewall in a system with two zones ( net and loc ), which will only allow access to the service snmpd from the local network, would correspond to the following:

#ACTION SOURCE DEST PROTO DEST SOURCE 
# PORT PORT (S) 1 
ACCEPT loc fw udp 161,162

Run the following to apply the changes:

service shorewall restart
  • No labels