How to configure SNMPv3 in Ubuntu, CentOS and Cisco
I had originally written this tutorial for xmodulo.com
Simple Network Management Protocol (SNMP) is a widely used protocol for gathering information about what is going on within a device. For example, CPU and RAM usage, load on a server, traffic status in a network interface, and many other interesting properties of a device can be queried using SNMP.
Currently, three versions of SNMP are available: v1, v2c and v3. SNMP v1 and v2c are easy to configure, as discussed in a previous article. SNMPv3 adds authentication and encryption (for example MD5, SHA, AES and DES), which makes it more secure and the advisable choice whenever SNMP queries travel over the Internet.
SNMPv3 configuration is a bit different compared to SNMP v1 or v2c. The following sections explain in detail how the configuration is done.
Configure SNMPv3 on Ubuntu or Debian
The net-snmp-config tool is used for configuration. The following example creates a read-only SNMPv3 user named 'snmpv3user' with password 'snmpv3pass'. The default authentication method (MD5) and default encryption (DES) are used; both can be changed with the -a and -x options, as shown in the CentOS section below, and SHA with AES is the stronger choice.
root@server:~# apt-get install snmp snmpd
root@server:~# service snmpd stop
root@server:~# net-snmp-config --create-snmpv3-user -ro -A snmpv3pass snmpv3user
## OUTPUT ##
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpv3user
root@server:~# service snmpd start
Testing SNMPv3
snmpwalk is used to test SNMP configuration. Successful snmpwalk should provide tons of output. The following example illustrates the usage of snmpwalk using the recently created v3 user and v3 password. The IP address of the local Ubuntu/Debian server is 192.168.1.1.
root@server:~# snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authNoPriv 192.168.1.1 -v3
### SAMPLE OUTPUT ###
iso.3.6.1.2.1.1.1.0 = STRING: "Linux server 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (68028) 0:11:20.28
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
### And the walk goes on and on ###
Deleting SNMPv3 User
When net-snmp-config creates a v3 user, the information about that user is stored in two files: /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf. Removing the user's entries from both files deletes the user.
root@server:~# service snmpd stop
root@server:~# vim /var/lib/snmp/snmpd.conf
## There should be a similar line holding the user's key material; this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
root@server:~# vim /usr/share/snmp/snmpd.conf
## The following line is removed ##
rouser snmpv3user
Don't forget to restart snmpd afterwards.
root@server:~# service snmpd start
Configure SNMPv3 on CentOS or RHEL
The process of configuring an SNMPv3 user in CentOS or RHEL is a bit different compared to Ubuntu, but the basics are the same.
First of all, the necessary software is installed using yum. Adding the Repoforge repository is always a good idea.
[root@server ~]# yum install net-snmp-utils net-snmp-devel
Now that the necessary packages are installed, the read-only SNMP user is created after snmpd is stopped.
[root@server ~]# service snmpd stop
[root@server ~]# net-snmp-create-v3-user -ro -A snmpv3pass -a MD5 -x DES snmpv3user
## OUTPUT ##
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /etc/snmp/snmpd.conf:
   rouser snmpv3user
[root@server ~]# service snmpd start
Testing SNMPv3
snmpwalk is a powerful tool for testing SNMP configuration and output. Successful snmpwalk should provide tons of output as follows.
[root@server ~]# snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authNoPriv 192.168.1.2 -v3
### OUTPUT ###
SNMPv2-MIB::sysDescr.0 = STRING: Linux server.example.tst 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28963) 0:04:49.63
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementation
## and the output continues ##
Deleting SNMPv3 User
The information about the SNMPv3 user is stored in two files. Removing those entries deletes the SNMP user.
[root@server ~]# service snmpd stop
[root@server ~]# vim /var/lib/net-snmp/snmpd.conf
## There should be a similar line holding the user's key material; this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
[root@server ~]# vim /etc/snmp/snmpd.conf
## The following line is removed ##
rouser snmpv3user
[root@server ~]# service snmpd start
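The usmUser line removed in the Ubuntu and CentOS deletion steps above does not contain the password itself: it holds the engine ID, the NUL-terminated user name in hex, the auth/priv protocol OIDs, and keys already localized to this agent's engine ID as defined in RFC 3414, which is why an entry copied to another host is useless and the whole line is removed rather than edited. The following Python is an added example, not part of the tutorial: it parses the line exactly as printed above (field positions are taken from that sample line), derives localized keys the way the agent does, and is checked against the RFC 3414 test vectors; keys_match is a hypothetical audit helper for confirming whether a stored key still corresponds to a known (e.g. tutorial) password.

```python
import hashlib

# The usmUser line from the tutorial's /var/lib/snmp/snmpd.conf listing (copied from the page).
USM_USER_LINE = (
    "usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 "
    "0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 "
    "0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 "
    "0x945ed3c9708ea5493f53f953b45a4513 \"\""
)

# USM protocol OIDs defined in RFC 3414.
PROTOCOLS = {
    ".1.3.6.1.6.3.10.1.1.2": "md5",
    ".1.3.6.1.6.3.10.1.1.3": "sha1",
    ".1.3.6.1.6.3.10.1.2.2": "des",
}

def unhex(field: str) -> bytes:
    """Decode a 0x-prefixed field the way net-snmp writes it; plain text is returned as bytes."""
    return bytes.fromhex(field[2:]) if field.startswith("0x") else field.encode()

def parse_usm_user(line: str) -> dict:
    """Split a usmUser line using the field positions of the sample line above."""
    f = line.split()
    return {
        "engine_id": unhex(f[3]),
        "name": unhex(f[4]).rstrip(b"\x00").decode(),  # name is stored NUL-terminated
        "auth_proto": PROTOCOLS.get(f[7], f[7]),
        "auth_key": unhex(f[8]),
        "priv_proto": PROTOCOLS.get(f[9], f[9]),
        "priv_key": unhex(f[10]),  # same as auth_key here: one password given, DES takes 16 bytes
    }

def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password (Ku), then bind it to the engine (Kul)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def keys_match(line: str, password: bytes) -> bool:
    """Hypothetical audit helper: was the stored auth key derived from `password` on this engine?"""
    u = parse_usm_user(line)
    return localized_key(password, u["engine_id"], u["auth_proto"]) == u["auth_key"]

if __name__ == "__main__":
    u = parse_usm_user(USM_USER_LINE)
    print(u["name"], u["engine_id"].hex(), u["auth_proto"], u["priv_proto"], u["auth_key"].hex())
    print("tutorial password still in use:", keys_match(USM_USER_LINE, b"snmpv3pass"))
```

Run against your own /var/lib/snmp/snmpd.conf (or /var/lib/net-snmp/snmpd.conf on CentOS) to list which users remain and whether any still use a password copied from a tutorial.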
Firewall Tuning (Optional)
The following example firewall rules limit the source IP addresses that are allowed to send SNMP queries. Two hosts, 192.168.1.100 and 192.168.1.101, are whitelisted and everything else to UDP port 161 is dropped.
root@server:~# iptables -A INPUT -s 192.168.1.100/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -s 192.168.1.101/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -p udp --dport 161 -j DROP
Configure SNMPv3 on Cisco Switches and Routers
Cisco switches and routers support SNMPv3 as well. This demonstration will create an Access Control List (ACL) first to limit the source IP addresses that are permitted to do SNMP queries. This step, however, can be skipped.
Setting up ACL (Optional)
## global config mode ##
ip access-list standard SNMP_ACL
permit 192.168.1.100
SNMPv3 Configuration
The following configuration creates a v3 group named v3Group with authNoPriv security level. The optional access list defined earlier can also be specified.
## global config mode ##
## With ACL ##
snmp-server group v3Group v3 auth access SNMP_ACL
## Without ACL ##
snmp-server group v3Group v3 auth
A user v3user is created and added under v3Group. The MD5 authentication password and the AES-128 privacy password are also defined (the same string is used for both here).
snmp-server user v3user v3Group v3 auth md5 snmpv3pass priv aes 128 snmpv3pass
Testing SNMPv3
The SNMP user and its associated group can be viewed on the Cisco device.
## privileged EXEC mode ##
show snmp user
User name: v3user
Engine ID: ************************
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: v3Group
snmpwalk from any Linux box can also be used to verify the configuration and examine the output.
snmpwalk -u v3user -A snmpv3pass -a MD5 -l authNoPriv 192.168.1.3 -v3
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc."
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.1166
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.2.1.0 = INTEGER: 54
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
## output truncated ##
Hope this helps.