SNMP server configuration for Linux hosts

From Notes_Wiki
Revision as of 00:58, 24 November 2012 by Saurabh (talk | contribs)

Steps:

  1. Ensure that packages 'net-snmp' and 'net-snmp-utils' are installed.
  2. Start the snmpd service and enable it at start-up using 'service snmpd start' and 'chkconfig snmpd on'.
  3. Use the command 'snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex' to query the SNMP server and list the IP addresses assigned to it. Replace localhost with the server IP and public with the community name, if required. If the server is already configured, the interface list is printed and the configuration does not need to be modified. If nothing is printed, make the following changes in the configuration file '/etc/snmp/snmpd.conf':
    1. Find 'com2sec notConfigUser default public' and replace with
      com2sec local localhost public
      com2sec mynetwork 10.0.0.0/8 public
      com2sec mynetwork 172.16.0.0/12 public
      com2sec mynetwork 192.168.0.0/16 public
    2. Find 'group notConfigGroup v1 notConfigUser' and 'group notConfigGroup v2c notConfigUser' and replace with
      group MyRWGroup v1 local
      group MyRWGroup v2c local
      group MyRWGroup usm local
      group MyROGroup v1 mynetwork
      group MyROGroup v2c mynetwork
      group MyROGroup usm mynetwork
    3. Find 'view systemview included system' and replace with
      view all included .1
    4. Find 'access notConfigGroup "" any noauth exact systemview none none' and replace with
      access MyROGroup "" any noauth exact all none none
      access MyRWGroup "" any noauth exact all all none
    5. Find 'syslocation Unknown (edit /etc/snmp/snmpd.conf)' and 'syscontact Root (configure /etc/snmp/snmp.local.conf)' and replace with
      syslocation Lab320, 10.3.3.230, VM
      syscontact Saurabh Barjatiya <saurabh.barjatiya@iiit.ac.in>
  4. Do 'service snmpd reload'
  5. Check again using 'snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex' and verify that the IP addresses are listed. Replace localhost with the server IP and public with the community name, if required.
  6. We can also use 'snmpwalk -v 1 -c public localhost .1 | less' to see the entire list of parameters that can be queried. WARNING: The list can be very large.
  7. Block incoming packets on UDP ports 161 and 162 from unknown hosts that should not be able to query the SNMP server installed on the host.

Note:

  • We can create a community other than public for additional security.
  • We can also restrict the view to certain MIBs instead of allowing a view of everything.
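
As an added example (not part of the original page), the shell function below checks an snmpd.conf for the points raised in the steps and notes: the 'public' community, a source of 'default', a view of the whole tree, and write access at the noauth level. The function names and the sample file are constructed for illustration; the sample lines are taken from step 3.

```shell
#!/bin/sh
# Added example (not from the original page): flag the snmpd.conf settings
# that the steps and notes above touch on.

# audit_snmpd_conf FILE
# Prints one "<check>: <detail>" line per finding; prints nothing if clean.
audit_snmpd_conf() {
    awk '
    $1 ~ /^#/ { next }                     # skip comment lines
    # com2sec SECNAME SOURCE COMMUNITY
    $1 == "com2sec" && $4 == "public" {
        printf "default-community: %s (source %s) uses community public\n", $2, $3
    }
    $1 == "com2sec" && $3 == "default" {
        printf "any-source: %s accepts requests from any address\n", $2
    }
    # view NAME included|excluded SUBTREE
    $1 == "view" && $3 == "included" && $4 == ".1" {
        printf "full-view: view %s includes the whole OID tree\n", $2
    }
    # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
    $1 == "access" && $5 == "noauth" && $8 != "none" {
        printf "noauth-write: group %s may write view %s without authentication\n", $2, $8
    }
    ' "$1"
}

# write_sample_conf FILE: constructed sample, using the lines from step 3.
write_sample_conf() {
    cat > "$1" <<'EOF'
com2sec local     localhost      public
com2sec mynetwork 10.0.0.0/8     public
com2sec mynetwork 172.16.0.0/12  public
com2sec mynetwork 192.168.0.0/16 public
group MyRWGroup v1  local
group MyROGroup v1  mynetwork
view all included .1
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_snmpd_conf "$sample"
rm -f "$sample"
```

Run against the configuration from step 3, it reports the four 'public' entries, the 'all' view, and the write access granted to MyRWGroup; the read-only MyROGroup line is not flagged because its write view is 'none'.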


Steps have been learned from http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/mrtg/mrtg_config_step_3.php

