Compiling and installing Net-SNMP 5.6.2 on CentOS

Source: Internet
Author: User
Tags snmp snmpget

1. Prepare the environment
yum -y install make gcc gcc-c++ gcc-g77 openssl openssl-devel

For installing the common libraries, you can refer to this article

2. Compile and install
First, download the Net-SNMP source code.
Official address:
http://sourceforge.net/projects/net-snmp/files/net-snmp/

Download net-snmp-5.6.2:
http://pan.baidu.com/s/1gd5TLT5

Then unpack the downloaded source package:
tar xzvf net-snmp-5.6.2.1.tar.gz

Then generate the build rules with configure:

cd net-snmp-5.6.2.1

./configure \
--prefix=/server/snmp \
--with-mib-modules=ucd-snmp/diskio \
--with-default-snmp-version="3" \
--with-sys-contact=yjken \
--with-sys-location="Shanghai" \
--with-logfile="/server/snmp/log/snmpd.log" \
--with-persistent-directory="/var/net-snmp"

Note that the

--with-mib-modules=ucd-snmp/diskio

option above lets the server support disk I/O monitoring.
If configure asks any of the following questions, you can press Enter without answering and the default is used. By default the log file is /var/log/snmpd.log and the persistent data directory is /var/net-snmp.

Configure the default SNMP protocol version (1, 2c, 3). Here it is set to v3, which supports login verification and is relatively more secure.
--with-default-snmp-version="3"

Configure the contact information for this device; it can also be an email address.
--with-sys-contact=yjken

Configure the location of the device.
--with-sys-location="Shanghai"

Configure the log file location.
--with-logfile="/server/snmp/log/snmpd.log"

Configure the persistent data directory.
--with-persistent-directory="/var/net-snmp"

Next, compile and install:

make && make install

At this point we have a runnable SNMP agent at /server/snmp/sbin/snmpd. Some settings are needed before starting it.

3. Set the security authentication method
Exposing the SNMP agent to every host on the network is dangerous. To keep other hosts from accessing your SNMP agent, add an authentication mechanism to it. The mechanisms available depend on the SNMP protocol version. The v2c mechanism is relatively simple: it authenticates on a plaintext password and an authorized IP address. v3 authenticates with a user name and a password that is protected cryptographically in transit. We recommend v3. That said, as long as you follow the instructions below, either v2c or v3 gives a certain degree of security, and you can choose according to your situation.
Note that the SNMP protocol version and the SNMP agent version are two different things: v2c and v3 above refer to versions of the SNMP protocol, while Net-SNMP is the program suite that implements the protocol.

V2c

First, how to configure the agent for v2c. Create the snmpd configuration file (it does not exist by default):

vi /server/snmp/share/snmp/snmpd.conf

Then create a read-only account (a read-only community) by adding the following to snmpd.conf:

rocommunity yjken 127.0.0.1
rocommunity yjken 192.168.0.230

Note: when adding a user, make sure the SNMP service is not running; otherwise the user cannot be added.
"rocommunity" means read-only access: other clients can only read information from your server and cannot change any settings on it.
"yjken" is the equivalent of a password. Many platforms use the default string "public". "yjken" is only an example; you can set another string as the password.
The rightmost values, "127.0.0.1" and "192.168.0.230", specify the monitoring hosts' IPs: only machines with IP "127.0.0.1" or "192.168.0.230" are permitted to access your SNMP agent.
So in the configuration above, "yjken" is the only value you need to change; clients must supply this string when they connect.

V3

We recommend v3 for authentication. On some older Linux distributions the built-in SNMP agent may not support v3, so we recommend compiling and installing the latest Net-SNMP as described above.
v3 uses a different type of authentication: you need to create a v3 account. We again edit the following configuration file (it does not exist by default, so create it):

Note: I had installed the v2 version of the protocol, but with the default configuration file it always reported errors, which nearly drove me to a breakdown. This is because the default configuration file uses the v3 configuration syntax, and the v3 configuration syntax differs from the v2 syntax!

vi /server/snmp/share/snmp/snmpd.conf

Then add a read-only account:

rouser yjken auth

Note: when adding a user, make sure the SNMP service is not running; otherwise the user cannot be added.
As you can see, in v3 "rouser" denotes a read-only account, "yjken" is the user name, and the trailing "auth" indicates that authentication is required.
Next, run snmpd once:

/server/snmp/sbin/snmpd -c /server/snmp/share/snmp/snmpd.conf &

This generates the /var/net-snmp/snmpd.conf configuration file. Then end the process:

killall -9 snmpd

Next, add the user "yjken" to the configuration file; this is a mechanism specific to v3. Open the configuration file:
With Net-SNMP 5.6.2 you can write to /var/net-snmp/snmpd.conf; with version 5.6.2.1 you need to write to /server/snmp/share/snmp/snmpd.conf.

# 5.6.2
vi /var/net-snmp/snmpd.conf
This file is read automatically when snmpd starts; add the directive that creates the user to it.
# Only "createUser" tokens should be placed here by snmpd administrators
createUser yjken MD5 mypassword

# 5.6.2.1
vi /server/snmp/share/snmp/snmpd.conf
This file is read automatically when snmpd starts; add the directive that creates the user to it.
createUser yjken MD5 mypassword

# Run the following command
/server/snmp/sbin/snmpd -c /server/snmp/share/snmp/snmpd.conf &

This configuration line creates a user named "yjken" with the password "mypassword", using MD5 for encrypted transmission. A reminder:
The password must be at least 8 bytes.
This is required by the SNMP protocol; if the password is shorter than 8 bytes, communication will not be possible.
Note that once snmpd has started, it automatically deletes the line above from the configuration for security reasons and records it in ciphertext form in another file. You do not need to add this configuration again when restarting snmpd, unless you want to create a new user.
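
The v2c and v3 settings described in this section can be checked mechanically before snmpd is started. The following is an added example, not part of the original page or of Net-SNMP: a small audit function that flags directives weaker than the ones recommended here. The function names and the sample configuration are assumptions, and createUser is assumed to be written without the optional -e ENGINEID argument.

```shell
#!/bin/sh
# Added example (not from the original page): flag snmpd.conf directives that
# are weaker than the settings this tutorial recommends.
# Assumes createUser is written without the optional -e ENGINEID argument.

# audit_snmpd_conf [FILE]: print "LINE: finding" for each weak directive.
audit_snmpd_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    { d = tolower($1) }
    # v2c: community must be non-default and tied to a source address
    d == "rocommunity" || d == "rwcommunity" {
        if (d == "rwcommunity")
            print NR ": rwcommunity grants write access"
        if ($2 == "public" || $2 == "private")
            print NR ": default community string " $2
        if (NF < 3 || $3 == "default")
            print NR ": community " $2 " is not restricted to a source"
    }
    # v3: noauth turns authentication off for that user
    (d == "rouser" || d == "rwuser") && tolower($3) == "noauth" {
        print NR ": " $2 " is allowed without authentication"
    }
    # v3: passphrases under 8 characters are rejected by the protocol
    d == "createuser" {
        if (length($4) < 8)
            print NR ": passphrase for " $2 " is shorter than 8 characters"
        if (toupper($3) == "MD5")
            print NR ": " $2 " authenticates with MD5 rather than SHA"
        if (NF < 5)
            print NR ": " $2 " has no privacy protocol, so payloads are not encrypted"
    }
    ' "$@"
}

# Constructed sample configuration, for illustration only.
sample_conf() {
    cat <<'EOF'
rocommunity yjken 192.168.0.230
rocommunity public
rouser yjken auth
createUser yjken MD5 short
EOF
}

sample_conf | audit_snmpd_conf
```

Pass a real file as the argument, for example audit_snmpd_conf /server/snmp/share/snmp/snmpd.conf, to check an existing configuration.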

4. Start the SNMP agent
After configuration, you can start snmpd:

/server/snmp/sbin/snmpd -c /var/net-snmp/snmpd.conf &

To stop it, you can kill the process directly:

killall -9 snmpd

5. Start snmpd at boot
From the source directory, for example /root/net-snmp-5.6.2, copy the sample init script to the /etc/init.d/ directory:

cp /root/net-snmp-5.6.2/dist/snmpd-init.d /etc/init.d/snmpd

Modify the /etc/init.d/snmpd file:
vi /etc/init.d/snmpd

Change the line

prog="/usr/local/sbin/snmpd"

to

prog="/server/snmp/sbin/snmpd"

and change the line

[ -x $prog -a -f /usr/local/share/snmp/snmpd.conf ] || exit 0

to

[ -x $prog -a -f /var/net-snmp/snmpd.conf ] || exit 0

If you do not modify the /etc/init.d/snmpd file, create symbolic links instead:
ln -fs /server/snmp/sbin/snmpd /usr/local/sbin/snmpd

ln -fs /var/net-snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf
or
ln -fs /server/snmp/share/snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf

Add it to the system startup items:
echo "/etc/init.d/snmpd start" >>/etc/rc.local

Service control:
With the above in place, you can control the service with the following commands.
Start:

/etc/init.d/snmpd start

Stop:

/etc/init.d/snmpd stop

Restart:

/etc/init.d/snmpd restart

Service status:

/etc/init.d/snmpd status

6. Enhanced security mechanisms
With the authentication described above, you can use the SNMP agent safely. However, if your SNMP agent version is old, a malicious attacker may exploit an inherent vulnerability, for example sending overlong data to cause a memory leak or denial of service in the agent. For this reason, you can also use a firewall (iptables) for additional filtering.
On Linux we use iptables to implement the firewall. In general, we should discard all incoming IP packets except those destined for specified ports. You may already have some firewall rules configured, so just add the rules for SNMP.
The SNMP agent listens on UDP port 161 by default. Add the following rule to your iptables:

If 192.168.0.230 is not the IP of the monitoring machine, you need to set up a firewall
iptables -A INPUT -i eth0 -p udp -s 192.168.0.230 --dport 161 -j ACCEPT

The rule above assumes that the server's external network interface is eth0; adjust it to your actual setup.
With this rule, the machine 192.168.0.230 can send UDP packets to port 161 of your server to communicate with the SNMP agent.
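
An ACCEPT rule limits access only when the remaining traffic to UDP port 161 is dropped, either by a later rule or by a DROP policy on the INPUT chain. The following added example, not from the original page, prints an allow-list for the monitoring hosts followed by a closing DROP rule without applying anything; the function name snmp_fw_rules is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): print the iptables rules that
# limit UDP port 161 to known monitoring hosts. Nothing is applied here;
# review the output, then run it as root.

# snmp_fw_rules IFACE IP [IP...]: one ACCEPT per monitor, then a final DROP.
snmp_fw_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: snmp_fw_rules IFACE IP [IP...]" >&2
        return 2
    fi
    iface=$1
    shift
    # Validate every address first so a bad argument emits no partial rule set.
    for ip in "$@"; do
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "invalid IPv4 address: $ip" >&2
            return 1
        fi
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -i $iface -p udp -s $ip --dport 161 -j ACCEPT"
    done
    # Without this rule (or a default DROP policy) the ACCEPT rules above
    # restrict nothing: any other source would still reach snmpd.
    echo "iptables -A INPUT -i $iface -p udp --dport 161 -j DROP"
}

# The interface and monitoring host used on this page.
snmp_fw_rules eth0 192.168.0.230
```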

7. Test:
ln -fs /server/snmp/bin/* /usr/local/bin/

For v2c, run: snmpget -v2c -c yjken localhost .1.3.6.1.2.1.1.1.0
For v3, run: snmpget -v3 -c yjken -u yjken -l authNoPriv -a MD5 -A mypassword localhost .1.3.6.1.2.1.1.1.0
snmpwalk -v3 -c yjken -u yjken -l authNoPriv -a MD5 -A mypassword localhost .1.3.6.1.2.1.1.1.0
If data is returned, the installation succeeded.

Security levels in the SNMPv3 security documentation:
http://www.webnms.com/simulator/help/sim_network/netsim_conf_snmpv3.html#security_levels
