The SNMPv3 security header uses the User-based Security Model (USM), which provides network management communications with confidentiality and integrity. Confidentiality is provided through the Data Encryption Standard (DES). Although this algorithm is known to be weak (it employs a 40-bit key), it is a significant improvement over plaintext community strings: even though a weak algorithm like DES can be broken by a determined attacker, it at least guards against casual eavesdroppers.
Integrity services are provided by a hashed message authentication code (HMAC) built on a secure hash function: either MD5 or the Secure Hash Algorithm (SHA-1). The hash lets the SNMP device verify that the information has not been changed in transit, whether by accident or by malicious alteration. Remember that an attacker who cannot read encrypted communications can still disrupt their integrity and validity by altering the ciphertext so that it no longer decrypts correctly; the integrity hash provides a way to detect this.
The SNMPv3 USM also allows for user-based authentication and access control. Unlike earlier SNMP versions, which offered only two levels of access through the "read" and "write" community strings, administrators can create a separate account for each SNMP user and grant permissions per account. For example, you can give an operator the ability to monitor the status of a device while reserving permission to modify it for the network engineer. Being able to attribute actions to individual users has a significant impact on the security of the system. It also simplifies removing one user from the system without having to reconfigure all SNMP devices.
However, not all network devices support SNMPv3. If you use older devices that lack these security features, you can take the following two steps. First, contact the vendor: under an existing support contract you may be able to obtain software or firmware upgrades that add SNMPv3. Second, if you cannot take advantage of SNMPv3's built-in security features, look for additional software that provides similar protection; for example, you can use IPsec or another encryption technique to secure SNMP traffic between devices. It is difficult (and possibly impossible) to replicate all SNMPv3 functions on devices that do not support it, but having encryption is always better than not.
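To make the USM mechanics concrete, here is an added example (my code, not part of the original article or of Net-SNMP) implementing the RFC 3414 password-to-key and key-localization algorithm in Python for both MD5 and SHA-1. It uses the public test vectors from RFC 3414 Appendix A.3 (password "maplesyrup", engine ID 00...02) plus a second, constructed engine ID to show that the same password yields a different localized key on every device, which is why a key extracted from one agent does not authenticate to another. The 8-character minimum enforced below is the USM rule that the configuration steps later in this article rely on.

```python
import hashlib

# Added example implementing RFC 3414 (SNMPv3 USM) key derivation.
# Not code from the article or from the Net-SNMP project.

MEGABYTE = 1024 * 1024      # the password is expanded to exactly 1 MiB
MIN_PASSWORD_LEN = 8        # USM minimum passphrase length

# Engine ID from RFC 3414 Appendix A.3, and a second one that is constructed
# here purely to show that localization differs per engine.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("80001f88800102030405060708")  # constructed


def is_valid_passphrase(password: str) -> bool:
    """USM refuses passphrases shorter than 8 bytes."""
    return len(password.encode("utf-8")) >= MIN_PASSWORD_LEN


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically until exactly 1 MiB is hashed)."""
    if not is_valid_passphrase(password):
        raise ValueError("USM passphrases must be at least 8 characters")
    pw = password.encode("utf-8")
    reps, rem = divmod(MEGABYTE, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])   # exactly MEGABYTE bytes of input
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent actually stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Convenience wrapper: passphrase straight to the engine-specific key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "Ku :", password_to_key("maplesyrup", algo).hex())
        print(algo, "Kul (RFC engine)  :", localized_key("maplesyrup", RFC_ENGINE_ID, algo).hex())
        print(algo, "Kul (other engine):", localized_key("maplesyrup", OTHER_ENGINE_ID, algo).hex())
```

The localized key is what ends up on the agent; the passphrase itself never needs to be stored there, and a compromised agent yields keys that are useless against any other engine ID.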
The following describes how to configure SNMPv3 with Net-SNMP on Linux; I hope it is of some help to everyone's work and study.
System version:
# uname -a
Linux linux01 2.6.18-238.12.1.el5 #1 SMP Tue (13:23:01 EDT) i686 i686 i386 GNU/Linux
1. Install SNMP
# yum install -y net-snmp net-snmp-utils
Installing over the network automatically downloads and installs the following 4 packages; if the machine has no network connection, you can mount the Linux installation CD and set up a local yum repository instead.
Total download size: 2.6 M
Downloading Packages:
(1/4): net-snmp-utils-5.3.2.2-9.el5_5.1.i386.rpm | 186 kB 00:00
(2/4): lm_sensors-2.10.7-9.el5.i386.rpm | 511 kB 00:00
(3/4): net-snmp-5.3.2.2-9.el5_5.1.i386.rpm | 697 kB 00:00
(4/4): net-snmp-libs-5.3.2.2-9.el5_5.1.i386.rpm | 1.3 MB 00:00
2. Configure SNMP
# rpm -qa net-snmp    # check the installed package
net-snmp-5.3.2.2-9.el5_5.1
# rpm -ql net-snmp    # list the installed files
/etc/logrotate.d/snmpd
/etc/rc.d/init.d/snmpd
/etc/rc.d/init.d/snmptrapd
/etc/snmp
/etc/snmp/snmpd.conf
/etc/sysconfig/snmpd.options
/etc/sysconfig/snmptrapd.options
...
# snmpd -v    # check the version
net-snmp version: 5.1.2
web: http://www.net-snmp.org/
email: [email protected]
Make a brief change to the default snmpd.conf configuration file (a minimal, unconventional approach):
# mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
# vi /etc/snmp/snmpd.conf
Input:
rouser User auth
Save and exit.
(This is the SNMPv3 authentication method: it adds a read-only account. In the line "rouser User auth", "rouser" denotes a read-only account type, "User" is the user name (it must match the name given in the createUser line in the next section exactly, since USM user names are case-sensitive), and the trailing "auth" indicates that authentication is required.)
3. Add an SNMP user
To create the user we need the file /var/net-snmp/snmpd.conf. This file is read automatically when snmpd starts; since snmpd is not running yet, we create it manually with the following commands:
# mkdir /var/net-snmp
# touch /var/net-snmp/snmpd.conf
# vi /var/net-snmp/snmpd.conf
Input:
createUser User MD5 MyPassword
Save and exit.
(This line creates a user named "User" with the password "MyPassword", using MD5 for authentication. Note that the password must be at least 8 characters; this is required by the SNMP protocol, and if it is shorter, communication will not work.)
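Sections 2 and 3 together define a USM user in two places: the createUser line carries the keys, the rouser line carries the access level. As an added example (my code, not from the article or from the Net-SNMP project), here is a small Python audit that parses those directive types from snmpd.conf text and reports the settings a security reviewer would flag: no authentication key, passphrases under the 8-character minimum, MD5 or DES where SHA and AES are available, a missing privacy protocol, and an access level below the keys the user holds. The two configurations embedded in it are constructed: one mirrors the article's lines, the other is a hardened equivalent (the user name "monitor" and its passphrases are made up).

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example: audit of USM directives in a Net-SNMP snmpd.conf.
# Not code from the article or from the Net-SNMP project.

MIN_PASS_LEN = 8   # USM minimum; snmpd rejects shorter passphrases


@dataclass
class UsmUser:
    name: str
    auth_proto: Optional[str] = None
    auth_pass: Optional[str] = None
    priv_proto: Optional[str] = None
    priv_pass: Optional[str] = None
    access: Dict[str, str] = field(default_factory=dict)  # rouser/rwuser -> level


def parse_snmpd_conf(text: str) -> Dict[str, UsmUser]:
    """Collect createUser / rouser / rwuser lines; other directives are ignored."""
    users: Dict[str, UsmUser] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)                    # honours "quoted passphrases"
        key = tok[0].lower()
        if key == "createuser" and len(tok) >= 2:
            # createUser NAME [AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]]
            u = users.setdefault(tok[1], UsmUser(tok[1]))
            if len(tok) >= 4:
                u.auth_proto, u.auth_pass = tok[2].upper(), tok[3]
            if len(tok) >= 6:
                u.priv_proto, u.priv_pass = tok[4].upper(), tok[5]
        elif key in ("rouser", "rwuser") and len(tok) >= 2:
            # rouser NAME [noauth|auth|priv [OID]]; Net-SNMP defaults the level to auth
            u = users.setdefault(tok[1], UsmUser(tok[1]))
            u.access[key] = tok[2].lower() if len(tok) >= 3 else "auth"
    return users


def audit(users: Dict[str, UsmUser]) -> List[str]:
    """One finding per weak or inconsistent setting; an empty list means clean."""
    findings: List[str] = []
    for u in users.values():
        if u.auth_proto is None:
            findings.append(f"{u.name}: no createUser auth key in this file (noAuthNoPriv)")
        else:
            if len(u.auth_pass) < MIN_PASS_LEN:
                findings.append(f"{u.name}: auth passphrase shorter than {MIN_PASS_LEN} characters")
            if u.auth_proto == "MD5":
                findings.append(f"{u.name}: MD5 authentication; prefer SHA")
        if u.priv_proto is None:
            findings.append(f"{u.name}: no privacy protocol, SNMP payload travels in clear")
        else:
            if len(u.priv_pass) < MIN_PASS_LEN:
                findings.append(f"{u.name}: priv passphrase shorter than {MIN_PASS_LEN} characters")
            if u.priv_proto == "DES":
                findings.append(f"{u.name}: DES privacy; prefer AES")
        for directive, level in u.access.items():
            if level == "noauth":
                findings.append(f"{u.name}: {directive} noauth grants access without authentication")
            elif level == "auth" and u.priv_proto is not None:
                findings.append(f"{u.name}: {directive} auth admits unencrypted sessions; use priv")
    return findings


# Constructed sample configurations (the passphrases below are made up).
ARTICLE_CONF = """\
createUser User MD5 MyPassword      # as in /var/net-snmp/snmpd.conf above
rouser User auth                    # as in /etc/snmp/snmpd.conf above
"""

HARDENED_CONF = """\
createUser monitor SHA "correct horse battery" AES "staple rotate often"
rouser monitor priv
"""


if __name__ == "__main__":
    for label, conf in (("article", ARTICLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit(parse_snmpd_conf(conf)) or ["no findings"]:
            print("  -", finding)
```

Run it against /var/net-snmp/snmpd.conf before starting snmpd: at startup the daemon consumes createUser lines and rewrites the file with usmUser entries holding the localized keys, which is also why the line has to be re-added in section 7 of this article.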
4. Run SNMP
# service snmpd start
Starting snmpd: [ OK ]
# chkconfig snmpd on    # start automatically at boot
5. Check that the server is running
# service snmpd status
snmpd (pid 4167) is running...
# netstat -anup | grep 161    # 161 is the SNMP service port
udp 0 0 0.0.0.0:161 0.0.0.0:* 4167/snmpd
Now we can add this machine to Cacti or Nagios to monitor its data.
6. Taking Cacti as an example, fill in the following information:
SNMP Version: Version 3
SNMP Username (v3): User
SNMP Password (v3): MyPassword
SNMP Auth Protocol (v3): MD5
SNMP Privacy Passphrase (v3): (empty)
SNMP Privacy Protocol (v3): None
7. Possible problem: the page header shows an SNMP error
SNMP Information
SNMP Error
Workaround:
# service snmpd stop
# vi /var/net-snmp/snmpd.conf
Add the line again:
createUser User MD5 MyPassword
Press F5 to refresh Cacti, or wait a moment.