Linux SNMP
The following example uses the SUSE10 Linux environment, but it also applies to other Linux distributions.
Compiling and installing
First download the NET-SNMP source code. Choose a version, for example 5.7.1, from the following address:
http://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.1/
Next, unzip the downloaded source code package as follows:
# tar xzvf net-snmp-5.7.1.tar.gz
Then generate the build configuration with configure, as follows:
# ./configure --prefix=/usr/local/snmp --with-mib-modules=ucd-snmp/diskio
Note that the --with-mib-modules=ucd-snmp/diskio option above lets the agent support disk I/O monitoring.
Next, compile and install:
# make && make install
We now have a runnable SNMP agent at /usr/local/snmp/sbin/snmpd. A few necessary settings remain before we start it.
Setting up secure authentication
Exposing the SNMP agent to every host on the network is dangerous, so to stop other hosts from accessing your SNMP agent we need to enable an authentication mechanism on it. SNMP supports different authentication mechanisms depending on the protocol version. Jiankongbao (the monitoring service) currently supports two versions, v2c and v3. The v2c mechanism is relatively simple: it authenticates by a plaintext password (the community string) plus an authorized IP address. v3 authenticates with a user name and a password that is protected cryptographically. We recommend v3, but as long as you follow the configuration described below, either v2c or v3 provides a certain degree of security; choose according to your situation.
Note that the SNMP protocol version and the SNMP agent version are two different things: v2c and v3 just mentioned are versions of the SNMP protocol, while NET-SNMP is the program suite that implements the SNMP protocol, and its own version numbers look like 5.4.2.1 or 5.7.1.
V2c
First let us look at how to configure the agent for v2c. We create the snmpd configuration file; by default it does not exist, so create it as follows:
# vi /usr/local/snmp/share/snmp/snmpd.conf
Then we need to create a read-only account (a read-only community) by adding the following to snmpd.conf:
# rocommunity Jiankongbao 60.195.249.83   # since February 21, 2012 this IP is no longer used
rocommunity Jiankongbao 60.195.252.107
rocommunity Jiankongbao 60.195.252.110
# If you are using a plugin, the IP here should be the IP of the collector machine
Note: when adding a user, make sure the SNMP service is not running, otherwise the user cannot be added.
Note that "rocommunity" here means read-only access: the monitor can only read information from your server and cannot change any setting on it.
"Jiankongbao" is the equivalent of a password; many platforms use the default string "public". "Jiankongbao" is only an example here, and you can set any other string as the password.
The rightmost "60.195.249.83, 60.195.252.107, 60.195.252.110" are the designated monitoring-node IPs dedicated to Jiankongbao, which means that only Jiankongbao has permission to access your SNMP agent.
Therefore, in the configuration above only "Jiankongbao" needs to be changed by you; when adding the server on Jiankongbao you will need to provide this string.
V3
Of course, we recommend v3 for authentication. On some older Linux distributions the built-in SNMP agent may not support v3, so we recommend compiling and installing the latest NET-SNMP as described in the previous procedure.
v3 uses a different authentication method that requires creating a v3 account. Again we modify the same configuration file:
# vi /usr/local/snmp/share/snmp/snmpd.conf
Then add a read-only account, as follows:
rouser Jiankongbao auth
Note: when adding a user, make sure the SNMP service is not running, otherwise the user cannot be added.
As you can see, in v3 "rouser" denotes a read-only account type, the following "Jiankongbao" is the user name, and the trailing "auth" indicates that authentication is required.
Next we add the user "Jiankongbao" itself; this is a v3-specific mechanism. Open the following configuration file:
# vi /var/net-snmp/snmpd.conf
This file is read automatically when snmpd starts, and we need to add the directive that creates the user to it, as follows:
createUser Jiankongbao MD5 MyPassword
This line creates a user named "Jiankongbao" with the password "MyPassword", using MD5 as the authentication protocol. A reminder:
The password must be at least 8 bytes.
This is a requirement of the SNMP protocol; if the password is shorter than 8 bytes, communication will not be possible.
Note that once snmpd has started, for security reasons it automatically deletes the line above; snmpd records the user in hashed (ciphertext) form in another file, so you do not need to add the line again when restarting snmpd, unless you want to create a new user.
The user name, password and authentication protocol from the configuration above need to be entered when adding the server on Jiankongbao.
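A quick check for the pitfalls described in the v2c and v3 sections above (a community with no source restriction or the default "public", write access, a v3 passphrase under 8 characters), as an added example that is not part of the original page or of NET-SNMP; the lint_snmpd_conf and lint_demo names and the sample file are assumptions of this example:

```shell
#!/bin/sh
# lint_snmpd_conf FILE: report snmpd.conf settings that undo the protections
# described above. Added example; not part of the page or of NET-SNMP.
#   - ro/rwcommunity with no source host or "default": reachable from any host
#   - the well-known default community "public"
#   - rwcommunity/rwuser: write access, where only read-only was intended
#   - createUser passphrases under 8 characters, which the agent rejects
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_snmpd_conf() {
    findings=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "rocommunity" || tolower($1) == "rwcommunity" {
            if (NF < 3 || $3 == "default")
                printf "line %d: %s %s is reachable from any host\n", NR, $1, $2
            if (tolower($2) == "public")
                printf "line %d: default community string \"public\" in use\n", NR
        }
        tolower($1) == "rwcommunity" || tolower($1) == "rwuser" {
            printf "line %d: %s grants write access\n", NR, $1
        }
        tolower($1) == "createuser" {
            # createUser NAME AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]
            if (NF >= 4 && length($4) < 8)
                printf "line %d: auth passphrase for %s is under 8 characters\n", NR, $2
            if (NF >= 6 && length($6) < 8)
                printf "line %d: priv passphrase for %s is under 8 characters\n", NR, $2
        }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# lint_demo: runs the linter over a constructed snmpd.conf that mixes the
# page's own lines with the mistakes the linter is meant to catch (5 findings).
lint_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
rocommunity Jiankongbao 60.195.252.107
rocommunity Jiankongbao 60.195.252.110
rocommunity public
rwcommunity secret default
rouser Jiankongbao auth
createUser Jiankongbao MD5 MyPassword
createUser weak MD5 short
EOF
    if lint_snmpd_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Run it against your real file with lint_snmpd_conf /usr/local/snmp/share/snmp/snmpd.conf before starting snmpd; a zero exit status means none of the listed mistakes were found.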
Start the SNMP agent
After configuring, you can now start snmpd, as follows:
# /usr/local/snmp/sbin/snmpd
To stop it, you can kill the process directly, as follows:
# killall -9 snmpd
Enhanced Security mechanisms
With the above authentication in place you can use the SNMP agent safely. However, if your SNMP agent version is old, malicious attackers may exploit inherent vulnerabilities in it, for example by sending overlong data to cause a memory leak or a denial of service in the agent. For this reason you can also use the firewall (iptables) for additional filtering.
On Linux we use iptables to implement the firewall. In general, apart from the packets destined for the specified port, other incoming packets should be dropped. You may already have some firewall rules configured, so just add the rules for SNMP.
The SNMP agent listens by default on UDP port 161; add the following rules to your iptables:
# iptables -A INPUT -i eth0 -p udp -s 60.195.252.107 --dport 161 -j ACCEPT
# iptables -A INPUT -i eth0 -p udp -s 60.195.252.110 --dport 161 -j ACCEPT
# iptables -A INPUT -i eth0 -p udp --dport 161 -j DROP
The above assumes that the server's external network interface is eth0; adjust it according to your situation.
In this way only Jiankongbao's dedicated monitoring nodes can send UDP packets to port 161 of your server and communicate with the SNMP agent.
CentOS: installing NET-SNMP
CentOS and the other Red Hat family distributions provide NET-SNMP binary packages, which we can install directly from the package repository:
shell> yum install net-snmp net-snmp-devel net-snmp-utils
Note: net-snmp-devel is needed for net-snmp-config, and net-snmp-utils is needed for snmpwalk.
Configure NET-SNMP
In the author's test environment, NET-SNMP on CentOS could not use v3 normally with SELinux enabled. If you want to use SNMP v3, disable SELinux first.
shell> net-snmp-create-v3-user -ro -A <password> -a MD5 Jiankongbao
The command above creates a read-only SNMPv3 user that uses MD5; the user name is Jiankongbao and the password is the value given to -A (replace <password> with your own).
Note: stop the NET-SNMP service before running it.
shell> service snmpd stop
Run NET-SNMP
Running the NET-SNMP service is simple; just note that the service is named snmpd.
shell> service snmpd start
You may also want to add it to the list of services started at boot.
shell> chkconfig snmpd on
Testing NET-SNMP
We can use snmpwalk to check whether the SNMP service is up and working properly:
shell> snmpwalk -v 3 -u Jiankongbao -a MD5 -A <password> -l authNoPriv 127.0.0.1 sysDescr
If everything works it returns the normal result. For a description of snmpwalk's parameters, see its man page.
Configuring firewalls
NET-SNMP uses the UDP protocol on port 161. We will access your server from the following three IPs:
- 60.195.249.83 (since February 21, 2012, no longer used)
- 60.195.252.107
- 60.195.252.110
One possible configuration file is:
#-I INPUT -p udp -s 60.195.249.83 --dport 161 -j ACCEPT
-I INPUT -p udp -s 60.195.252.107 --dport 161 -j ACCEPT
-I INPUT -p udp -s 60.195.252.110 --dport 161 -j ACCEPT
Note: the above is only one possible configuration. Please understand the meaning of each line before writing it, rather than copying it directly. Otherwise, if something goes wrong here (for example with a rule like -I INPUT -j DROP), you can only cry and scold me, hehe.