11.18
Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks.”
Version 3:
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology.
SNMPv3 primarily added security and remote configuration enhancements to SNMP.
Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used.
SNMPv3 provides important security features:
- Confidentiality – Encryption of packets to prevent snooping by an unauthorized source.
- Integrity – Message integrity to ensure that a packet has not been tampered with in transit including an optional packet replay protection mechanism.
- Authentication – to verify that the message is from a valid source.
Configuration:
In Ubuntu 10.04 I used these settings which were working fine but not exactly secure:
/etc/default/snmpd
# This file controls the activity of snmpd and snmptrapd # MIB directories. /usr/share/snmp/mibs is the default, but # including it here avoids some strange problems. export MIBDIRS=/usr/share/snmp/mibs # snmpd control (yes means start daemon). SNMPDRUN=yes # snmpd options (use syslog, close stdin/out/err). SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' # snmptrapd control (yes means start daemon). As of net-snmp version # 5.0, master agentx support must be enabled in snmpd before snmptrapd # can be run. See snmpd.conf(5) for how to do this. TRAPDRUN=no # snmptrapd options (use syslog). TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid' # create symlink on Debian legacy location to official RFC path SNMPDCOMPAT=yes
/etc/snmp/snmpd.conf
com2sec ro default public com2sec rw localhost private group public v1 ro group public v2c ro group public usm ro group private v1 rw group private v2c rw group private usm rw view all included .1 80 view system included .iso.org.dod.internet.mgmt.mib-2.system access public "" any noauth exact all none none access private "" any noauth exact all all all
In Ubuntu 12.04 I couldn’t get things to work in the first place. Not with the default settings and not with the above. Looking at /var/log/syslog made it clear that SNMPD wasn’t able to locate the MIBs.
Nov 17 22:27:59 hades snmpd[1066]: payload OID: prNames Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown payload OID Nov 17 22:27:59 hades snmpd[1066]: Unknown payload OID: prNames Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: Unknown payload OID Nov 17 22:27:59 hades snmpd[1066]: payload OID: prErrMessage Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown payload OID Nov 17 22:27:59 hades snmpd[1066]: Unknown payload OID: prErrMessage Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: Unknown payload OID Nov 17 22:27:59 hades snmpd[1066]: trigger OID: prErrorFlag Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown monitor OID ... Nov 17 22:27:59 hades snmpd[1066]: Turning on AgentX master support. Nov 17 22:27:59 hades snmpd[1066]: net-snmp: 33 error(s) in config file(s)
After some searching I was able to get it running by setting MIBS to UCD-SNMP-MIB in /etc/default/snmpd.
In order to get SNMPv3 running only some minor adjustments were needed. I ended up with the following settings (which I hope are secure :-), see last two references (in Dutch)):
/etc/default/snmpd
# This file controls the activity of snmpd and snmptrapd # Don't load any MIBs by default. # You might comment this lines once you have the MIBs downloaded. export MIBS=UCD-SNMP-MIB # snmpd control (yes means start daemon). SNMPDRUN=yes # snmpd options (use syslog, close stdin/out/err). SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid' # snmptrapd control (yes means start daemon). As of net-snmp version # 5.0, master agentx support must be enabled in snmpd before snmptrapd # can be run. See snmpd.conf(5) for how to do this. TRAPDRUN=no # snmptrapd options (use syslog). TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid' # create symlink on Debian legacy location to official RFC path SNMPDCOMPAT=yes
/etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161 createUser internalUser MD5 "mypassword3" createUser cacti SHA "mypassword4" AES "passphrase4" view systemonly included .1.3.6.1.2.1.1 view systemonly included .1.3.6.1.2.1.25.1 rouser cacti iquerySecName internalUser rouser internalUser defaultMonitors yes linkUpDownNotifications yes master agentx
References:
Thanks very much sir….you helped me bypass the OID errors.
This sure is poorly documented. How were you able to figure out that “UCD-SNMP-MIB” was the proper value?
I found that in a non-related Debian topic. See “References”
Excellent…thanks again.
thanks! Work! =)
thx!