SNMP (Pete's notes)

Debian

To get the Net SNMP daemon (agent) onto a Debian system, do
apt-get install snmpd
This will install the snmpd binary and the boot-time startup script and links. Then edit /etc/snmp/snmpd.conf and set something like:
com2sec readonly default public
#access MyRWGroup "" any noauth exact all all none
syslocation NCAR computer room, 1850 Table Mesa Drive, Boulder, CO, USA
syscontact David Mitchell, mitchell@ucar.edu, 303-497-1845

Red Hat Fedora Core 1

I got and installed net-snmp-5.0.9-2.90.1.i386.rpm. This installs /etc/snmp/snmpd.conf, which I edited to change the sysContact and sysLocation. It also installed /etc/rc.d/init.d/snmpd, but to make it get executed at startup, you need to do
chkconfig snmpd on
Note that before you can talk to the daemon from another machine, you have to change your iptables to allow SNMP.

Red Hat 7.2

Red Hat Linux 7.2 comes with the ucd-snmp-4.2.1-7 rpm installed, which contains an SNMP agent named snmpd. It's the agent part of the net-snmp suite of SNMP software, which evolved from the CMU and UC-Davis SNMP suites. The other parts of net-snmp, like snmpwalk, are not installed by default in Red Hat Linux 7.2. The snmpd daemon goes into an infinite loop when probed by HP OpenView, so I upgraded to 5.0.6. I did this by building the 5.0.6 code, not by installing a new RPM. I had to: there was no RPM of 5.0.6 available. I followed the directions to make/install 5.0.6. Then I had to (yuk) rename the old binary and make a link to the new one, and delete the old man page:
cd /usr/sbin
mv snmpd snmpd.orig
ln -s ../local/sbin/snmpd snmpd
To configure snmpd, edit the /etc/snmpd.conf file. For an explanation of this, do man snmpd.conf.

Step 1: use "com2sec" lines to define "security names", which are names for sets of things that are to be treated the same in terms of access rights. For instance, I'll define a security name "ucarsec" to cover inbound SNMP requests that come from a 128.117.0.0/16 source and that contain the community string "public".

Step 2: use "group" lines to define different actions based on the type of request. You'd use this if you wanted to give SNMP v1 requests different access than SNMP v2 requests. I don't, so I just map the security names to group names without doing anything fancy.

Step 3: use "view" lines to define sections of the MIB tree that you want to protect differently than other sections. I'll define one global view named "all" and one named "system" that covers just the system table.

Step 4: use "access" lines to map groups to views. I'll allow the "local" group to have access to the "all" view (the whole MIB), and I'll allow the "ucar" group to have access to the "system" view (only the "system" part of the MIB).

syslocation ML31G, NCAR, 1850 Table Mesa Drive, Boulder, CO 80305
syscontact Pete Siemsen, siemsen@ucar.edu
com2sec localsec localhost public
com2sec ucarsec 128.117.0.0/16 public
group local v1 localsec
group local v2c localsec
group ucar v1 ucarsec
group ucar v2c ucarsec
view all included .1
view system included system fe
access local "" any noauth exact all none none
access ucar "" any noauth exact system none none
Then, to start the daemon and make it start at boot time,
/etc/rc.d/init.d/snmpd start
chkconfig --add snmpd
chkconfig snmpd on
To make the system permit inbound SNMP packets, edit the /etc/sysconfig/ipchains file and add these lines:
# 161=snmp
-A input -s 0/0 -d 0/0 161 -p udp -j ACCEPT
# 162=snmp traps
-A input -s 0/0 -d 0/0 162 -p udp -j ACCEPT
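
The four steps above chain com2sec, group, view and access lines. The following added example, which is not part of the original notes, resolves that chain for the configuration shown above and flags default community strings, any-source entries and write access. The function names and finding labels are assumptions of this example, and it ignores the model and level fields of the access line.

```python
# Added example (not from the original notes): resolve snmpd.conf access control.
# Simplified: one access line per group; access model/level fields are ignored.
SAMPLE_CONF = """\
com2sec localsec localhost public
com2sec ucarsec 128.117.0.0/16 public
group local v1 localsec
group local v2c localsec
group ucar v1 ucarsec
group ucar v2c ucarsec
view all included .1
view system included system fe
access local "" any noauth exact all none none
access ucar "" any noauth exact system none none
"""  # the configuration from the notes above
WEAK_COMMUNITIES = {"public", "private"}  # widely known default strings

def resolve(conf):
    """Follow com2sec -> group -> access -> view; return one dict per path."""
    d = {"com2sec": [], "group": [], "view": [], "access": []}
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if f and f[0] in d:
            d[f[0]].append(f[1:])
    # access fields: group context model level prefix read write notify
    access = {a[0]: (a[5], a[6]) for a in d["access"] if len(a) >= 8}
    views = {}
    for v in filter(None, d["view"]):
        views.setdefault(v[0], []).append(tuple(v[1:3]))  # (included, subtree)
    rows = []
    for name, source, community in (c[:3] for c in d["com2sec"] if len(c) >= 3):
        for group, model, secname in (g[:3] for g in d["group"] if len(g) >= 3):
            if secname == name and group in access:
                read, write = access[group]
                rows.append({"source": source, "community": community, "model": model,
                             "read": read, "write": write, "subtrees": views.get(read, [])})
    return rows

def findings(rows):
    """Return sorted (source, issue) pairs for settings that widen exposure."""
    out = set()
    for r in rows:
        checks = {"any-source": r["source"] == "default",
                  "default-community": r["community"] in WEAK_COMMUNITIES,
                  "write-enabled": r["write"] != "none"}
        out.update((r["source"], issue) for issue, hit in checks.items() if hit)
    return sorted(out)

if __name__ == "__main__":
    print(findings(resolve(SAMPLE_CONF)))
```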

Pete Siemsen
Last modified: Fri Dec 3 17:34:35 MST 2004