How to configure SNMPv3 on Ubuntu, CentOS and Cisco


Simple Network Management Protocol (SNMP) is a widely used protocol for collecting information about what is going on inside a device. For example, CPU and RAM utilization, server load, traffic on network interfaces and many other device metrics can be queried with SNMP.
There are currently three versions of SNMP: v1, v2c and v3. SNMP v1 and v2c are easy to configure and were covered in a previous article. SNMPv3 adds a number of extra features, including authentication and encryption schemes (for example MD5, SHA, AES and DES). This makes SNMPv3 the more secure and preferable choice when SNMP queries are run over the Internet.
Configuring SNMPv3 is a little different from configuring SNMP v1 or v2c. The steps are explained in detail below.
Configuring SNMPv3 on Ubuntu and Debian
The configuration is done with the net-snmp-config tool. The example below creates a read-only SNMPv3 user named "snmpv3user" with the password "snmpv3pass". By default the authentication method is MD5 and the privacy (encryption) method is DES; these settings can be changed as needed.
root@server:~# apt-get install snmp snmpd
root@server:~# service snmpd stop
root@server:~# net-snmp-config --create-snmpv3-user -ro -A snmpv3pass snmpv3user
## OUTPUT ##
adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rouser snmpv3user
root@server:~# service snmpd start
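It is worth seeing what snmpd does with that createUser line, because it explains the hex usmUser entry that shows up later in /var/lib/snmp/snmpd.conf: on its first start the agent runs the RFC 3414 key derivation (the passphrase is repeated to 1 MiB and hashed, and the result is then localized with the agent's engine ID) and writes back only the resulting keys, not the passphrase. The Python below is an added example, not code from the article or from net-snmp; it implements that derivation and checks itself against the RFC 3414 Appendix A.3 test vector ("maplesyrup" with engine ID 0x000000000000000000000002). The function names are my own.

```python
import hashlib

# Added example (not from the article or net-snmp): RFC 3414 user key derivation.
# This is what snmpd does with a 'createUser snmpv3user MD5 "snmpv3pass" DES'
# line on first start; the usmUser line it writes back holds only the
# localized keys computed here, never the passphrase itself.

MIN_PASSPHRASE_LEN = 8  # RFC 3414 minimum; net-snmp rejects shorter passphrases
STRETCH_LEN = 1048576   # RFC 3414 A.2: the passphrase is repeated to 1 MiB before hashing


def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """Ku = H(passphrase repeated to fill 1 MiB)  (RFC 3414, A.2.1 / A.2.2)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least %d octets" % MIN_PASSPHRASE_LEN)
    repeats = STRETCH_LEN // len(passphrase) + 1
    stretched = (passphrase * repeats)[:STRETCH_LEN]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku)  (RFC 3414, section 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(passphrase: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Localized key in the 0x... form net-snmp writes into a usmUser line.

    hash_name is "md5" or "sha1", matching the MD5/SHA keyword of createUser.
    The DES and AES-128 privacy keys are the first 16 bytes of the same
    construction applied to the privacy passphrase.
    """
    if engine_id_hex.startswith("0x"):
        engine_id_hex = engine_id_hex[2:]
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(passphrase.encode("utf-8"), hash_name)
    return "0x" + localize_key(ku, engine_id, hash_name).hex()


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector: expected MD5 result 0x526f5eed9fcce26f8964c2930787d82b
    print(localized_key_hex("maplesyrup", "0x000000000000000000000002", "md5"))
    # Same derivation with the article's passphrase and the engine ID from its usmUser line
    print(localized_key_hex("snmpv3pass", "0x80001f8880056e06573a1e895100000000", "md5"))
```

Two consequences for operations follow from this. The usmUser line is a ready-to-use credential for that agent, so the persistent snmpd.conf deserves the same file protection as a password file. And because the key is localized with the engine ID, a user created on one host (or an agent whose engine ID changes) will not authenticate elsewhere; the user has to be re-created. Passing "sha1" instead of "md5" gives the key for a createUser line that uses SHA, which together with AES is the usual choice if you take up the article's note that the defaults can be changed. Note also that the snmpwalk tests in the article use -l authNoPriv, which authenticates but does not encrypt; authPriv (with -X for the privacy passphrase) is needed for confidentiality.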
Testing SNMPv3
Use snmpwalk to test the SNMP configuration. A successful test produces a large amount of output. The example below demonstrates snmpwalk with the v3 user created above; the IP address of the local Ubuntu/Debian server is 192.168.1.1.
root@server:~# snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.1.1 -v3
### SAMPLE OUTPUT ###
iso.3.6.1.2.1.1.1.0 = STRING: "Linux server 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (68028) 0:11:20.28
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB"
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching"
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model"
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP"
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
### And the walk goes on and on ###
Removing an SNMPv3 user
When the net-snmp-config tool runs, the user's information is stored in two files, /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf. To remove the user, delete its entries from these files.
root@server:~# service snmpd stop
root@server:~# vim /var/lib/snmp/snmpd.conf
## there should be a similar encrypted line that contains information on the user ##
## this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
root@server:~# vim /usr/share/snmp/snmpd.conf
## The following line is removed ##
rouser snmpv3user
Don't forget to restart snmpd afterwards.
root@server:~# service snmpd start
Configuring SNMPv3 on CentOS or RHEL
Compared with Ubuntu, the process of configuring an SNMPv3 user on CentOS and RHEL is slightly different, but essentially the same.
First, install the necessary packages with yum.
[root@server ~]# yum install net-snmp-utils net-snmp-devel
After installation, stop snmpd and then create a read-only SNMP user.
[root@server ~]# service snmpd stop
[root@server ~]# net-snmp-create-v3-user -ro -A snmpv3pass -a MD5 -x DES snmpv3user
## OUTPUT ##
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpv3user
[root@server ~]# service snmpd start
Testing SNMPv3
snmpwalk is an excellent tool for testing the SNMP configuration and inspecting its output. A successful test produces a large amount of output.
[root@server ~]# snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.1.2 -v3
### OUTPUT ###
SNMPv2-MIB::sysDescr.0 = STRING: Linux server.example.tst 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28963) 0:04:49.63
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementation
## and the output continues ##
Removing an SNMPv3 user
The SNMPv3 user information is contained in two files. To remove the user, delete its entries from both files.
root@server:~# service snmpd stop
root@server:~# vim /var/lib/net-snmp/snmpd.conf
## there should be a similar encrypted line that contains information on the user ##
## this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
root@server:~# vim /etc/snmp/snmpd.conf
## The following line is removed ##
rouser snmpv3user
root@server:~# service snmpd start
Firewall tuning (optional)
The firewall rules in the example below can be used to restrict the source IP addresses that are allowed to make SNMP queries. Two IP addresses (192.168.1.100 and 192.168.1.101) are whitelisted; every other source is dropped.
root@server:~# iptables -A INPUT -s 192.168.1.100/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -s 192.168.1.101/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -p udp --dport 161 -j DROP
Configuring SNMPv3 on Cisco switches and routers
Cisco switches and routers also support SNMPv3. The example below creates an access control list (ACL) that restricts the source IP addresses allowed to make SNMP queries. This step is optional and can be skipped.
Setting up the access control list (ACL) (optional)
## global config mode ##
ip access-list standard SNMP_ACL
permit 192.168.1.100
permit 192.168.1.100
SNMPv3 configuration
The configuration below creates a v3 group named v3Group with the AuthNoPriv security level. The optional access list defined earlier can also be applied to it.
## global config mode ##
## With ACL ##
snmp-server group v3Group v3 auth access SNMP_ACL

## Without ACL ##
snmp-server group v3Group v3 auth
The user v3user is created and added to v3Group. The MD5 authentication password and the AES encryption key are also defined.
snmp-server user v3user v3Group v3 auth md5 snmpv3pass priv aes 128 snmpv3pass
Testing SNMPv3
The SNMP users and their groups can be viewed on the Cisco device.
## privileged EXEC mode ##
show snmp user
User name: v3user
Engine ID:
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: v3Group
snmpwalk on any Linux machine can be used to verify the configuration and inspect the output.
snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.1.3 -v3
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software
Technical Support:
Original source: http://outofmemory.cn/zz/12634609.html