Install and Configure Net-SNMP v3 on Red Hat Enterprise Linux 4

Today, we are going to install/update Net-SNMP on Red Hat Enterprise Linux 4. We will see how easy it is to disable SNMP v1/v2c, which authenticate every request with nothing more than a community string sent in clear text, and to configure a user-based SNMP v3 agent that authenticates and encrypts instead. You need to perform these steps as the root user, so log in to the host as root now.

To install/update the Net-SNMP,

# up2date -i net-snmp-devel net-snmp-libs net-snmp-utils net-snmp

To stop the Net-SNMP Agent if already running,

# /etc/init.d/snmpd stop

To move aside the persistent data file where the localized authentication and privacy keys of SNMP v3 users are stored (skip this if the file does not exist yet),

# mv /var/net-snmp/snmpd.conf /var/net-snmp/snmpd.conf.`date +%F-%H%M%S`

To move the default Net-SNMP configuration file,

# mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.`date +%F-%H%M%S`

Now let's create a Net-SNMP v3 read-only user with MD5 authentication and DES encryption. Make sure to replace the xxxxxxxx with your pass phrases and username with whatever name you want to give to your SNMP v3 user. MD5 and DES are the weakest choices Net-SNMP offers; if OpenSSL is installed (see the note below), substitute SHA for MD5 and AES for DES here and in the snmpwalk test later in this post,

# net-snmp-config --create-snmpv3-user -ro -A MD5 -a xxxxxxxx -X DES -x xxxxxxxx username

The output will be,

adding the following line to /var/net-snmp/snmpd.conf:
   createUser username MD5 "xxxxxxxx" DES xxxxxxxx
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser username

For some reason net-snmp-config did not put the SNMP v3 user in the actual Net-SNMP configuration file /etc/snmp/snmpd.conf; instead it added the entry to the sample configuration file /usr/share/snmp/snmpd.conf. Red Hat has fixed this in RHEL 5 and 6. So, for now you need to create the file manually and add the entry yourself. Note that this one-line file is also what disables v1 and v2c: it contains no rocommunity, rwcommunity or com2sec lines, so a v1/v2c request has no community string to match and is dropped. If you append the keyword priv to that rouser line, the agent will additionally refuse authNoPriv sessions, so polled data can never travel unencrypted,

# touch /etc/snmp/snmpd.conf
# echo "rouser username" > /etc/snmp/snmpd.conf

Note: SHA authentication and DES/AES privacy require OpenSSL to be installed but MD5 authentication may be used without OpenSSL. Also, the minimum pass phrase length is 8 characters so make sure to choose two different strong alpha numeric pass phrases one for authentication and other for encryption.

If you don't already have OpenSSL installed then to install OpenSSL,

# up2date -i openssl openssl-devel

To start the Net-SNMP Agent at boot time,

# chkconfig snmpd on

To start the Net-SNMP Agent now,

# /etc/init.d/snmpd start

If iptables is enabled then you need to open port UDP/161. It's always good to have a rollback plan in case anything goes wrong, so let's back up the iptables rules first,

# cp -ap /etc/sysconfig/iptables /etc/sysconfig/iptables.`date +%F-%H%M%S`

To open the port for all computers on the network,

# iptables -I RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT

To open the port for a specific IP Address on the network,

# iptables -I RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx/255.255.255.255 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT

Note: Make sure to replace xxx.xxx.xxx.xxx with the IP address from which you will poll the host using the SNMP v3 credentials, and don't be confused by the netmask 255.255.255.255 (equivalent to /32). That netmask makes sure only that particular IP address is allowed, not the whole subnet. If more than one IP address will be polling the host, repeat the command for each one. Opening the port to the whole network, as in the first form, is only advisable on a trusted management network.

To save the IPtables,

# service iptables save

We have now completed the Net-SNMP v3 installation and configuration on Red Hat Enterprise Linux 4, but let's use snmpwalk to test that we can poll information correctly (the object name is sysDescr, with a trailing r),

# snmpwalk -v 3 -u username -l authPriv -a MD5 -A xxxxxxxx -x DES -X xxxxxxxx localhost sysDescr

Where,
    xxxxxxxx are your authentication and encryption pass phrases
    username is your SNMP v3 user name

Keep in mind that pass phrases given on the command line are visible to every local user in the process list and end up in the shell history. For regular polling from a management host, put them in that host's ~/.snmp/snmp.conf instead (the defSecurityName, defAuthType, defAuthPassphrase, defPrivType, defPrivPassphrase and defSecurityLevel directives) and make that file readable only by its owner. It is also worth confirming the old protocols are really gone: a walk with -v 2c -c public against the host should time out rather than answer.
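The following shell functions are an added example, not part of the original post or of Net-SNMP itself. They render the v3-only snmpd.conf described above (with the priv keyword so unencrypted sessions are refused), audit an existing snmpd.conf for the weak settings this post removes (v1/v2c community strings and v3 users that do not require encryption), build the single-IP firewall rule, and, when run against a live agent, verify that v2c is refused while v3 authPriv works. The function names, the sample configuration used in the comments and the 10.0.0.5 poller address are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): render a v3-only snmpd.conf,
# audit a snmpd.conf for weak settings, build the /32 firewall rule and
# check a live agent. Function names and sample values are constructed.

# Print a Net-SNMP configuration that accepts only SNMPv3 for USER and
# requires authentication *and* encryption ("priv"). Without the trailing
# "priv", rouser defaults to the "auth" level and an authNoPriv client
# would pull data in the clear.
render_snmpd_conf() {
    user=$1
    cat <<EOF
# SNMPv3 only: no rocommunity/rwcommunity/com2sec lines, so v1/v2c
# requests have no community string to match and are dropped.
rouser $user priv
EOF
}

# Audit FILE: print each weak setting found, return 1 if any were found.
# Flags v1/v2c community definitions and v3 users that do not require
# encryption (rouser/rwuser lines without the "priv" keyword).
audit_snmpd_conf() {
    file=$1
    bad=0
    # community strings grant v1/v2c access with a cleartext password
    if grep -E '^[[:space:]]*(rocommunity|rwcommunity|com2sec)' "$file"; then
        echo "FAIL: v1/v2c community string(s) in $file"
        bad=1
    fi
    # rouser/rwuser lines lacking "priv" accept authNoPriv sessions
    if grep -E '^[[:space:]]*r[ow]user' "$file" | grep -Ev '[[:space:]]priv([[:space:]]|$)'; then
        echo "FAIL: v3 user(s) not requiring encryption in $file"
        bad=1
    fi
    # rwuser grants write access; report it so it is a deliberate choice
    if grep -E '^[[:space:]]*rwuser' "$file" >/dev/null; then
        echo "WARN: rwuser present (write access) in $file"
    fi
    return $bad
}

# Build the RH-Firewall-1-INPUT rule for a single poller IP; /32 is the
# same as the 255.255.255.255 netmask used in the post.
render_iptables_rule() {
    echo "iptables -I RH-Firewall-1-INPUT -s $1/32 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT"
}

# Live check against a running snmpd (not exercised by the offline test):
# v2c with the default community must fail, v3 authPriv must succeed.
# Usage: check_agent USER AUTHPASS PRIVPASS [HOST]
check_agent() {
    user=$1; auth=$2; priv=$3; host=${4:-localhost}
    if snmpwalk -v 2c -c public -r 0 -t 2 "$host" sysDescr >/dev/null 2>&1; then
        echo "FAIL: v2c community 'public' still answered on $host"
        return 1
    fi
    snmpwalk -v 3 -u "$user" -l authPriv -a MD5 -A "$auth" -x DES -X "$priv" "$host" sysDescr
}
```

To use it on the host from this post, write the rendered configuration with `render_snmpd_conf username > /etc/snmp/snmpd.conf`, run `audit_snmpd_conf /etc/snmp/snmpd.conf` before restarting snmpd, and call `check_agent` with the user and pass phrases you created (swap MD5/DES for SHA/AES inside check_agent if you chose those).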

If this is a Dell physical machine and OMSA is installed on RHEL4, you also have the option of polling hardware status via Net-SNMP v3. To take advantage of this, enable SNMP in OMSA,

# /etc/init.d/dataeng enablesnmp

This should add the line below to the Net-SNMP configuration file /etc/snmp/snmpd.conf,

smuxpeer .1.3.6.1.4.1.674.10892.1

If you don't see that line in /etc/snmp/snmpd.conf, go ahead and add it manually,

# echo "smuxpeer .1.3.6.1.4.1.674.10892.1" >> /etc/snmp/snmpd.conf

To restart the OMSA services,

# srvadmin-services.sh restart

In most cases srvadmin-services.sh is located at /opt/dell/srvadmin/sbin/srvadmin-services.sh.

Now just restart the Net-SNMP Agent and you are done,

# /etc/init.d/snmpd restart

Any feedback will be highly appreciated.

This post appeared on the softlexicon.com by Sumit Goel. Copyright © 2012–2013 – softlexicon.com and Sumit Goel. All rights reserved. Not to be reproduced for commercial purposes without written permission.
