How to properly configure snmpd?

Question

I installed snmp on CentOS 7.2, like so:

yum -y install net-snmp net-snmp-utils

I made a backup of my snmpd.conf file:

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

then I cleared the text, with this:

echo "" > /etc/snmp/snmpd.conf

and added to the snmpd.conf, the following:

rocommunity "#random$" monitoring_server_ip

The monitoring_server_ip is the server that that is allowed to connect to this snmpd server.

Restarted snmpd

/bin/systemctl restart snmpd

When I run snmpwalk on my CentOS 7.2 server

snmpwalk -v2c -c public localhost system

I then get:

Timeout: No Response from localhost

Which is accurate, because there is only one IP-adres that can do that, as we have defined before.

ps shows that snmp is running

/usr/sbin/snmpd -LS0-6d -f

This is my first time playing with snmp and any help is greatly appreciated!

output of iptables -L -n | grep udp shows this:

...
Chain IN_public_allow (1 references)
   94  target     prot opt source               destination
   95  ACCEPT     udp  --  XX.XXX.XXX.XXX        0.0.0.0/0            udp dpt:161 ctstate NEW
...

All of the destination was too 0.0.0.0/0?

Netstat shows the following port:

 netstat -ulnp | grep 161
udp        0      0 0.0.0.0:161             0.0.0.0:*                           19062/snmpd

also this:

netstat -lu | grep snmp
udp        0      0 0.0.0.0:snmp            0.0.0.0:*

Also, in my firewall, added that only one IP-adres can access my snmp server:

firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="XX.XXX.XXX.XX" port protocol="udp" port="161" accept"

Rui F Ribeiro · Accepted Answer · 2016-03-15T11:22:40.180

4

The com2sec security model is not mandatory anymore.

In snmpd.conf it should be enough to do:

rocommunity "#randomsometinh$"  2.2.2.2

where 2.2.2.2 is the monitoring IP address allowed to connect. I often prefer to assign a single IP, than giving access to a whole /24. So this configuration means the SNMP service will answer requests from the 2.2.2.2 address.

You might also have to comment the line that restricts the snmpd daemon to the localhost for security reasons.

# agentAddress  udp:127.0.0.1:161

After changing the configuration file, do:

service restart snmpd

To confirm if it is listening locally:

$ netstat -lu | grep snmp
udp        0      0 *:snmp                  *:*

And from the allowed network/IP, for walking the entire MIB tree. Assuming 2.2.2.1 is the machine being monitored:

snmpwalk -c "#randomsometinh$" -v2c 2.2.2.1

or for asking for the sysUpTime OID:

snmpwalk -c "#randomsometinh$" -v2c 2.2.2.1 1.3.6.1.2.1.1.3
snmpget -c #randomsometinh$ -v2c 2.2.2.1 1.3.6.1.2.1.1.3.0

snmpget has to have the 0 for the specific object instance/index.

P.S: 2.2.2.2 is the monitoring server, and 2.2.2.1 is the snmpd server/host to be monitored.

edited Mar 15 '16 at 11:22

answered Mar 10 '16 at 16:10

Rui F Ribeiro

55,929
26
146
227

HoI! Sorry for the late reply! But I can't find the `agentAddress ` in `snmpd.conf`. Its not there: `cat /etc/snmp/snmpd.conf | grep agentAddress` This displays nothing! – blade19899 Mar 11 '16 at 08:06
Which it is not necessarily bad. It was added by some distributions as an additional step of security. Adding the rocommunity are you able to use it? – Rui F Ribeiro Mar 11 '16 at 09:20
2

When I use the `snmpwalk` command, I get an output that's `5821` lines. I have no idea if that's a good thing! – blade19899 Mar 11 '16 at 09:34
1

Yes, snmpwak is supposed to walk the MIB tree without additional arguments...you can try getting a specific OID or using `snmpget`. So it is working. – Rui F Ribeiro Mar 11 '16 at 09:35
I replaced the `nmpwalk` with `snmpget`, but I then get: `Missing object name`! – blade19899 Mar 11 '16 at 09:42
Okay, I know that OID is an `Object identifier`, and that site you linked at, I'm not sure what to do with that? – blade19899 Mar 11 '16 at 10:01
It is just to justify where 1.3.6.1.2.1.1.3 comes from. I updated the answer with the commands. – Rui F Ribeiro Mar 11 '16 at 10:02
Okay, I get the following after that: `DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (370395) 1:01:43.95` – blade19899 Mar 11 '16 at 10:07
So it is working, that is the machine uptime-. – Rui F Ribeiro Mar 11 '16 at 10:23
Awesome! Just one thing that needs to get done. I need to only allow one IP-adress, to connect to the snmp server! I need to add this: `agentAddress udp:**allowed_ip-adress**`, right? – blade19899 Mar 11 '16 at 11:23
On my `snmpd.conf` the `2.2.2.2` part is where I had put the server IP adres where snmp is installed on. `rocommunity #randomsometinh$ IP-adres_of_snmp_server`. So, I edit that, replace the curent snmp server IP-adres, with the IP-adres of the machine, that is going to connect to the SNMP server? – blade19899 Mar 11 '16 at 13:12
Edited it again the post for clarity. – Rui F Ribeiro Mar 11 '16 at 13:31
`Timeout: No Response from ...` the monitoring server or the snmp server: `2.2.2.2`/`2.2.2.1`? – blade19899 Mar 11 '16 at 15:15
on snmpd.conf after the rocommunity is the IP of the monitoring server. – Rui F Ribeiro Mar 11 '16 at 15:17
`rocommunity #snmp2016ABC$ monitoring_ip_adres` – blade19899 Mar 11 '16 at 15:24
yes, the IP address of the server where you run snmget/walk – Rui F Ribeiro Mar 11 '16 at 15:29
The iP-adres of the server where snmp is installed, is what I use to run snmget, and also the ip of the guy that is gonna monitor that server, and both IP adresses I get: `Timeout: No Response from ...` internal and an external IP? – blade19899 Mar 11 '16 at 15:35
Could it that the ip-adres in the snmpd conf file, is the only ip-adres that can now test it? – blade19899 Mar 11 '16 at 15:35
My `snmpd.conf` is has nothing else in it – blade19899 Mar 11 '16 at 15:39
exactly. As soon you put there the address *and restart the service* you will be only able to test *from that IP address* as the configuration means "I will only answer requests coming from that IP address* – Rui F Ribeiro Mar 11 '16 at 16:08
Thanks! Than I'll wait their reply, to see if everything is working properly. – blade19899 Mar 11 '16 at 16:12
Have a nice weekend! – blade19899 Mar 11 '16 at 16:12
Unfortunately they can't seem to connect to the snmp server. I also - with the `firewall` command - made a rule to disallow, every ip's connection to `udp` port `161`. Other then that, Its the same. Like so: http://serverfault.com/a/684603/114962 – blade19899 Mar 14 '16 at 11:19
How about the corporate firewall? Please display the output of `netstat -lu | grep snmp` – Rui F Ribeiro Mar 14 '16 at 11:20
`udp 0 0 0.0.0.0:snmp 0.0.0.0:*` – blade19899 Mar 14 '16 at 11:22
It is listening indeed. What about tests of your network team? Add to the post `iptables -L -n` please – Rui F Ribeiro Mar 14 '16 at 11:25
Edited my question – blade19899 Mar 14 '16 at 11:33
only state NEW in iptables is not enough, unless you have something else on iptables...try to test it out with no states first – Rui F Ribeiro Mar 14 '16 at 12:19
How do I do that? – blade19899 Mar 14 '16 at 12:21
would you give me the relevant iptables rule? How did you create it? – Rui F Ribeiro Mar 14 '16 at 12:22
I'll edit my question whit everything I've done so far – blade19899 Mar 14 '16 at 12:24
I have Edited my Q – blade19899 Mar 14 '16 at 12:32
all seems ok.... add another line rocommunity with an IP address you control....for testing. – Rui F Ribeiro Mar 14 '16 at 17:41
1

My apologize. It was users error. they got it to work. Also, I read in a doc, that every special character, should be in single quotes in de snmpd.conf `'#randomsometinh$'`. Thanks for your help. – blade19899 Mar 15 '16 at 10:55
The ' part makes some sense. I try to avoid using special characters as to avoid potential problems with some device. Good to know everything is working. cheers. – Rui F Ribeiro Mar 15 '16 at 11:23

How to properly configure snmpd?

1 Answers1

Linked