SNMP: Porovnání verzí

Z HKfree wiki
Skočit na navigaci Skočit na vyhledávání
m
Řádek 59: Řádek 59:
 
  syslocation "AP ZITNYP"
 
  syslocation "AP ZITNYP"
 
  syscontact "Zitny Petr <zitnyp@hkfree.org>"
 
  syscontact "Zitny Petr <zitnyp@hkfree.org>"
 +
 +
Příklad nastavení z virtuálu na pmv:
 +
 +
syslocation webhost machine - pmv
 +
syscontact xxx <xxx@hkfree.org>
 +
com2sec notConfigUser  10.107.0.0/16        public
 +
group  notConfigGroup  v1              notConfigUser
 +
group  notConfigGroup  v2c            notConfigUser
 +
view    roview          included        .1
 +
view    rwview          included        system.sysContact
 +
view    rwview          included        system.sysName
 +
view    rwview          included        system.sysLocation
 +
view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus
 +
view    rwview          included        at.atTable.atEntry.atPhysAddress
 +
view    rwview          included        at.atTable.atEntry.atNetAddress
 +
view    rwview          included        ip.ipForwarding
 +
view    rwview          included        ip.ipDefaultTTL
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask
 +
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
 +
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
 +
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
 +
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
 +
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
 +
view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState
 +
view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
 +
view    rwview          included        snmp.snmpEnableAuthenTraps
 +
access  notConfigGroup ""      any      noauth    exact  roview rwview none
 +
dontLogTCPWrappersConnects yes
 +
  
 
Správné nastavení SNMP agenta zjistíme například pomocí příkazu: (IP adresu upravte podle stroje, na kterém agent běží)
 
Správné nastavení SNMP agenta zjistíme například pomocí příkazu: (IP adresu upravte podle stroje, na kterém agent běží)

Verze z 30. 5. 2014, 18:09

SNMP na routeru

Po nainstalování balíčku se SNMP (v Debianu je defaultně Net-SNMP) buč upravíme konfiguráky ručně (/etc/snmp/) nebo spustíme příkaz snmpconf, který nám pomůže vytvořit nové konfiguráky (především snmp.conf a snmpd.conf).

Příklad konfiguráku z AP Kocourkov:

com2sec readonly  0.0.0.0/0       public

group MyROSystem v1        paranoid
group MyROSystem v2c       paranoid
group MyROSystem usm       paranoid
group MyROGroup v1         readonly
group MyROGroup v2c        readonly
group MyROGroup usm        readonly
group MyRWGroup v1         readwrite
group MyRWGroup v2c        readwrite
group MyRWGroup usm        readwrite

view all    included  .1                               80
view system included  .iso.org.dod.internet.mgmt.mib-2.system

access MyROSystem ""     any       noauth    exact  system none   none
access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none

syslocation Kocourkov
syscontact Root <harry@hkfree.org>

Příklad konfiguráku z AP Zitnyp:

com2sec paranoid  default         public

group MyROSystem v1        paranoid
group MyROSystem v2c       paranoid
group MyROSystem usm       paranoid
group MyROGroup v1         readonly
group MyROGroup v2c        readonly
group MyROGroup usm        readonly
group MyRWGroup v1         readwrite
group MyRWGroup v2c        readwrite
group MyRWGroup usm        readwrite

view all    included  .1                               80
view system included  .iso.org.dod.internet.mgmt.mib-2.system

view network included .iso.org.dod.internet.mgmt.mib-2.system
view network included .iso.org.dod.internet.mgmt.mib-2.interfaces
view network included .iso.org.dod.internet.mgmt.mib-2.ip
view network included .iso.org.dod.internet.mgmt.mib-2.icmp
view network included .iso.org.dod.internet.mgmt.mib-2.tcp
view network included .iso.org.dod.internet.mgmt.mib-2.udp
view network included .iso.org.dod.internet.private.enterprises.ucdavis.memory
view network included .iso.org.dod.internet.private.enterprises.ucdavis.systemStats
view network included  .1.3.6.1.3.14614

access MyROSystem ""     any       noauth    exact  network none   none
access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none

syslocation "AP ZITNYP"
syscontact "Zitny Petr <zitnyp@hkfree.org>"

Příklad nastavení z virtuálu na pmv:

syslocation webhost machine - pmv
syscontact xxx <xxx@hkfree.org>
com2sec notConfigUser   10.107.0.0/16         public
group   notConfigGroup  v1              notConfigUser
group   notConfigGroup  v2c             notConfigUser
view    roview          included        .1
view    rwview          included        system.sysContact
view    rwview          included        system.sysName
view    rwview          included        system.sysLocation
view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus
view    rwview          included        at.atTable.atEntry.atPhysAddress
view    rwview          included        at.atTable.atEntry.atNetAddress 
view    rwview          included        ip.ipForwarding
view    rwview          included        ip.ipDefaultTTL
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask
view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState
view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
view    rwview          included        snmp.snmpEnableAuthenTraps
access  notConfigGroup ""      any       noauth    exact  roview rwview none
dontLogTCPWrappersConnects yes


Správné nastavení SNMP agenta zjistíme například pomocí příkazu: (IP adresu upravte podle stroje, na kterém agent běží)

snmpwalk -v 2c -c public IP.AD.RE.SA | grep eth
snmpwalk -v 2c -c public localhost | grep eth

Pokud nám první příkaz vypíše "Timeout: No Response..." a druhý ne, musíme ještě povolit SNMP v /etc/hosts.allow - přidáme řádek

snmpd: ALL

a ještě zkontrolujeme /etc/default/snmpd (odstraníme 127.0.0.1, aby router poslouchal na všech interfacech

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

Teď už by to mělo vše fungovat. Pro zabezpečení můžeme přístup omezit pouze ze Sojky (10.107.252.101).

SNMP na RouterBOARDu

V menu SNMP dáme přidat (add), zvoléme jméno (standartně "public"), do rozsahu dejte IP Sojky (10.107.252.101), a Read access zaškrtnout. V settings zaškrtneme Enabled, vyplníme e-mail a do Location například jméno AP.