SNMP: Revision comparison
(2 intermediate revisions by 2 other users are not shown.)
Řádek 17: | Řádek 17: | ||
view all included .1 80 | view all included .1 80 | ||
− | |||
access MyROSystem "" any noauth exact system none none | access MyROSystem "" any noauth exact system none none | ||
Řádek 24: | Řádek 23: | ||
syslocation Kocourkov | syslocation Kocourkov | ||
− | syscontact Root < | + | syscontact Root <kocourkov@hkfree.org> |
Příklad konfiguráku z AP Zitnyp: | Příklad konfiguráku z AP Zitnyp: | ||
Řádek 59: | Řádek 58: | ||
syslocation "AP ZITNYP" | syslocation "AP ZITNYP" | ||
syscontact "Zitny Petr <zitnyp@hkfree.org>" | syscontact "Zitny Petr <zitnyp@hkfree.org>" | ||
+ | |||
+ | Příklad nastavení z virtuálu na pmv: | ||
+ | |||
+ | syslocation webhost machine - pmv | ||
+ | syscontact xxx <xxx@hkfree.org> | ||
+ | com2sec notConfigUser 10.107.0.0/16 public | ||
+ | group notConfigGroup v1 notConfigUser | ||
+ | group notConfigGroup v2c notConfigUser | ||
+ | view roview included .1 | ||
+ | view rwview included system.sysContact | ||
+ | view rwview included system.sysName | ||
+ | view rwview included system.sysLocation | ||
+ | view rwview included interfaces.ifTable.ifEntry.ifAdminStatus | ||
+ | view rwview included at.atTable.atEntry.atPhysAddress | ||
+ | view rwview included at.atTable.atEntry.atNetAddress | ||
+ | view rwview included ip.ipForwarding | ||
+ | view rwview included ip.ipDefaultTTL | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask | ||
+ | view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 | ||
+ | view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex | ||
+ | view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress | ||
+ | view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress | ||
+ | view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType | ||
+ | view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState | ||
+ | view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger | ||
+ | view rwview included snmp.snmpEnableAuthenTraps | ||
+ | access notConfigGroup "" any noauth exact roview rwview none | ||
+ | dontLogTCPWrappersConnects yes | ||
+ | |||
Správné nastavení SNMP agenta zjistíme například pomocí příkazu: (IP adresu upravte podle stroje, na kterém agent běží) | Správné nastavení SNMP agenta zjistíme například pomocí příkazu: (IP adresu upravte podle stroje, na kterém agent běží) | ||
− | snmpwalk -v 2c -c public | + | snmpwalk -v 2c -c public IP.AD.RE.SA | grep eth |
snmpwalk -v 2c -c public localhost | grep eth | snmpwalk -v 2c -c public localhost | grep eth | ||
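Review bot: The added pmv example grants write access to the default community: its access line (access notConfigGroup "" any noauth exact roview rwview none) names rwview as the write view, and com2sec maps community public from all of 10.107.0.0/16 into that group. The rwview lines include ip.ipForwarding, the ipRouteTable columns and ifAdminStatus, so any host in the /16 that sends the community string public over v1 or v2c can change them. For a configuration offered as a template, set the write view to none, or bind rwview to a separate security name whose com2sec source is the management host only.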
Řádek 75: | Řádek 111: | ||
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' | SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' | ||
− | + | Teď už by to mělo vše fungovat. Pro zabezpečení můžeme přístup omezit pouze ze Sojky (10.107.252.101). | |
== SNMP na RouterBOARDu == | == SNMP na RouterBOARDu == | ||
V menu '''SNMP''' dáme přidat (add), zvoléme jméno (standartně "public"), do rozsahu dejte IP Sojky (10.107.252.101), a '''Read access''' zaškrtnout. V settings zaškrtneme '''Enabled''', vyplníme e-mail a do Location například jméno AP. | V menu '''SNMP''' dáme přidat (add), zvoléme jméno (standartně "public"), do rozsahu dejte IP Sojky (10.107.252.101), a '''Read access''' zaškrtnout. V settings zaškrtneme '''Enabled''', vyplníme e-mail a do Location například jméno AP. |
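Review bot: The sentence added after the SNMPDOPTS line says access can be restricted to Sojka (10.107.252.101) but names no setting to change, while the RouterBOARD paragraph right below it does say where the address goes. Suggest stating the router-side equivalent in the same sentence, for example that the source field of the com2sec line should be 10.107.252.101 instead of a network or default.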
Current revision as of 11 February 2019, 12:53
SNMP on the router
After installing the SNMP package (on Debian the default is Net-SNMP), either edit the configuration files by hand (in /etc/snmp/) or run the snmpconf command, which helps create new configuration files (mainly snmp.conf and snmpd.conf).
Example configuration from AP Kocourkov:
    # com2sec SECNAME SOURCE COMMUNITY
    com2sec readonly 0.0.0.0/0 public
    # group GROUPNAME SECURITYMODEL SECNAME
    group MyROSystem v1 paranoid
    group MyROSystem v2c paranoid
    group MyROSystem usm paranoid
    group MyROGroup v1 readonly
    group MyROGroup v2c readonly
    group MyROGroup usm readonly
    group MyRWGroup v1 readwrite
    group MyRWGroup v2c readwrite
    group MyRWGroup usm readwrite
    # view VIEWNAME included|excluded OID [MASK]
    view all included .1 80
    # access GROUPNAME CONTEXT MODEL LEVEL PREFIX READVIEW WRITEVIEW NOTIFYVIEW
    access MyROSystem "" any noauth exact system none none
    access MyROGroup "" any noauth exact all none none
    access MyRWGroup "" any noauth exact all all none
    syslocation Kocourkov
    syscontact Root <kocourkov@hkfree.org>
Example configuration from AP Zitnyp:
    com2sec paranoid default public
    group MyROSystem v1 paranoid
    group MyROSystem v2c paranoid
    group MyROSystem usm paranoid
    group MyROGroup v1 readonly
    group MyROGroup v2c readonly
    group MyROGroup usm readonly
    group MyRWGroup v1 readwrite
    group MyRWGroup v2c readwrite
    group MyRWGroup usm readwrite
    view all included .1 80
    view system included .iso.org.dod.internet.mgmt.mib-2.system
    view network included .iso.org.dod.internet.mgmt.mib-2.system
    view network included .iso.org.dod.internet.mgmt.mib-2.interfaces
    view network included .iso.org.dod.internet.mgmt.mib-2.ip
    view network included .iso.org.dod.internet.mgmt.mib-2.icmp
    view network included .iso.org.dod.internet.mgmt.mib-2.tcp
    view network included .iso.org.dod.internet.mgmt.mib-2.udp
    view network included .iso.org.dod.internet.private.enterprises.ucdavis.memory
    view network included .iso.org.dod.internet.private.enterprises.ucdavis.systemStats
    view network included .1.3.6.1.3.14614
    access MyROSystem "" any noauth exact network none none
    access MyROGroup "" any noauth exact all none none
    access MyRWGroup "" any noauth exact all all none
    syslocation "AP ZITNYP"
    syscontact "Zitny Petr <zitnyp@hkfree.org>"
Example settings from the virtual machine on pmv:
    syslocation webhost machine - pmv
    syscontact xxx <xxx@hkfree.org>
    com2sec notConfigUser 10.107.0.0/16 public
    group notConfigGroup v1 notConfigUser
    group notConfigGroup v2c notConfigUser
    view roview included .1
    view rwview included system.sysContact
    view rwview included system.sysName
    view rwview included system.sysLocation
    view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
    view rwview included at.atTable.atEntry.atPhysAddress
    view rwview included at.atTable.atEntry.atNetAddress
    view rwview included ip.ipForwarding
    view rwview included ip.ipDefaultTTL
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
    view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
    view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
    view rwview included snmp.snmpEnableAuthenTraps
    access notConfigGroup "" any noauth exact roview rwview none
    dontLogTCPWrappersConnects yes
To check that the SNMP agent is configured correctly, run for example the following commands (change the IP address to that of the machine the agent runs on):
    snmpwalk -v 2c -c public IP.AD.RE.SA | grep eth
    snmpwalk -v 2c -c public localhost | grep eth
If the first command prints "Timeout: No Response..." and the second does not, SNMP still has to be allowed in /etc/hosts.allow by adding the line
    snmpd: ALL
and /etc/default/snmpd has to be checked as well (remove 127.0.0.1 from SNMPDOPTS so that the router listens on all interfaces):
    # snmpd options (use syslog, close stdin/out/err).
    SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
Everything should work now. For security, access can be restricted to Sojka only (10.107.252.101).
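Whether an snmpd.conf actually carries that restriction can be checked mechanically. The Python below is an added example, not part of the original wiki page or of Net-SNMP: it reads the com2sec, group and access lines and reports security names where a default community is accepted from more than one address, or where a write view is reachable. The function names, the DEFAULT_COMMUNITIES set and the "more than one address" rule are assumptions of this example, and the -Cn option of com2sec is not handled.

```python
import ipaddress
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: names treated as guessable

def parse_vacm(text):
    """Collect com2sec, group and access directives from snmpd.conf text."""
    com2sec, groups, access = [], {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])  # drop comments, honour "" context
        if len(tok) >= 4 and tok[0] == "com2sec":
            com2sec.append({"sec": tok[1], "source": tok[2], "community": tok[3]})
        elif len(tok) >= 4 and tok[0] == "group":
            groups.setdefault(tok[3], set()).add(tok[1])  # secname -> group names
        elif len(tok) >= 9 and tok[0] == "access":
            access.append({"group": tok[1], "read": tok[6], "write": tok[7]})
    return com2sec, groups, access

def is_wide(source):
    """True when the com2sec source covers more than one address."""
    if source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).num_addresses > 1
    except ValueError:
        return True  # hostname or unparsable source: cannot be verified here

def audit(text):
    """Return (secname, issue) pairs for risky community/source/write combinations."""
    com2sec, groups, access = parse_vacm(text)
    findings = []
    for c in com2sec:
        wide, default = is_wide(c["source"]), c["community"] in DEFAULT_COMMUNITIES
        writable = sorted({a["write"] for a in access
                           if a["group"] in groups.get(c["sec"], ()) and a["write"] != "none"})
        if wide and default:
            findings.append((c["sec"], f"community '{c['community']}' accepted from {c['source']}"))
        if writable and (wide or default):
            findings.append((c["sec"], "write view exposed: " + ",".join(writable)))
    return findings

# Constructed sample: the VACM lines of the pmv example, then a restricted variant.
PMV = '''com2sec notConfigUser 10.107.0.0/16 public
group notConfigGroup v2c notConfigUser
access notConfigGroup "" any noauth exact roview rwview none'''
RESTRICTED = PMV.replace("10.107.0.0/16", "10.107.252.101").replace("roview rwview", "roview none")

if __name__ == "__main__":
    for name, conf in (("pmv", PMV), ("restricted", RESTRICTED)):
        print(name, audit(conf))
```

To audit a real agent, pass the contents of /etc/snmp/snmpd.conf to audit().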
SNMP on a RouterBOARD
In the SNMP menu choose add, pick a name (by default "public"), enter Sojka's IP (10.107.252.101) as the address range, and tick Read access. In settings tick Enabled, fill in the e-mail address and put, for example, the AP name into Location.