SNMP
SNMP on a router
After installing the SNMP package (on Debian the default is Net-SNMP), we either edit the config files by hand (in /etc/snmp/) or run the snmpconf command, which helps us create new config files (mainly snmp.conf and snmpd.conf).
Example config from AP Kocourkov:
    com2sec readonly 0.0.0.0/0 public
    group MyROSystem v1 paranoid
    group MyROSystem v2c paranoid
    group MyROSystem usm paranoid
    group MyROGroup v1 readonly
    group MyROGroup v2c readonly
    group MyROGroup usm readonly
    group MyRWGroup v1 readwrite
    group MyRWGroup v2c readwrite
    group MyRWGroup usm readwrite
    view all included .1 80
    view system included .iso.org.dod.internet.mgmt.mib-2.system
    access MyROSystem "" any noauth exact system none none
    access MyROGroup "" any noauth exact all none none
    access MyRWGroup "" any noauth exact all all none
    syslocation Kocourkov
    syscontact Root <harry@hkfree.org>
Example config from AP Zitnyp:
    com2sec paranoid default public
    group MyROSystem v1 paranoid
    group MyROSystem v2c paranoid
    group MyROSystem usm paranoid
    group MyROGroup v1 readonly
    group MyROGroup v2c readonly
    group MyROGroup usm readonly
    group MyRWGroup v1 readwrite
    group MyRWGroup v2c readwrite
    group MyRWGroup usm readwrite
    view all included .1 80
    view system included .iso.org.dod.internet.mgmt.mib-2.system
    view network included .iso.org.dod.internet.mgmt.mib-2.system
    view network included .iso.org.dod.internet.mgmt.mib-2.interfaces
    view network included .iso.org.dod.internet.mgmt.mib-2.ip
    view network included .iso.org.dod.internet.mgmt.mib-2.icmp
    view network included .iso.org.dod.internet.mgmt.mib-2.tcp
    view network included .iso.org.dod.internet.mgmt.mib-2.udp
    view network included .iso.org.dod.internet.private.enterprises.ucdavis.memory
    view network included .iso.org.dod.internet.private.enterprises.ucdavis.systemStats
    view network included .1.3.6.1.3.14614
    access MyROSystem "" any noauth exact network none none
    access MyROGroup "" any noauth exact all none none
    access MyRWGroup "" any noauth exact all all none
    syslocation "AP ZITNYP"
    syscontact "Zitny Petr <zitnyp@hkfree.org>"
Example settings from a virtual machine on pmv:
    syslocation webhost machine - pmv
    syscontact xxx <xxx@hkfree.org>
    com2sec notConfigUser 10.107.0.0/16 public
    group notConfigGroup v1 notConfigUser
    group notConfigGroup v2c notConfigUser
    view roview included .1
    view rwview included system.sysContact
    view rwview included system.sysName
    view rwview included system.sysLocation
    view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
    view rwview included at.atTable.atEntry.atPhysAddress
    view rwview included at.atTable.atEntry.atNetAddress
    view rwview included ip.ipForwarding
    view rwview included ip.ipDefaultTTL
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
    view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
    view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
    view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
    view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
    view rwview included snmp.snmpEnableAuthenTraps
    access notConfigGroup "" any noauth exact roview rwview none
    dontLogTCPWrappersConnects yes
We can check that the SNMP agent is set up correctly with, for example, the following commands (adjust the IP address to the machine the agent runs on):
    snmpwalk -v 2c -c public IP.AD.RE.SA | grep eth
    snmpwalk -v 2c -c public localhost | grep eth
If the first command prints "Timeout: No Response..." and the second does not, we also have to allow SNMP in /etc/hosts.allow by adding the line
    snmpd: ALL
and we also check /etc/default/snmpd (we remove 127.0.0.1 so that the router listens on all interfaces):
    # snmpd options (use syslog, close stdin/out/err).
    SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
Now everything should work. For security, we can restrict access so that it is allowed only from Sojka (10.107.252.101).
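To see what a community actually exposes before and after restricting the source, this added example (not part of the original page) resolves the com2sec -> group -> access chain of an snmpd.conf and flags communities that any address can use. The function names are hypothetical; the sample is a subset of the Kocourkov config above.

```python
import ipaddress
# Subset of the AP Kocourkov config lines from this page
KOCOURKOV = """\
com2sec readonly 0.0.0.0/0 public
group MyROSystem v1 paranoid
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyRWGroup v1 readwrite
group MyRWGroup v2c readwrite
access MyROSystem "" any noauth exact system none none
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
"""

def is_open_source(source):
    """True when a com2sec source matches every IPv4 address."""
    if source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname: a specific source, not a wildcard

def audit(conf_text):
    """Resolve com2sec -> group -> access; one finding per community/source/group."""
    com2sec, groups, access = [], [], []
    for raw in conf_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "com2sec":
            com2sec.append(tuple(f[-3:]))            # secname, source, community
        elif len(f) >= 4 and f[0] == "group":
            groups.append((f[1], f[2], f[3]))        # group, model, secname
        elif len(f) >= 9 and f[0] == "access":
            access.append((f[1], f[3], f[6], f[7]))  # group, model, read, write
    found = {}
    for sec, src, comm in com2sec:
        for grp, model, gsec in groups:
            if gsec != sec or model not in ("v1", "v2c"):
                continue  # community strings only apply to SNMPv1/v2c
            for agrp, amodel, read, write in access:
                if agrp == grp and amodel in ("any", model):
                    found[(comm, src, grp)] = {
                        "community": comm, "source": src, "group": grp,
                        "read": read, "write": write,
                        "open": is_open_source(src), "writable": write != "none"}
    return list(found.values())
if __name__ == "__main__":
    for finding in audit(KOCOURKOV):
        print(finding)
```

On this sample the only reachable mapping is public -> MyROGroup (read view all, no write view) from any address. The MyRWGroup write access stays unreachable by community only as long as no com2sec line maps to the readwrite security name.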
SNMP on a RouterBOARD
In the SNMP menu we choose add, pick a name (by default "public"), enter Sojka's IP (10.107.252.101) as the range, and tick Read access. In settings we tick Enabled, fill in the e-mail and, in Location, for example the name of the AP.