tomclegg.net
Configure authenticated snmpv3 service using net-snmp
Posted April 1, 2009

Monitor your network traffic (and other stuff) with cacti. Use snmpv3 authentication and privacy so nobody else can monitor your network traffic or otherwise take advantage of your snmp service.

Server side

Install snmpd.

sudo apt-get install snmpd

Disable all "com2sec" lines (community-string mappings that let unauthenticated snmpv1/v2c clients in) and all "access ... noauth" lines (VACM groups that are allowed in without authentication).

sudo perl -pi~ -e 's/^(com2sec|access.*noauth)/#$1/' /etc/snmp/snmpd.conf

Listen for snmp queries on all interfaces.

sudo perl -pi~ -e 's/127.0.0.1/0.0.0.0/ if /^SNMPDOPTS=/' /etc/default/snmpd

Choose a username for cacti (or whatever is monitoring your snmp agent).

theusername=`head -c 1200 /dev/urandom | md5sum | head -c 8`
echo $theusername
0edd3da6

Create a random, unguessable password. You might need to "sudo apt-get install metamail" in order to use this particular method of generating passwords. Note that cacti will silently truncate your password if it's too long. Don't make it too long.

thepassword=`head -c 12 /dev/urandom | mimencode`
echo $thepassword
ZnVW0SfAV5+EG9DZ

Shut down snmpd. Yes, you really do need to do this in order for the following command to work: snmpd rewrites its persistent configuration (/var/lib/snmp/snmpd.conf) when it exits, so a createUser line added while it is still running gets clobbered.

sudo /etc/init.d/snmpd stop

Create a read-only snmpv3 user with the given password.

sudo net-snmp-config --create-snmpv3-user -ro <<EOF
$theusername
$thepassword
$thepassword
EOF
Enter a SNMPv3 user name to create: 
Enter authentication pass-phrase: 
Enter encryption pass-phrase: 
  [press return to reuse the authentication pass-phrase]
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser 0edd3da6 MD5 "ZnVW0SfAV5+EG9DZ" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser 0edd3da6

Start snmpd. Yes, this really does help.

sudo /etc/init.d/snmpd start

Try authenticating yourself and reading some stuff.

snmpwalk -v 3 -n '' -l authPriv -u "$theusername" -A "$thepassword" -X "$thepassword" localhost IF-MIB::ifName
IF-MIB::ifName.1 = STRING: lo
IF-MIB::ifName.2 = STRING: eth0
IF-MIB::ifName.3 = STRING: sit0

Make sure unauthenticated snmpv2c doesn't do anything.

snmpwalk -v 2c -c public localhost IF-MIB::ifName
Timeout: No Response from localhost

It should now be sort of safe to allow traffic to udp port 161 on your system.
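Added example, not part of Tom's write-up: a small POSIX shell script that does the config-hardening step above on a copy of snmpd.conf and then verifies that no unauthenticated access lines survived, plus the passphrase length check that net-snmp's USM enforces (it refuses passphrases shorter than 8 characters). The function names, the temporary file handling and the sample snmpd.conf it operates on are all constructed for this demo; run it against a scratch copy before pointing it at /etc/snmp/snmpd.conf.

```shell
#!/bin/sh
# Added example (not from the original page): hardening and verification
# helpers for snmpd.conf.  Paths are passed in as arguments so the functions
# can be exercised on a scratch copy before touching the real config.

# Comment out every line that grants unauthenticated access:
#   com2sec ...            (SNMPv1/v2c community-string mappings)
#   access ... noauth ...  (VACM groups allowed in without authentication)
# Same effect as the perl -pi~ one-liner in the write-up; the untouched
# original is kept as FILE~ like perl -pi~ does.
harden_snmpd_conf() {
    f="$1"
    cp "$f" "$f~"
    sed -E 's/^(com2sec|access.*noauth)/#\1/' "$f~" > "$f"
}

# Report any remaining uncommented com2sec / noauth lines.
# Returns 0 when none are left, 1 (and prints the offenders) otherwise.
check_snmpd_conf() {
    f="$1"
    bad=$(grep -E '^(com2sec|access.*noauth)' "$f" || true)
    if [ -n "$bad" ]; then
        echo "unauthenticated access still enabled in $f:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# SNMPv3 USM passphrases must be at least 8 characters; net-snmp refuses
# to create a user with a shorter one.  Returns 0 if acceptable.
check_passphrase() {
    p="$1"
    [ "${#p}" -ge 8 ]
}

# Constructed sample config (NOT the real Debian default file) with the
# kinds of lines the write-up comments out, plus lines that must survive.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample snmpd.conf for the demo
com2sec paranoid  default         public
com2sec readonly  default         public
group MyROSystem v1        paranoid
access MyROSystem ""      any       noauth    exact  system none   none
access MyROGroup  ""      any       auth      exact  all    none   none
syslocation Unknown
EOF
}

# Walk through the procedure on a temporary copy.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    check_snmpd_conf "$tmp" || echo "before hardening: unauthenticated access present (expected)"
    harden_snmpd_conf "$tmp"
    check_snmpd_conf "$tmp" && echo "after hardening: only authenticated access remains"
    rm -f "$tmp" "$tmp~"
}

demo
```

The `access ... auth ...` line is deliberately left alone by the hardening function: only the `noauth` variant grants access without SNMPv3 authentication, and the `rouser` line that net-snmp-config adds later still needs an authenticated access path.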

Client side

Tell cacti to use snmpv3. Tell it to use $theusername as a username. Give it $thepassword for the authentication and privacy password fields.