Configure authenticated snmpv3 service using net-snmp
Posted April 1, 2009
Monitor your network traffic (and other stuff) with cacti. Use snmpv3 authentication and privacy so nobody else can monitor your network traffic or otherwise take advantage of your snmp service.
sudo apt-get install snmpd
Disable all "com2sec" (unauthenticated snmpv2c) permissions and all "access ... noauth" permissions.
sudo perl -pi~ -e 's/^(com2sec|access.*noauth)/#$1/' /etc/snmp/snmpd.conf
Listen for snmp queries on all interfaces.
sudo perl -pi~ -e 's/127.0.0.1/0.0.0.0/ if /^SNMPDOPTS=/' /etc/default/snmpd
Choose a username for cacti (or whatever is monitoring your snmp agent).
theusername=`head -c 1200 /dev/urandom | md5sum | head -c 8`
echo $theusername
0edd3da6
Create an illegible password. You might need to "sudo apt-get install metamail" in order to use this particular method of generating passwords. Note that cacti will silently truncate your password if it's too long. Don't make it too long.
thepassword=`head -c 12 /dev/urandom | mimencode`
echo $thepassword
ZnVW0SfAV5+EG9DZ
Shut down snmpd. Yes, you really do need to do this in order for the following command to work.
sudo /etc/init.d/snmpd stop
Create a read-only snmpv3 user with the given password.
sudo net-snmp-config --create-snmpv3-user -ro <<EOF
$theusername
$thepassword
$thepassword
EOF
Enter a SNMPv3 user name to create:
Enter authentication pass-phrase:
Enter encryption pass-phrase: [press return to reuse the authentication pass-phrase]
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser 0edd3da6 MD5 "ZnVW0SfAV5+EG9DZ" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser 0edd3da6
Start snmpd. Yes, this really does help.
sudo /etc/init.d/snmpd start
Try authenticating yourself and reading some stuff.
snmpwalk -v 3 -n '' -l authPriv -u "$theusername" -A "$thepassword" -X "$thepassword" localhost IF-MIB::ifName
IF-MIB::ifName.1 = STRING: lo
IF-MIB::ifName.2 = STRING: eth0
IF-MIB::ifName.3 = STRING: sit0
Make sure unauthenticated snmpv2c doesn't do anything.
snmpwalk -v 2c -c public localhost IF-MIB::ifName
Timeout: No Response from localhost
It should now be sort of safe to allow traffic to udp port 161 on your system.
Tell cacti to use snmpv3. Tell it to use $theusername as a username. Give it $thepassword for the authentication and privacy password fields.
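As an added example (not part of the original post), here is a small audit script that checks an snmpd.conf for the unauthenticated directives the perl one-liner above comments out (active com2sec and access ... noauth lines) and for the presence of a rouser/rwuser line. It goes slightly beyond the post by also flagging rocommunity/rwcommunity, the one-line form of the same v1/v2c community access. The two configs it runs against are constructed samples, not files from any real host.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for SNMPv1/v2c access that survived the edit.
# Returns 0 when only SNMPv3 users are granted access, 1 otherwise.
audit_snmpd_conf() {
    conf="$1"
    rc=0
    # Uncommented community mappings (the lines the perl one-liner disables).
    if grep -Eq '^[[:space:]]*com2sec' "$conf"; then
        echo "FAIL: com2sec line active in $conf (SNMPv1/v2c community access)"
        rc=1
    fi
    # Access rules that do not require authentication.
    if grep -Eq '^[[:space:]]*access.*noauth' "$conf"; then
        echo "FAIL: access ... noauth rule active in $conf"
        rc=1
    fi
    # rocommunity/rwcommunity grant the same v1/v2c access in one line
    # (not mentioned in the post; added here as a generalization).
    if grep -Eq '^[[:space:]]*r[ow]community' "$conf"; then
        echo "FAIL: rocommunity/rwcommunity line active in $conf"
        rc=1
    fi
    # At least one SNMPv3 user (rouser/rwuser) should be allowed in.
    if ! grep -Eq '^[[:space:]]*r[ow]user[[:space:]]' "$conf"; then
        echo "FAIL: no rouser/rwuser line in $conf; no SNMPv3 user can read anything"
        rc=1
    fi
    return $rc
}

# Constructed sample: the stock v2c "public" community setup, before the edit.
BEFORE_CONF=$(mktemp)
cat > "$BEFORE_CONF" <<'EOF'
com2sec paranoid  default         public
group MyROGroup v1 paranoid
access MyROGroup "" any noauth exact all none none
EOF
# Constructed sample: the same file after the edit, with the rouser line added.
AFTER_CONF=$(mktemp)
cat > "$AFTER_CONF" <<'EOF'
#com2sec paranoid  default         public
group MyROGroup v1 paranoid
#access MyROGroup "" any noauth exact all none none
rouser 0edd3da6
EOF

if audit_snmpd_conf "$BEFORE_CONF"; then echo "before: v3-only"; else echo "before: unauthenticated access remains"; fi
if audit_snmpd_conf "$AFTER_CONF"; then echo "after: v3-only"; else echo "after: unauthenticated access remains"; fi
```

Run it against /etc/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf after the perl edit; a non-zero exit means something still grants community access.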