SNMP PoC Setup

tested on debian11

Requirements

in case there’s a firewall

udp/161     manager --> agent
udp/162     agent --> manager

Install - agent

apt install snmpd
# snmptrapd
mv -i /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.dist
grep -vE '^[[:space:]]*(;|#|$)' /etc/snmp/snmpd.conf.dist > /etc/snmp/snmpd.conf.clean
grep -vE '^[[:space:]]*(;|#|$)' /etc/snmp/snmpd.conf.dist > /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf

syslocation some description
syscontact  Your Name <YOUR@EMAIL>

bind to all interfaces

agentaddress    udp:161

keep the views (what you are making available from the agent) and define a quick and dirty ACL (without com2sec)

view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1

rocommunity public snmp-manager -V systemonly

apply

systemctl restart snmpd

Install - manager

apt install snmp snmp-mibs-downloader
#apropos snmp
dpkg -L snmp-mibs-downloader
download-mibs cisco

ls -lF /usr/share/snmp/mibs/

cp -pi /etc/snmp/snmp.conf /etc/snmp/snmp.conf.dist
vi /etc/snmp/snmp.conf

COMMENT OUT

#mibs :

Usage

walk through all the objects

snmpwalk -v1 -c public snmp-agent

grab specific objects

snmpget -v1 -c public snmp-agent DISMAN-EVENT-MIB::sysUpTimeInstance
snmpget -v1 -c public snmp-agent HOST-RESOURCES-MIB::hrSystemUptime.0
snmpget -v1 -c public snmp-agent HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0
# -Os for short version

ACL acceptance

only the specific snmp-manager host (as defined with static name resolution) should be able to reach the service

Additional notes

com2sec ACLs

not much success with that one (FAIL)

#rocommunity public sec1
#com2sec sec1 10.1.0.0/16 public

mibs

translate OIDs

snmptranslate -Of .1.3.6.1.2.1.1.3.0
snmptranslate .1.3.6.1.2.1.1.3.0

show full entry name

snmptranslate -Of -IR ipAddrTable

v3

draft

snmpwalk: No securityName specified

  -u USER-NAME      set security name (e.g. bert)

  -l LEVEL      set security level (noAuthNoPriv|authNoPriv|authPriv)

layout formats

snmpget -v1 -c public snmp-agent ipAddrTable

as a tree

snmptranslate -Tp -IR ipAddrTable
snmptranslate -Tp -IR system

as a table

snmptable -v2c -c public snmp-agent ipAddrTable

junpier

grab the temperature on Juniper SRX

snmpget -v2c -c PASSWORD @ip-device .1.3.6.1.4.1.2636.3.1.13.1.7

Resources

troubles

https://askubuntu.com/questions/346165/how-to-make-snmp-agent-accept-connections-from-other-hosts-in-the-network ==> quick & dirty ACL

https://unix.stackexchange.com/questions/268959/how-to-properly-configure-snmpd

https://enterprise-support.nvidia.com/s/article/howto-enable-snmp-server--snmpd--on-linux

https://fasthandle.net/os/linux/set/etc/etc_snmp_snmpd.conf


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2024 Pierre-Philipp Braun