yum install net-snmp net-snmp-utils
我以为这样就可以了,然后开始满世界的找SNMP配置文件的Sample样例,可是,找来找去无非就是两个结果,要么全部是V1或者V2c协议的配置,要么是涉及V3,但是不适合于CentOS5.2的,我所说的不适于,是因为那些文章要么采用SUSE,所指示的配置文件位置和CentOS5.2不怎么一致,再加上我对CentOS5.2下面到底除了/etc/snmp/snmpd.conf,还有一个snmpd在哪里始终找不到,后来。locate忘记updatedb了,终于找到了,在/usr/share/snmp/snmpd.conf下面,基本上可以按照这个SUSE的方案来做了,不过后来看到有个net-snmp-config,我怎么找都找不到,网上一查,说这个tool只在net-snmp的dev才有,我一yum,发现这个更新和依赖加起来有2.8MB,算了,直接到网上down了这个net-snmp-config,一看是个shell脚本,更加有喜感了,大家可以点击这里下载,非常小
net-snmp-config|net-snmp-config配置工具,文件放在Dropbox,不能下载请翻土啬| 123456789 | servicesnmpd stopchmod 777net-snmp-config./net-snmp-config--create-snmpv3-user-ro-amypass -AMD5 myname#注意上面一句,-a是密码,而用户名跟在最后面,-A是密码加密方式,#很多垃圾站的文章都把大a和小A搞反了#因为,在snmpwalk测试的时候,-a表示加密方式,-A是密码,所以这一点很重要#我也是看了他自己的帮助文档才发现这个错误的,折腾死我了service snmpd startsnmpwalk-v3-umyname -lauth -aMD5 -Amypass 127.0.0.1if |
如果能够返回信息
IF-MIB::ifIndex.1 = INTEGER: 1IF-MIB::ifIndex.2 = INTEGER: 2IF-MIB::ifDescr.1 = STRING: loIF-MIB::ifDescr.2 = STRING: eth0IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)IF-MIB::ifMtu.1 = INTEGER: 16436IF-MIB::ifMtu.2 = INTEGER: 1500IF-MIB::ifSpeed.1 = Gauge32: 10000000IF-MIB::ifSpeed.2 = Gauge32: 100000000IF-MIB::ifPhysAddress.1 = STRING:IF-MIB::ifPhysAddress.2 = STRING: 0:15:58:de:27:a3IF-MIB::ifAdminStatus.1 = INTEGER: up(1)IF-MIB::ifAdminStatus.2 = INTEGER: up(1)IF-MIB::ifOperStatus.1 = INTEGER: up(1)IF-MIB::ifOperStatus.2 = INTEGER: up(1)IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00IF-MIB::ifInOctets.1 = Counter32: 1036102784IF-MIB::ifInOctets.2 = Counter32: 1896546331IF-MIB::ifInUcastPkts.1 = Counter32: 6733501IF-MIB::ifInUcastPkts.2 = Counter32: 260564072IF-MIB::ifInNUcastPkts.1 = Counter32: 0IF-MIB::ifInNUcastPkts.2 = Counter32: 57224IF-MIB::ifInDiscards.1 = Counter32: 0IF-MIB::ifInDiscards.2 = Counter32: 0IF-MIB::ifInErrors.1 = Counter32: 0IF-MIB::ifInErrors.2 = Counter32: 0IF-MIB::ifInUnknownPRotos.1 = Counter32: 0IF-MIB::ifInUnknownProtos.2 = Counter32: 0IF-MIB::ifOutOctets.1 = Counter32: 1036102784IF-MIB::ifOutOctets.2 = Counter32: 3196067597IF-MIB::ifOutUcastPkts.1 = Counter32: 6733501IF-MIB::ifOutUcastPkts.2 = Counter32: 405123923IF-MIB::ifOutNUcastPkts.1 = Counter32: 0IF-MIB::ifOutNUcastPkts.2 = Counter32: 0IF-MIB::ifOutDiscards.1 = Counter32: 0IF-MIB::ifOutDiscards.2 = Counter32: 0IF-MIB::ifOutErrors.1 = Counter32: 0IF-MIB::ifOutErrors.2 = Counter32: 0IF-MIB::ifOutQLen.1 = Gauge32: 0IF-MIB::ifOutQLen.2 = Gauge32: 0IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZeroIF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero
就表示OK了!其中,-ro表示只读用户组,可以采集信息,但是不能更改系统设置我创建用户的时候没有没有设定privpass,是为了简化过程,如果要创建带privpass验证,而且这个privpass也可以选择不同于密码的加密方式,比如,我密码采用MD5加密,而privpass采用AES加密,增加破解难度,那么可以这样写
net-snmp-config:--create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES][-A MD5|SHA] [username]
snmpwalk:V3验证常用参数-v 1|2c|3 specifies SNMP version to use-u USER-NAME set security name (e.g. bert)-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)-a PROTOCOL set authentication protocol (MD5|SHA)-A PASSPHRASE set authentication protocol pass phrase-x PROTOCOL set privacy protocol (DES|AES)-X PASSPHRASE set privacy protocol pass phraseV2c/V1验证常用-c COMMUNITY set the community string
认证:检验信息来自正确的来源。封包加密:避免被未授权的来源窥探。SNMPv1,v2使用基于团体名进行报文认证SNMPv3中引入了下列三个安全级别。noAuthNoPriv:不需要认证,不提供隐私性(加密)。authNoPriv:基于HMAC-MD5或HMAC-SHA的认证,不提供加密。authPriv:除了认证之外,还将CBC-DES或者AES加密算法用作隐私性协议,对pdu数据进行加密。Shell/net-snmp-config--create-snmpv3-user-ro-amypass -AMD5 -xmyprivpass -XDES myname#snmpwalk要这样写snmpwalk-v3-umyname -lauthPriv -aMD5 -Amypass -xDES -Xmyprivpass 127.0.0.1if命令执行之后将自动建立新的配置文件snmpd.conf,而内容也十分简单。只有用户名和权限,而关于认证方式的信息则会存储在/var/net-snmp/snmpd.conf文件中。
Shell| 1 | cat/var/net-snmp/snmpd.conf |
接下来的事情,就是就是开放指定IP访问161的UDP端口
Shell| 12 | iptables-AINPUT -ieth0 -pudp -sX.X.X.X--dport161 -jACCEPTiptables -AINPUT -ieth0 -pudp -sX.X.X.X--dport161 -jACCEPT |
具体可以参见我的这篇文章iptables,纠结的顺序
[text]
################################################################################# snmpd.conf:# An example configuration file for configuring the ucd-snmp snmpd agent.# the v2c By ihipop.gicp.net ihipop@Gmail.com################################################################################ 指定端口##agentaddress 1161
################################################################################ access Control###############################################################################
##### First, map the community name "public" into a "security name"
# sec.name source communitycom2sec notConfigUser 127.0.0.1 publiccom2sec notConfigUser xxxx.xxxx.xxx.xxxx publiccom2sec notConfigUser xxxx.xxxx.xxxxx.xxxx public
##### Second, map the security name into a group name:
# groupName securityModel securityNamegroup notConfigGroup v1 notConfigUsergroup notConfigGroup v2c notConfigUser
##### Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again.# name incl/excl subtree mask(optional)view systemview included .1.3.6.1.2.1.1view systemview included .1.3.6.1.2.1.25.1.1
##### Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notifaccess notConfigGroup "" any noauth exact all none none#本来上面的read字段对应的是systemview,改成all了# -----------------------------------------------------------------------------
# Here is a commented out example configuration that allows less# restrictive access.
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWord ONLY# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
## sec.name source community#com2sec local localhost COMMUNITY#com2sec mynetwork NETWORK/24 COMMUNITY
## group.name sec.model sec.name#group MyRWGroup any local#group MyROGroup any mynetwork##group MyRWGroup any otherv3user#...
## incl/excl subtree maskview all included .1 80#上面的#去掉了,也就是,从这行往下就没动,以后慢慢写注释## -or just the mib2 tree-
#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
## context sec.model sec.level prefix read write notif#access MyROGroup "" any noauth 0 all none none#access MyRWGroup "" any noauth 0 all all all
################################################################################ Sample configuration to make net-snmpd RFC 1213.# Unfortunately v1 and v2c don't allow any user based authentification, so# opening up the default config is not an option from a security point.## WARNING: If you uncomment the following lines you allow write access to your# snmpd daemon from any source! To avoid this use different names for your# community or split out the write access to a different community and# restrict it to your local network.# Also remember to comment the syslocation and syscontact parameters later as# otherwise they are still read only (see FAQ for net-snmp).#
# First, map the community name "public" into a "security name"# sec.name source community#com2sec notConfigUser default public
# Second, map the security name into a group name:# groupName securityModel securityName#group notConfigGroup v1 notConfigUser#group notConfigGroup v2c notConfigUser
# Third, create a view for us to let the group have rights to:# Open up the whole tree for ro, make the RFC 1213 required ones rw.# name incl/excl subtree mask(optional)#view roview included .1#view rwview included system.sysContact#view rwview included system.sysName#view rwview included system.sysLocation#view rwview included interfaces.ifTable.ifEntry.ifAdminStatus#view rwview included at.atTable.atEntry.atPhysAddress#view rwview included at.atTable.atEntry.atNetAddress#view rwview included ip.ipForwarding#view rwview included ip.ipDefaultTTL#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType#view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState#view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger#view rwview included snmp.snmpEnableAuthenTraps
# Finally, grant the group read-only access to the systemview view.# group context sec.model sec.level prefix read write notif#access notConfigGroup "" any noauth exact roview rwview none
################################################################################ System contact information#
# It is also possible to set the sysContact and sysLocation system# variables through the snmpd.conf file:
syslocation Unknown (edit /etc/snmp/snmpd.conf)syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
# Example output of snmpwalk:# % snmpwalk -v 1 localhost -c public system# system.sysDescr.0 = "SunOS name sun4c"# system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4# system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55# system.sysContact.0 = "Me <me@somewhere.org>"# system.sysName.0 = "name"# system.sysLocation.0 = "Right here, right now."# system.sysServices.0 = 72
# -----------------------------------------------------------------------------
################################################################################ Process checks.## The following are examples of how to use the agent to check for# processes running on the host. The syntax looks something like:## proc NAME [MAX=0] [MIN=0]## NAME: the name of the process to check for. It must match# exactly (ie, http will not find httpd processes).# MAX: the maximum number allowed to be running. Defaults to 0.# MIN: the minimum number to be running. Defaults to 0.
## Examples (commented out by default):#
# Make sure mountd is running#proc mountd
# Make sure there are no more than 4 ntalkds running, but 0 is ok too.#proc ntalkd 4
# Make sure at least one sendmail, but less than or equal to 10 are running.#proc sendmail 10 1
# A snmpwalk of the process mib tree would look something like this:## % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0## Note that the errorFlag for mountd is set to 1 because one is not# running (in this case an rpc.mountd is, but thats not good enough),# and the ErrMessage tells you what's wrong. The configuration# imposed in the snmpd.conf file is also shown.## Special Case: When the min and max numbers are both 0, it assumes# you want a max of infinity and a min of 1.#
# -----------------------------------------------------------------------------
################################################################################ Executables/scripts#
## You can also have programs run by the agent that return a single# line of output and an exit code. Here are two examples.## exec NAME PROGRAM [ARGS ...]## NAME: A generic name.# PROGRAM: The program to run. Include the path!# ARGS: optional arguments to be passed to the program
# a simple hello world
#exec echotest /bin/echo hello world
# Run a shell script containing:## #!/bin/sh# echo hello world# echo hi there# exit 35## Note: this has been specifically commented out to prevent# accidental security holes due to someone else on your system writing# a /tmp/shtest before you do. Uncomment to use it.##exec shelltest /bin/sh /tmp/shtest
# Then,# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
# Note that the second line of the /tmp/shtest shell script is cut# off. Also note that the exit status of 35 was returned.
# -----------------------------------------------------------------------------
################################################################################ disk checks#
# The agent can check the amount of available disk space, and make# sure it is above a set limit.
# disk PATH [MIN=100000]## PATH: mount path to the disk in question.# MIN: Disks with space below this value will have the Mib's errorFlag set.# Default value = 100000.
# Check the / partition and make sure it contains at least 10 megs.
#disk / 10000
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
# -----------------------------------------------------------------------------
################################################################################ load average checks#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]## 1MAX: If the 1 minute load average is above this limit at query# time, the errorFlag will be set.# 5MAX: Similar, but for 5 min average.# 15MAX: Similar, but for 15 min average.
# Check for loads:#load 12 14 14
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
# -----------------------------------------------------------------------------
################################################################################ Extensible sections.#
# This alleviates the multiple line output problem found in the# previous executable mib by placing each mib in its own mib table:
# Run a shell script containing:## #!/bin/sh# echo hello world# echo hi there# exit 35## Note: this has been specifically commented out to prevent# accidental security holes due to someone else on your system writing# a /tmp/shtest before you do. Uncomment to use it.## exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50# enterprises.ucdavis.50.1.1 = 1# enterprises.ucdavis.50.2.1 = "shelltest"# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"# enterprises.ucdavis.50.100.1 = 35# enterprises.ucdavis.50.101.1 = "hello world."# enterprises.ucdavis.50.101.2 = "hi there."# enterprises.ucdavis.50.102.1 = 0
# Now the Output has grown to two lines, and we can see the 'hi# there.' output as the second line from our shell script.## Note that you must alter the mib.txt file to be correct if you want# the .50.* outputs above to change to reasonable text descriptions.
# Other ideas:## exec .1.3.6.1.4.1.2021.51 ps /bin/ps# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
# -----------------------------------------------------------------------------
################################################################################ Pass through control.#
# Usage:# pass MIBOID EXEC-COMMAND## This will pass total control of the mib underneath the MIBOID# portion of the mib to the EXEC-COMMAND.## Note: You'll have to change the path of the passtest script to your# source directory or install it in the given location.## Example: (see the script for details)# (commented out here since it requires that you place the# script in the right location. (its not installed by default))
# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255# enterprises.ucdavis.255.1 = "life the universe and everything"# enterprises.ucdavis.255.2.1 = 42# enterprises.ucdavis.255.2.2 = OID: 42.42.42# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1# enterprises.ucdavis.255.5 = 42# enterprises.ucdavis.255.6 = Gauge: 42## % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5# enterprises.ucdavis.255.5 = 42## % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"# enterprises.ucdavis.255.1 = "New string"#
# For specific usage information, see the man/snmpd.conf.5 manual page# as well as the local/passtest script used in the above example.
# Added for support of bcm5820 cards.pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
################################################################################ Further Information## See the snmpd.conf manual page, and the output of "snmpd -H".[/text]
新闻热点
疑难解答
