## snmpd service deployment and usage

Deploy snmpd service

yum install -y net-snmp net-snmp-utils
# Start service
systemctl start snmpd
# Stop service
systemctl stop snmpd

snmpwalk command

The snmpwalk command is a client tool for querying an snmpd service. The -h output below shows, through the -v parameter, that snmpd speaks three protocol versions, and that:

  • Only version 3 provides user authentication.
  • Versions 1 and 2c only need the community string (-c). Therefore, when brute-forcing an snmpd that runs version 1 or 2c, only the community field has to be guessed.
[root@localhost ~]# snmpwalk -h
USAGE: snmpwalk [OPTIONS] AGENT [OID]

  Version:  5.7.2
  Web:      http://www.net-snmp.org/
  Email:    net-snmp-coders@lists.sourceforge.net

OPTIONS:
  -h, --help  display this help message
  -H   display configuration file directives understood
  -v 1|2c|3  specifies SNMP version to use
  -V, --version  display package version number
SNMP Version 1 or 2c specific
  -c COMMUNITY  set the community string
SNMP Version 3 specific
  -a PROTOCOL  set authentication protocol (MD5|SHA)
  -A PASSPHRASE  set authentication protocol pass phrase
  -e ENGINE-ID  set security engine ID (e.g. 800000020109840301)
  -E ENGINE-ID  set context engine ID (e.g. 800000020109840301)
  -l LEVEL  set security level (noAuthNoPriv|authNoPriv|authPriv)
  -n CONTEXT  set context name (e.g. bridge1)
  -u USER-NAME  set security name (e.g. bert)
  -x PROTOCOL  set privacy protocol (DES|AES)
  -X PASSPHRASE  set privacy protocol pass phrase
  -Z BOOTS,TIME  set destination engine boots/time

Create user

To view the parameters of the create user command:

Usage:
  net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass]
                          [-a MD5|SHA] [-x DES|AES] [username]

create-v3 here refers to the v3 version mentioned above; only v3 provides an interface for user authentication.

Parameter Description:

  • -ro: create a read-only user (without it the user is read-write).
  • -A: the authentication passphrase. It must be at least 8 characters, otherwise login fails with a password-too-short error.
  • -X: the privacy (encryption) passphrase. If it is given when the user is created, it must also be supplied at login, otherwise an error is reported.
  • -a and -x select the algorithms for the two passphrases, authentication and privacy respectively (strictly speaking, MD5 and SHA are hashes used for authentication, not encryption methods). If -x is not given, the privacy protocol defaults to DES.
  • username: the last argument is the user name. snmpd does not seem to provide an interface for deleting or modifying users; changing a user's password is done the same way as creating the user, just with a different password.

Note: to create a user, you must first stop the snmpd service; restart the service after the user is created, and then use snmpwalk to query it.
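The -A and -X passphrases above are never stored as given: the agent runs them through the USM key localization of RFC 3414 (hash 1 MiB of the repeated passphrase to get Ku, then hash Ku || engineID || Ku), which is what -a MD5|SHA selects and why the -e engine ID in the snmpwalk help matters. The following Python is an added illustration of that derivation, not net-snmp's own code; the function names are mine, and the test vector (passphrase "maplesyrup", engine ID 000000000000000000000002) is the one published in RFC 3414 Appendix A.3. It also enforces the 8-character minimum that the "password length is too short" error refers to.

```python
import hashlib

# RFC 3414 key localization ("password_to_key"), added here to show what snmpd
# does with the -A / -X passphrases. Illustration only, not net-snmp's code.

USM_MIN_PASSPHRASE_LEN = 8          # the "-A password must be >= 8" rule
STREAM_LEN = 1_048_576              # RFC 3414 hashes exactly 1 MiB of repeated passphrase

# Map the CLI names used by net-snmp-create-v3-user (-a MD5|SHA) to hashlib names.
AUTH_ALG = {"MD5": "md5", "SHA": "sha1"}


def password_to_ku(passphrase: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: the engine-independent intermediate key Ku = H(passphrase repeated to 1 MiB)."""
    if len(passphrase) < USM_MIN_PASSPHRASE_LEN:
        raise ValueError("The supplied password length is too short (min 8)")
    reps = STREAM_LEN // len(passphrase) + 1
    stream = (passphrase * reps)[:STREAM_LEN]   # cyclic repetition, truncated at 1 MiB
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: bind Ku to one agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_key(passphrase: bytes, engine_id: bytes, auth_alg: str = "MD5") -> bytes:
    """The localized key an agent stores for a user created with -a <auth_alg> -A <passphrase>."""
    hash_name = AUTH_ALG[auth_alg]
    return localize_key(password_to_ku(passphrase, hash_name), engine_id, hash_name)


def keys_differ_per_engine(passphrase: bytes, engine_a: bytes, engine_b: bytes,
                           auth_alg: str = "MD5") -> bool:
    """Same passphrase on two agents: the localized keys must not match."""
    return password_to_key(passphrase, engine_a, auth_alg) != password_to_key(passphrase, engine_b, auth_alg)


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector; the engine ID is the RFC's constructed value, not a real device.
    engine = bytes.fromhex("000000000000000000000002")
    for alg in ("MD5", "SHA"):
        print(alg, password_to_key(b"maplesyrup", engine, alg).hex())
```

Because the second hash mixes in the engine ID, the same passphrase yields a different stored key on every agent, so a localized key from one agent's configuration is not valid on another; only the original passphrase reproduces them all, which is why protecting the passphrase, not the stored key, is what counts.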

Create and login example:

# Create an authenticated and encrypted read-write account (authPriv)
net-snmp-create-v3-user -a MD5 -A password2 -X password2 -x DES user2
# Login command
snmpwalk -v 3 localhost -u user2 -a MD5 -A password2 -X password2 -l authPriv -x DES .1.3.6.1.2.1.1

# Create an authenticated but unencrypted read-only account (authNoPriv)
net-snmp-create-v3-user -ro -a MD5 -A password3 user3
# Login command
snmpwalk -v 3 localhost -u user3 -a MD5 -A password3 -l authNoPriv -x DES .1.3.6.1.2.1.1

# Create an authenticated but unencrypted read-write account (authNoPriv): same as above, without -ro
net-snmp-create-v3-user -a MD5 -A password4 user4
# Login command
snmpwalk -v 3 localhost -u user4 -a MD5 -A password4 -l authNoPriv -x DES .1.3.6.1.2.1.1

Whether or not the account was created with -ro, the login command is the same; only the security level (authPriv versus authNoPriv) changes it.
.1.3.6.1.2.1.1 is an OID (object identifier); it can be understood as the code for the equipment on the host where the snmpd service runs, and different hardware devices have their own unique codes.

Login summary

  1. If the supplied password is shorter than 8 characters, the error is: The supplied password length is too short.
  2. If the account does not exist, the error is: Unknown user name. Therefore, when brute-forcing, the account name can be guessed first and nonexistent accounts excluded.
  3. If the password is wrong, the error is: incorrect password, community or key.
  4. If the account's security level is authPriv, the level used when brute-forcing can be authNoPriv, but if the -X parameter is not specified an error is still reported.
  5. If the account's security level is authPriv, the -A password is correct and the -X password is wrong, the error is: Timeout: No Response from localhost.
  6. If the account's security level is authNoPriv and the level used when brute-forcing is authPriv, an error is reported.
  7. If the account's security level is authNoPriv and the level used when brute-forcing is authNoPriv, setting -X to any value of 8 or more characters has no effect.

Tags: Linux

Posted on Thu, 02 Dec 2021 21:23:02 -0500 by gdboling