1.前期安裝必備套件

yum install net-snmp net-snmp-utils

我以為這樣就可以了，然后開始滿世界的找SNMP配置文件的Sample樣例，可是，找來找去無非就是兩個(gè)結(jié)果，要么全部是V1或者V2c協(xié)議的配置，要么是涉及V3，但是不適合于CentOS5.2的，我所說的不適于，是因?yàn)槟切┪恼乱床捎肧USE，所指示的配置文件位置和CentOS5.2不怎么一致，再加上我對(duì)CentOS5.2下面到底除了/etc/snmp/snmpd.conf,還有一個(gè)snmpd在哪里始終找不到，后來。locate忘記updatedb了，終于找到了，在/usr/share/snmp/snmpd.conf下面，基本上可以按照這個(gè)SUSE的方案來做了，不過后來看到有個(gè)net-snmp-config，我怎么找都找不到，網(wǎng)上一查，說這個(gè)tool只在net-snmp的dev才有，我一yum，發(fā)現(xiàn)這個(gè)更新和依賴加起來有2.8MB，算了，直接到網(wǎng)上down了這個(gè)net-snmp-config，一看是個(gè)shell腳本，更加有喜感了,大家可以點(diǎn)擊這里下載，非常小

2.創(chuàng)建V3驗(yàn)證用戶，并測試

如果能夠返回信息

IF-MIB::ifIndex.1 = INTEGER: 1IF-MIB::ifIndex.2 = INTEGER: 2IF-MIB::ifDescr.1 = STRING: loIF-MIB::ifDescr.2 = STRING: eth0IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)IF-MIB::ifMtu.1 = INTEGER: 16436IF-MIB::ifMtu.2 = INTEGER: 1500IF-MIB::ifSpeed.1 = Gauge32: 10000000IF-MIB::ifSpeed.2 = Gauge32: 100000000IF-MIB::ifPhysAddress.1 = STRING:IF-MIB::ifPhysAddress.2 = STRING: 0:15:58:de:27:a3IF-MIB::ifAdminStatus.1 = INTEGER: up(1)IF-MIB::ifAdminStatus.2 = INTEGER: up(1)IF-MIB::ifOperStatus.1 = INTEGER: up(1)IF-MIB::ifOperStatus.2 = INTEGER: up(1)IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00IF-MIB::ifInOctets.1 = Counter32: 1036102784IF-MIB::ifInOctets.2 = Counter32: 1896546331IF-MIB::ifInUcastPkts.1 = Counter32: 6733501IF-MIB::ifInUcastPkts.2 = Counter32: 260564072IF-MIB::ifInNUcastPkts.1 = Counter32: 0IF-MIB::ifInNUcastPkts.2 = Counter32: 57224IF-MIB::ifInDiscards.1 = Counter32: 0IF-MIB::ifInDiscards.2 = Counter32: 0IF-MIB::ifInErrors.1 = Counter32: 0IF-MIB::ifInErrors.2 = Counter32: 0IF-MIB::ifInUnknownPRotos.1 = Counter32: 0IF-MIB::ifInUnknownProtos.2 = Counter32: 0IF-MIB::ifOutOctets.1 = Counter32: 1036102784IF-MIB::ifOutOctets.2 = Counter32: 3196067597IF-MIB::ifOutUcastPkts.1 = Counter32: 6733501IF-MIB::ifOutUcastPkts.2 = Counter32: 405123923IF-MIB::ifOutNUcastPkts.1 = Counter32: 0IF-MIB::ifOutNUcastPkts.2 = Counter32: 0IF-MIB::ifOutDiscards.1 = Counter32: 0IF-MIB::ifOutDiscards.2 = Counter32: 0IF-MIB::ifOutErrors.1 = Counter32: 0IF-MIB::ifOutErrors.2 = Counter32: 0IF-MIB::ifOutQLen.1 = Gauge32: 0IF-MIB::ifOutQLen.2 = Gauge32: 0IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZeroIF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero

就表示OK了！其中，-ro表示只讀用戶組，可以采集信息，但是不能更改系統(tǒng)設(shè)置我創(chuàng)建用戶的時(shí)候沒有沒有設(shè)定privpass，是為了簡化過程，如果要?jiǎng)?chuàng)建帶privpass驗(yàn)證，而且這個(gè)privpass也可以選擇不同于密碼的加密方式，比如，我密碼采用MD5加密，而privpass采用AES加密，增加破解難度，那么可以這樣寫

net-snmp-config:--create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES][-A MD5|SHA] [username]

snmpwalk:V3驗(yàn)證常用參數(shù)-v 1|2c|3             specifies SNMP version to use-u USER-NAME          set security name (e.g. bert)-l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)-a PROTOCOL           set authentication protocol (MD5|SHA)-A PASSPHRASE         set authentication protocol pass phrase-x PROTOCOL           set privacy protocol (DES|AES)-X PASSPHRASE         set privacy protocol pass phraseV2c/V1驗(yàn)證常用-c COMMUNITY          set the community string

命令執(zhí)行之后將自動(dòng)建立新的配置文件snmpd.conf，而內(nèi)容也十分簡單。只有用戶名和權(quán)限，而關(guān)于認(rèn)證方式的信息則會(huì)存儲(chǔ)在/var/net-snmp/snmpd.conf文件中。

3.設(shè)置iptables，確保安全

接下來的事情，就是就是開放指定IP訪問161的UDP端口

具體可以參見我的這篇文章iptables，糾結(jié)的順序

附上我的V2c配置文件和注釋(/etc/snmp/snmpd.conf)，畢竟V2c還是用的比較多的

[text]

################################################################################# snmpd.conf:#   An example configuration file for configuring the ucd-snmp snmpd agent.# the v2c By ihipop.gicp.net [email protected]################################################################################ 指定端口##agentaddress  1161

################################################################################ access Control###############################################################################

##### First, map the community name "public" into a "security name"

#       sec.name  source          communitycom2sec notConfigUser  127.0.0.1  publiccom2sec notConfigUser  xxxx.xxxx.xxx.xxxx publiccom2sec notConfigUser  xxxx.xxxx.xxxxx.xxxx public

##### Second, map the security name into a group name:

#       groupName      securityModel securityNamegroup   notConfigGroup v1           notConfigUsergroup   notConfigGroup v2c           notConfigUser

##### Third, create a view for us to let the group have rights to:

# Make at least  snmpwalk -v 1 localhost -c public system fast again.#       name           incl/excl     subtree         mask(optional)view    systemview    included   .1.3.6.1.2.1.1view    systemview    included   .1.3.6.1.2.1.25.1.1

##### Finally, grant the group read-only access to the systemview view.

#       group          context sec.model sec.level prefix read   write  notifaccess  notConfigGroup ""      any       noauth    exact  all none none#本來上面的read字段對(duì)應(yīng)的是systemview，改成all了# -----------------------------------------------------------------------------

# Here is a commented out example configuration that allows less# restrictive access.

# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWord ONLY# KNOWN AT YOUR SITE.  YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.

##       sec.name  source          community#com2sec local     localhost       COMMUNITY#com2sec mynetwork NETWORK/24      COMMUNITY

##     group.name sec.model  sec.name#group MyRWGroup  any        local#group MyROGroup  any        mynetwork##group MyRWGroup  any        otherv3user#...

##           incl/excl subtree                          maskview all    included  .1                               80#上面的#去掉了，也就是，從這行往下就沒動(dòng)，以后慢慢寫注釋## -or just the mib2 tree-

#view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc

##                context sec.model sec.level prefix read   write  notif#access MyROGroup ""      any       noauth    0      all    none   none#access MyRWGroup ""      any       noauth    0      all    all    all

################################################################################ Sample configuration to make net-snmpd RFC 1213.# Unfortunately v1 and v2c don't allow any user based authentification, so# opening up the default config is not an option from a security point.## WARNING: If you uncomment the following lines you allow write access to your# snmpd daemon from any source! To avoid this use different names for your# community or split out the write access to a different community and# restrict it to your local network.# Also remember to comment the syslocation and syscontact parameters later as# otherwise they are still read only (see FAQ for net-snmp).#

# First, map the community name "public" into a "security name"#       sec.name        source          community#com2sec notConfigUser   default         public

# Second, map the security name into a group name:#       groupName       securityModel   securityName#group   notConfigGroup  v1              notConfigUser#group   notConfigGroup  v2c             notConfigUser

# Third, create a view for us to let the group have rights to:# Open up the whole tree for ro, make the RFC 1213 required ones rw.#       name            incl/excl       subtree mask(optional)#view    roview          included        .1#view    rwview          included        system.sysContact#view    rwview          included        system.sysName#view    rwview          included        system.sysLocation#view    rwview          included        interfaces.ifTable.ifEntry.ifAdminStatus#view    rwview          included        at.atTable.atEntry.atPhysAddress#view    rwview          included        at.atTable.atEntry.atNetAddress#view    rwview          included        ip.ipForwarding#view    rwview          included        ip.ipDefaultTTL#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteDest#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric1#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric2#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric3#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric4#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteType#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteAge#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMask#view    rwview          included        ip.ipRouteTable.ipRouteEntry.ipRouteMetric5#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress#view    rwview          included        ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType#view    rwview          included        tcp.tcpConnTable.tcpConnEntry.tcpConnState#view    rwview          included        egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger#view    rwview          included        snmp.snmpEnableAuthenTraps

# Finally, grant the group read-only access to the systemview view.#       group          context sec.model sec.level prefix read   write  notif#access  notConfigGroup ""      any       noauth    exact  roview rwview none

################################################################################ System contact information#

# It is also possible to set the sysContact and sysLocation system# variables through the snmpd.conf file:

syslocation Unknown (edit /etc/snmp/snmpd.conf)syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)

# Example output of snmpwalk:#   % snmpwalk -v 1 localhost -c public system#   system.sysDescr.0 = "SunOS name sun4c"#   system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4#   system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55#   system.sysContact.0 = "Me <[email protected]>"#   system.sysName.0 = "name"#   system.sysLocation.0 = "Right here, right now."#   system.sysServices.0 = 72

# -----------------------------------------------------------------------------

################################################################################ Process checks.##  The following are examples of how to use the agent to check for#  processes running on the host.  The syntax looks something like:##  proc NAME [MAX=0] [MIN=0]##  NAME:  the name of the process to check for.  It must match#         exactly (ie, http will not find httpd processes).#  MAX:   the maximum number allowed to be running.  Defaults to 0.#  MIN:   the minimum number to be running.  Defaults to 0.

##  Examples (commented out by default):#

#  Make sure mountd is running#proc mountd

#  Make sure there are no more than 4 ntalkds running, but 0 is ok too.#proc ntalkd 4

#  Make sure at least one sendmail, but less than or equal to 10 are running.#proc sendmail 10 1

#  A snmpwalk of the process mib tree would look something like this:## % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0##  Note that the errorFlag for mountd is set to 1 because one is not#  running (in this case an rpc.mountd is, but thats not good enough),#  and the ErrMessage tells you what's wrong.  The configuration#  imposed in the snmpd.conf file is also shown.##  Special Case:  When the min and max numbers are both 0, it assumes#  you want a max of infinity and a min of 1.#

# -----------------------------------------------------------------------------

################################################################################ Executables/scripts#

##  You can also have programs run by the agent that return a single#  line of output and an exit code.  Here are two examples.##  exec NAME PROGRAM [ARGS ...]##  NAME:     A generic name.#  PROGRAM:  The program to run.  Include the path!#  ARGS:     optional arguments to be passed to the program

# a simple hello world

#exec echotest /bin/echo hello world

# Run a shell script containing:## #!/bin/sh# echo hello world# echo hi there# exit 35## Note:  this has been specifically commented out to prevent# accidental security holes due to someone else on your system writing# a /tmp/shtest before you do.  Uncomment to use it.##exec shelltest /bin/sh /tmp/shtest

# Then,# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0

# Note that the second line of the /tmp/shtest shell script is cut# off.  Also note that the exit status of 35 was returned.

# -----------------------------------------------------------------------------

################################################################################ disk checks#

# The agent can check the amount of available disk space, and make# sure it is above a set limit.

# disk PATH [MIN=100000]## PATH:  mount path to the disk in question.# MIN:   Disks with space below this value will have the Mib's errorFlag set.#        Default value = 100000.

# Check the / partition and make sure it contains at least 10 megs.

#disk / 10000

# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""

# -----------------------------------------------------------------------------

################################################################################ load average checks#

# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]## 1MAX:   If the 1 minute load average is above this limit at query#         time, the errorFlag will be set.# 5MAX:   Similar, but for 5 min average.# 15MAX:  Similar, but for 15 min average.

# Check for loads:#load 12 14 14

# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""

# -----------------------------------------------------------------------------

################################################################################ Extensible sections.#

# This alleviates the multiple line output problem found in the# previous executable mib by placing each mib in its own mib table:

# Run a shell script containing:## #!/bin/sh# echo hello world# echo hi there# exit 35## Note:  this has been specifically commented out to prevent# accidental security holes due to someone else on your system writing# a /tmp/shtest before you do.  Uncomment to use it.## exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest

# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50# enterprises.ucdavis.50.1.1 = 1# enterprises.ucdavis.50.2.1 = "shelltest"# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"# enterprises.ucdavis.50.100.1 = 35# enterprises.ucdavis.50.101.1 = "hello world."# enterprises.ucdavis.50.101.2 = "hi there."# enterprises.ucdavis.50.102.1 = 0

# Now the Output has grown to two lines, and we can see the 'hi# there.' output as the second line from our shell script.## Note that you must alter the mib.txt file to be correct if you want# the .50.* outputs above to change to reasonable text descriptions.

# Other ideas:## exec .1.3.6.1.4.1.2021.51 ps /bin/ps# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq

# -----------------------------------------------------------------------------

################################################################################ Pass through control.#

# Usage:#   pass MIBOID EXEC-COMMAND## This will pass total control of the mib underneath the MIBOID# portion of the mib to the EXEC-COMMAND.## Note:  You'll have to change the path of the passtest script to your# source directory or install it in the given location.## Example:  (see the script for details)#           (commented out here since it requires that you place the#           script in the right location. (its not installed by default))

# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest

# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255# enterprises.ucdavis.255.1 = "life the universe and everything"# enterprises.ucdavis.255.2.1 = 42# enterprises.ucdavis.255.2.2 = OID: 42.42.42# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1# enterprises.ucdavis.255.5 = 42# enterprises.ucdavis.255.6 = Gauge: 42## % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5# enterprises.ucdavis.255.5 = 42## % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"# enterprises.ucdavis.255.1 = "New string"#

# For specific usage information, see the man/snmpd.conf.5 manual page# as well as the local/passtest script used in the above example.

# Added for support of bcm5820 cards.pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat

################################################################################ Further Information##  See the snmpd.conf manual page, and the output of "snmpd -H".[/text]