在CentOS和RHEL中配置SNMPv3

首先，使用yum安裝必要的軟件

[root@server ~]#  yum install net-snmp-utils net-snmp-devel
安裝完成以後， 先中止snmpd，再建立具備只讀屬性的SNMP 帳戶。 .
[root@server ~]#  service snmpd stop
[root@server ~]#  net-snmp-create-v3-user -A snmpv3pass -a MD5 -x DES snmpv3user
==================================================================

snmp V3的方式設置簡單，並且安全性更高。

配置方法：
1.中止snmpd服務
  #service snmpd stop

2.增長snmpv3用戶，並設置認證以及加密方式
  # net-snmp-create-v3-user
     Enter a SNMPv3 user name to create:
     enocsnmpv3
     Enter authentication pass-phrase:
    enocsnmpv3pw
     Enter encryption pass-phrase:
     [press return to reuse the authentication pass-phrase]
     enocsnmpv3pk
    adding the following line to /var/lib/net-snmp/snmpd.conf:
       createUser enocsnmpv3 MD5 "enocsnmpv3pw" DES enocsnmpv3pk
    adding the following line to /etc/snmp/snmpd.conf:
       rwuser enocsnmpv3

3.啓動snmpd服務
  # service snmpd restart

現經過snmpwalk測試一下：
# snmpwalk -v3 -uenocsnmpv3  -lauth -aMD5 -A"enocsnmpv3pw" -X"enocsnmpv3pk" localhost  | more
SNMPv2-MIB::sysDescr.0 = STRING: Linux CentOS60A 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::org
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9443) 0:01:34.43

或：
# snmpwalk -v3 -uenocsnmpv3 -lauth -aMD5 -A"enocsnmpv3pw"  localhost .1 | more
或：
# snmpwalk -v3 -lauth -uenocsnmpv3 -aMD5 -xDES -A"enocsnmpv3pw" -X"enocsnmpv3pk" localhost .1 | more

補充：
SNMP Version 3 specific
  -a PROTOCOL           set authentication protocol (MD5|SHA)
  -A PASSPHRASE         set authentication protocol pass phrase
  -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)
  -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)
  -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)
  -n CONTEXT            set context name (e.g. bridge1)
  -u USER-NAME          set security name (e.g. bert)
  -x PROTOCOL           set privacy protocol (DES|AES)
  -X PASSPHRASE         set privacy protocol pass phrase
  -Z BOOTS,TIME         set destination engine boots/time

==================================================================

## OUTPUT ##
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpv3user
[root@server ~]#  service snmpd start
SNMPv3測試
snmpwalk 是測試SNMP配置和輸出出色的工具。成功的測試結果應當有大量的輸出數據。
[root@server ~]#  snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.1.2 -v3
### OUTPUT ###
SNMPv2-MIB::sysDescr.0 = STRING: Linux server.example.tst 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28963) 0:04:49.63
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementation
## and the output continues ##
刪除SNMPv3帳戶
SNMPv3 帳戶信息被包含在兩個文件之中。刪除帳戶即刪除這個文件中的信息便可。
root@server:~# service snmpd stop
root@server:~# vim /var/lib/net-snmp/snmpd.conf
## there should be a similar encrypted line that contains information on the user ##
## this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d70763375736572000x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
root@server:~# vim /etc/snmp/snmpd.conf
## The following line is removed ##
rouser snmpv3user
root@server:~#  service snmpd start
防火牆調節（可選）
下面的例子中的防火牆規則能夠被用於限制被容許進行SNMP查詢的源IP地址。兩個IP地址（例如， 192.168.1.100/101）被置於白名單中。
root@server:~# iptables -A INPUT -s  192.168.1.100/32 -p udp –dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -s 192.168.1.101/32 -p udp –dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -p udp –dport 161 -j DROP
思科交換機和路由器配置SNMPv3
思科交換機和路由器一樣支持SNMPv3。下面的例子將建立一個訪問控制列表（ACL）限制容許作SNMP查詢的源IP地址。可是，這步被跳過了。
設置訪問控制列表（ACL）（可選）
## global config mode ##
ip access-list standard SNMP_ACL
permit 192.168.1.100
permit 192.168.1.100
SNMPv3 配置
下面的配置建立一個名爲v3Group與認證AuthNoPriv安全級別v3的組。前面定義的可選訪問列表也支持設定。
## global config mode ##
## With ACL ##
snmp-server group v3Group v3 auth access SNMP_ACL
## Without ACL ##
snmp-server group v3Group v3 auth
用戶v3user被建立並添加在v3Group下。 

 

DES加密密鑰

snmp-server user snmpv3user v3Group v3 auth md5 snmpv3pass priv DES snmpv3pass

 

AES加密密鑰
snmp-server user snmpv3user v3Group v3 auth md5 snmpv3pass priv AES 128 snmpv3pass

 

SNMPv3測試
SNMP用戶和相關組能夠在Cisco設備中查看。
### privileged EXEC mode ##
show snmp user
User name: v3user
Engine ID: ************************
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: v3Group
任何Linux設備中的snmpwalk的均可以用來驗證配置和檢查輸出。
snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.1.3 -v3
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software」
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.1166
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.2.1.0 = INTEGER: 54
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
## output truncated ##

分享：