Accept SNMP Packets...

hi guys

I've configured snmp on some linux

snmpd.conf

rocommunity  com_read  x.x.x.10
rwcommunity  com_write x.x.x.10

Now one of my coworkers asked to do the same that he does on windows for my linux....

But I have no idea how to configure that. Basically, when SNMP is configured there is a tab that says

Accept SNMP packets from these hosts
localhost
x.x.x.217
x.x.x.218

since we don't want this window to accept SNMP from any host

so my question is: how can I configure this on my linux hosts to accept SNMP packets from specific hosts?
Thanks a lot
I attached the SNMP Win Conf (snmp windows.doc)

any idea guys?

I was thinking maybe using hosts.allow/deny

but I am not sure how to use it

hosts.allow
snmpd: 192.168.1.2 192.168.1.3

basically I want any kind of connection to my server, but SNMP only from 6 servers

how should I play with hosts.deny/allow or SNMP to do this?

Are you using Net-SNMP? You can try something like:

rocommunity SOME_NAME
<...>
com2sec some_user  localhost       SOME_NAME
com2sec some_user  x.x.x.217       SOME_NAME
com2sec some_user  x.x.x.218       SOME_NAME

is com2sec a static variable to define my 6 hosts?
some_user: What would be?
SOME_NAME: any name specifying?

sorry too many questions

hi again

by the way I have to configure this SNMP stuff on a firewall that is part of a SNMP project
so they want to allow only some hosts to send SNMP packets across this Linux firewall

Since I still don't get how to do it on SNMP like in Windows

I was thinking using hosts.allow and deny like this

hosts.allow
snmpd : 192.168.2.1 192.168.2.2 192.168.2.3 


hosts.deny
snmpd : ALL

but I read this
# Never configure TCP Wrappers on firewall host.
# Put TCP Wrappers behind a firewall systems as TCP Wrappers is no substitute for netfilter or pf firewall.

on
Explain Linux / UNIX TCP Wrappers / Find Out If Program Compiled With TCP Wrappers

so any guidance on SNMP way?
thanks a lot

SNMP has its own protocol, both for data inquiry and security.
In POSIX unix there are several files to control all of this. Net-SNMP, although I've never used it, has ways to implement all of this stuff.

By default SNMP uses UDP on port 161. You can create a 'community', with clearly defined access levels.

Instead of this forum, read the O'Reilly Book
Essential SNMP - O'Reilly Media

SNMP protocol is a product of DARPA (US dept of defense). This means it verges on idiotic as it was conceived by bureaucrats. And a meaningful understanding of what you are asking is way beyond the scope of a forum.

Example: the answer to each of your questions varies by version of SNMP - 1, 2, or 3.

Wait til you read about MIB files. There is a whole book just on the mib2c utility.
My Solaris conf files for snmp (and there can be more than one) are huge, and are maintained by special scripts.

There is no simple shortcut to all of this stuff. Sorry. Without the right background it is easy to mess things up. IMO.

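An added example, not written by any poster in this thread and not part of Net-SNMP: a small Python audit of snmpd.conf text that lists which sources each community accepts packets from and flags anything outside an allowed host list. It relies on the Net-SNMP rule that rocommunity/rwcommunity with no SOURCE (or the source "default") accepts any host; the sample config, its 192.0.2.x addresses and the function names are constructed for illustration.

```python
import ipaddress

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def community_sources(conf_text):
    """Return {community: {sources}}; the source 'default' means any host."""
    result = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE [OID]]: no SOURCE means 'default'
            community, source = args[0], (args[1] if len(args) > 1 else "default")
        elif directive in ("com2sec", "com2sec6"):
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        result.setdefault(community, set()).add(source)
    return result

def audit(conf_text, allowed_hosts):
    """Return sorted (community, source) pairs reachable from outside allowed_hosts."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for community, sources in community_sources(conf_text).items():
        for source in sources:
            try:
                net = ipaddress.ip_network("127.0.0.1" if source == "localhost" else source, strict=False)
                too_wide = net.num_addresses > len(allowed) or any(a not in allowed for a in net)
            except ValueError:  # 'default', or a hostname this script cannot check
                too_wide = True
            if too_wide:
                findings.append((community, source))
    return sorted(findings)

# Constructed sample; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE = """\
rocommunity com_read  192.0.2.217
rocommunity com_read  localhost
rwcommunity com_write             # no SOURCE given
com2sec some_user 192.0.2.0/24 SOME_NAME
"""
ALLOWED = ["127.0.0.1", "192.0.2.217", "192.0.2.218"]
```

Calling audit(SAMPLE, ALLOWED) reports the com_write community (open to any host) and the SOME_NAME mapping (a whole /24), while the two com_read lines pass.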