You need to make sure SNMP is operating correctly before you configure MRTG. What's a good basic configuration, and how do you test it?
You need to first make sure that snmpd is running. The installer should have automatically started it. Check snmpd with this command:
$ snmpwalk -v 2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux xena 2.6.20-16-generic #2 SMP Thu Jun 7 20:19:32 UTC 2007 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (359297) 0:59:52.97
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
SNMPv2-MIB::sysName.0 = STRING: xena
[...]
Now, we'll move the default snmpd.conf file out of the way, and replace it with our own bare bones edition:
# cd /etc/snmp
# mv snmpd.conf snmpd.conf-old
# touch snmpd.conf
# chmod 0600 snmpd.conf
# chmod 0644 snmpd.conf-old
The last command is optional; it makes the default file available to ordinary users for study and reference. Our new snmpd.conf consists of just a few lines. Replace password with your own choice for a password. Don't use public or private, the default snmp passwords:
###/etc/snmp/snmpd.conf
## sec.name  source          community
## ========  ======          =========
com2sec local localhost       password
com2sec lan   192.168.1.0/24  password
## Access.group.name  sec.model  sec.name
## =================  =========  ========
group ROGroup_1       v1         local
group ROGroup_1       v1         lan
group ROGroup_1       v2c        local
group ROGroup_1       v2c        lan
## MIB.view.name  incl/excl  MIB.subtree  mask
## =============  =========  ===========  ====
view all-mibs     included   .1           80
## MIB
## group.name  context  sec.model  sec.level  prefix  read      write  notif
## ==========  =======  =========  =========  ======  ====      =====  =====
access ROGroup_1  ""    v1         noauth     exact   all-mibs  none   none
access ROGroup_1  ""    v2c        noauth     exact   all-mibs  none   none
Make sure this file is owned and readable only by root. Then, restart snmpd:
# /etc/init.d/snmpd restart
Next, try the snmpwalk command again:
$ snmpwalk -v 2c -c public localhost system
Timeout: No Response from localhost
Now, try it with your new password, which in SNMP lingo is called the community string:
$ snmpwalk -v 2c -c password localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux xena 2.6.20-16-generic #2 SMP Thu Jun 7 20:19:32 UTC 2007 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (105655) 0:17:36.55
SNMPv2-MIB::sysContact.0 = STRING: root
SNMPv2-MIB::sysName.0 = STRING: xena
[...]
OK then! It works.
snmpd is controlled via the usual Debian init commands:
# /etc/init.d/snmpd {start|stop|restart|reload|force-reload}
Let's take a look at what we did. There are four keywords that we're using for setting up access controls: com2sec, view, group, and access.
com2sec
com2sec, or community-to-security, defines a security name (sec.name), which is a combination of the community string and source IP address.
view
Defines which parts of the MIB tree are available to view. This example allows access to the entire tree.
group
This creates named groups and maps them to their security names.
access
This specifies who has access to which bits of the MIB tree. This example lets everyone in the Read-only Group (ROGroup_1) read all MIBs, using SNMP v1 or v2c. ROGroup_1 is an arbitrary name; you may call it anything you want.
There is a simpler way to do the same thing:
rocommunity password
That single line replaces the entire example file. You're welcome to use this if you prefer; it's simpler and makes debugging easier. Using and understanding the longer file will help you later as you create more complex snmpd.conf configurations.
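As an added illustration (not code from the original recipe), this Python sketch resolves the com2sec -> group -> access -> view chain, and the rocommunity shorthand, into one row per effective grant and flags the default community strings. The function names, the row layout and the trailing rocommunity public line in the sample are assumptions made for the example; it ignores the view mask and the optional com2sec context flag.

```python
import shlex

# Constructed sample: the recipe's snmpd.conf plus one default-community line to flag.
SAMPLE_CONF = '''\
com2sec local localhost      password
com2sec lan   192.168.1.0/24 password
group  ROGroup_1 v1  local
group  ROGroup_1 v1  lan
group  ROGroup_1 v2c local
group  ROGroup_1 v2c lan
view   all-mibs included .1 80
access ROGroup_1 "" v1  noauth exact all-mibs none none
access ROGroup_1 "" v2c noauth exact all-mibs none none
rocommunity public    # left over from a default file
'''
DEFAULT_COMMUNITIES = {"public", "private"}

def _row(community, source, model, read, write):
    return {"community": community, "source": source, "model": model, "read": read,
            "write": write, "weak": community in DEFAULT_COMMUNITIES}

def effective_access(conf_text):
    """Resolve com2sec -> group -> access -> view into one row per grant."""
    com2sec, groups, views, access, rows = [], [], {}, [], []
    for line in conf_text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps ""
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "com2sec" and len(args) == 3:
            com2sec.append(args)                # sec.name, source, community
        elif kw == "group" and len(args) == 3:
            groups.append(args)                 # group, sec.model, sec.name
        elif kw == "view" and len(args) >= 3:
            views.setdefault(args[0], []).append((args[1], args[2]))
        elif kw == "access" and len(args) == 8:
            access.append(args)
        elif kw == "rocommunity" and args:      # COMMUNITY [SOURCE [OID]]
            source = args[1] if len(args) > 1 else "default"
            subtree = args[2] if len(args) > 2 else ".1"
            rows.append(_row(args[0], source, "v1/v2c", [("included", subtree)], []))
    # Join the three tables: an access line applies to every community whose
    # security name is in that group under the same security model.
    for grp, _ctx, model, _lvl, _match, read, write, _notif in access:
        for g, m, sec in groups:
            for s, source, community in com2sec:
                if g == grp and model in (m, "any") and s == sec:
                    rows.append(_row(community, source, m,
                                     views.get(read, []), views.get(write, [])))
    return rows
```

Each returned row answers "which community, from which source, over which protocol version, can read or write which subtrees", which is the question to ask of any snmpd.conf before exposing the agent to a network.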
snmpwalk syntax is pretty simple:
snmpwalk [options] community hostname [OID]
This is what the options mean:
-v
Selects which SNMP protocol to use. Your choices are v1, v2c, and v3 (the default).
-c
Sets the community string, which is the same as a password. The default snmpd.conf creates two default community strings: public and private. Because everyone in the world knows these, we got rid of them.
localhost
Specifies which device you're querying.
system
system is a shortcut name for all the OIDs under the 1.3.6.1.2.1.1 hierarchy. snmpwalk -v1 -cpassword localhost .1.3.6.1.2.1.1 returns the same results. In the examples, I use system just to reduce the quantity of output. Leave it off, and you'll see lots more.
ASN.1 Information: http://asn1.elibel.tm.fr/en/index.htm
Net-SNMP: http://net-snmp.sourceforge.net
man snmpd.conf