Getting "snmpd", the Linux SNMP daemon, up and running on Ubuntu is simply a matter of installing "snmpd":
sudo apt-get install snmpd;
Or is it?
Default configuration woes
Logging
By default, Ubuntu wants to log literally everything that "snmpd" does to syslog. While I love the enthusiasm, this quickly leads to overflowing logs and the headache around them (plus it makes it impossible to find any event that's actually important).
How many times do you want to see messages like this in your logs?
Sep 11 16:48:23 your-server snmpd[19552]: Connection from UDP: [192.168.59.101]:49867->[10.129.11.219] Sep 11 16:48:23 snmpd[19552]: last message repeated 199 times
The logging options are specified on the "snmpd" command line, and are thus configured in "/etc/default/snmpd".
The default logging settings are:
-Lsd
"-L" is for the logging options. "s" is for syslog. "d" is for the daemon facility.
What we want are these settings:
-LS 4 d
"-L" again is for logging options. Capital "S" is for a priority-filtered syslog, with "4" being "warning-level or higher". Again, "d" is for the daemon facility.
Port access
By default, Ubuntu locks down SNMP access to "localhost", so it's 100% useless from a monitoring perspective. While I respect the security-mindedness displayed here, I need my boxes to actually respond to requests.
The access options are specified in the "snmpd.conf" file, which is located here: "/etc/snmp/snmpd.conf".
At the top of the file, there is a configuration item called "agentAddress". By default, this limits requests to those originating locally.
agentAddress udp:127.0.0.1:161
There is usually a line following it that's commented out, and that's the one that we want. Get rid of the line above and make sure that this one is enabled:
agentAddress udp:161,udp6:[::1]:161
This makes sure that any requests to port 161 (the standard SNMP port) will be allowed.
Permissions
Yes, yes, we should all be using SNMPv3's great user-based access-control mechanism, but for an internal-to-the-company server that can't be reached from the Internet, we can often afford to be lax. And hey, I'm not stopping you from setting up SNMPv3 access control. Go nuts.
Here, we're going to allow the community string of "public" to access everything about the box (but not make any changes at all).
The default configuration allows "public" to see some basic system information, but that's not good enough:
rocommunity public default -V systemonly
Get rid of that line and replace it with one that doesn't have the "systemonly" restriction:
rocommunity public
Restart "snmpd" and you'll be ready to respond to SNMP requests from your local management station.
sudo service snmpd restart;
sudo service snmpd restart;
No comments:
Post a Comment