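Introduction to SNMP
The Simple Network Management Protocol (SNMP) is part of the Internet protocol suite defined by the Internet Engineering Task Force (IETF). It supports network management systems in monitoring network-attached devices for any conditions that warrant administrative attention.
In short, it is used by network administrators to monitor the state of devices on the network.
Environment
VM1: Debian 10, IP address: 192.168.11.128
VM2 (Debian-2): Debian 10, IP address: 192.168.11.129
Install the SNMP packages
root@YoungDebian:~# apt-get install snmpd snmp libsnmp-dev
Configuring SNMPv2c
Edit the SNMP configuration file:
nano /etc/snmp/snmpd.conf
Add the IP addresses to listen on:
#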
# AGENT BEHAVIOUR
#
# Listen for connections from the local system only
# The monitored machine's IP is 192.168.11.128, port 161
agentAddress udp:127.0.0.1:161,udp:192.168.11.128:161
Add the community string that the monitoring server will connect with:
#rocommunity public localhost#
# Default access to basic system info
# The monitoring server's IP is 192.168.11.129, the community string is Aozy
rocommunity Aozy 192.168.11.129
Restart the service to reload the conf file, then check the service status:
root@YoungDebian:~# systemctl restart snmpd
root@YoungDebian:~# systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-02-08 17:15:57 CST; 1s ago
Process: 2135 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS)
Main PID: 2136 (snmpd)
Tasks: 1 (limit: 2318)
Memory: 5.9M
CGroup: /system.slice/snmpd.service
└─2136 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
Feb 08 17:15:57 YoungDebian systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Feb 08 17:15:57 YoungDebian systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Feb 08 17:15:57 YoungDebian snmpd[2136]: /etc/snmp/snmpd.conf: line 150: Warning: Unknown token: defaultMonitors.
Feb 08 17:15:57 YoungDebian snmpd[2136]: /etc/snmp/snmpd.conf: line 152: Warning: Unknown token: linkUpDownNotifications.
Feb 08 17:15:57 YoungDebian snmpd[2136]: Turning on AgentX master support.
Feb 08 17:15:58 YoungDebian snmpd[2136]: NET-SNMP version 5.7.3
Try to retrieve information about the monitored machine from the monitoring server (using total memory size as an example):
root@debian-2:~# snmpwalk -v2c -c Aozy 192.168.11.128 .1.3.6.1.4.1.2021.4.5.0
iso.3.6.1.4.1.2021.4.5.0 = INTEGER: 2018220
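Configuring SNMPv3
Create an SNMPv3 user and restart the service:
root@YoungDebian:~# net-snmp-create-v3-user -ro -A mypasswd@@ -a SHA -X mypasswd@@ -x AES youngH
Note: SNMPv3 has three security levels:
- noAuthNoPriv: the account is not authenticated and the connection is not encrypted
- authNoPriv: the account is authenticated, but the connection is not encrypted
- authPriv: the account is authenticated and the connection is encrypted
Try to retrieve information about the monitored machine from the monitoring server (using total memory size as an example):
aozy@debian-2:~$ snmpwalk -v3 -a SHA -A mypasswd@@ -x AES -X mypasswd@@ -l authPriv -u youngH 192.168.11.128 .1.3.6.1.4.1.2021.4.5.0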
iso.3.6.1.4.1.2021.4.5.0 = INTEGER: 2018220
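Granting different users access to different information under v3
Define the views in the Access Control section (allinfo, which can query all information, and cpuonly, which can only see CPU information):
###############################################################################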
#
# ACCESS CONTROL
#
view cpuonly included .1.3.6.1.4.1.2021.11
view allinfo included .1
Map users to views (the user admin has access to all information; the user user has access to CPU information only):
# Full read-only access for SNMPv3
Restart the service:
root@YoungDebian:/etc/snmp# systemctl restart snmpd
root@YoungDebian:/etc/snmp# systemctl status snmpd

root@debian-2:~# snmpwalk -v3 -a SHA -A mypasswd@@ -x AES -X mypasswd@@ -l authPriv -u admin 192.168.11.128 .1.3.6.1.4.1.2021.4.5.0
iso.3.6.1.4.1.2021.4.5.0 = INTEGER: 2018220
root@debian-2:~# snmpwalk -v3 -a SHA -A mypasswd@@ -x AES -X mypasswd@@ -l authPriv -u user 192.168.11.128 .1.3.6.1.4.1.2021.4.5.0
iso.3.6.1.4.1.2021.4.5.0 = No Such Object available on this agent at this OID
- Try to get CPU information with both users:
root@debian-2:~# snmpwalk -v3 -a SHA -A mypasswd@@ -x AES -X mypasswd@@ -l authPriv -u admin 192.168.11.128 .1.3.6.1.4.1.2021.11.52.0
iso.3.6.1.4.1.2021.11.52.0 = Counter32: 5676
root@debian-2:~# snmpwalk -v3 -a SHA -A mypasswd@@ -x AES -X mypasswd@@ -l authPriv -u user 192.168.11.128 .1.3.6.1.4.1.2021.11.52.0
iso.3.6.1.4.1.2021.11.52.0 = Counter32: 5686
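The four snmpwalk results above follow from how a user is resolved to a view and how an OID is matched against that view's subtrees. The Python below is an added example, not part of the original post: it parses `view` and `rouser` lines and answers whether a user may read an OID, so a mapping can be checked before restarting snmpd. Assumptions: the two `rouser` lines are constructed (the post shows only the comment line of that block), the function names are hypothetical, and view masks and `-s SECMODEL` are not handled.

```python
# Added example: which OIDs may an SNMPv3 user read, given snmpd.conf
# view/rouser lines? The rouser lines are assumed, not taken from the page.
SAMPLE_CONF = """\
# view lines as shown on the page
view cpuonly included .1.3.6.1.4.1.2021.11
view allinfo included .1
# assumed user-to-view mappings (constructed for this example)
rouser admin priv -V allinfo
rouser user priv -V cpuonly
"""

def oid_tuple(text):
    """'.1.3.6' -> (1, 3, 6): compare sub-identifiers, never raw strings."""
    return tuple(int(part) for part in text.strip(".").split("."))

def parse_conf(conf):
    """Return (views, users).

    views[name] = [(is_included, subtree_tuple), ...]
    users[name] = (minimum_security_level, view_name or None)
    """
    views, users = {}, {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comment lines
        if len(tok) >= 4 and tok[0] == "view" and tok[2] in ("included", "excluded"):
            views.setdefault(tok[1], []).append((tok[2] == "included", oid_tuple(tok[3])))
        elif len(tok) >= 2 and tok[0] == "rouser":
            level = tok[2] if len(tok) > 2 else "auth"  # level defaults to auth
            if "-V" in tok[3:-1]:
                view = tok[tok.index("-V") + 1]
            elif len(tok) > 3:  # bare OID restriction: treat as a one-entry view
                view = "oid:" + tok[1]
                views[view] = [(True, oid_tuple(tok[3]))]
            else:
                view = None  # no restriction: the whole tree is readable
            users[tok[1]] = (level, view)
    return views, users

def can_read(conf, user, oid):
    """True if the user's view includes oid (longest matching subtree wins)."""
    views, users = parse_conf(conf)
    if user not in users:
        return False
    view = users[user][1]
    if view is None:
        return True
    target, best = oid_tuple(oid), None
    for included, subtree in views.get(view, []):
        if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[1])):
            best = (included, subtree)
    return bool(best and best[0])
```

Matching is done per sub-identifier, so `.1.3.6.1.4.1.2021.110` is not treated as being inside `.1.3.6.1.4.1.2021.11`, which a plain string-prefix comparison would get wrong.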
Additional notes
- OID database: http://oid-info.com/index.htm