Cacti Notes II & SNMPv3

CentOS/RHEL/SL Interfaces list (eth0; eth1….)

In Cacti 0.8.6g (and perhaps 0.8.6f) on Red Hat systems (I’ve seen Enterprise, RH9, Fedora 3 and 4 mentioned), there’s a problem getting the list of interfaces detected, and Cacti needs that list to graph traffic.

The typical problems involve the following errors:
“No SNMP data returned” (from verbose query in the devices detail)
No data returned while running snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.2.2.1.1
General problems getting Interface – Traffic graphs to work

The problem lies in the permissions for SNMP version 1 users in the /etc/snmp/snmpd.conf file.

You need to change the following limits:
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1

to:
view systemview included .1.3.6.1.2.1
view systemview included .1.3.6.1.2.1.25.1.1

This relaxes the limits on the public group’s access using snmpwalk, by widening the first view to the whole .1.3.6.1.2.1 subtree, and allows Cacti to get the list of interfaces.

#########

How to configure SNMPv3 securely in CentOS/RHEL/SL

Now we’re talking. This version supports authentication passwords that are not transferred in the clear, and it also supports encryption passwords, so an attacker cannot see what is transferred. I’ll now show you how to configure your CentOS/RHEL/SL system so it can be queried via SNMPv3 in a secure way.

First we install the package we need:
yum install net-snmp
Then we create our user. SHA1 is used for the authentication and AES for the encryption of the traffic. For security it is important to use two separate passwords.
service snmpd stop
net-snmp-create-v3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user
service snmpd start
This will print something like this:
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpv3user SHA "snmpv3authPass" AES snmpv3encPass
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpv3user

Secure the SNMP daemon with a host firewall and only allow requests from source IP addresses you know and which need to query the system.
Verify that everything works with the following command:
snmpwalk -u snmpv3user -A snmpv3authPass -a SHA -X snmpv3encPass -x AES -l authPriv 127.0.0.1 -v3
As you can see, it is quite easy, so there is no reason to use anything less secure!
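
The following is an added example, not part of the original notes: a small Python check that flags the snmpd.conf settings discussed on this page (the widened view for the v1 public group, and the rouser line written by net-snmp-create-v3-user). It relies on the snmpd.conf(5) behaviour that rouser without an explicit level accepts "auth" as the minimum, so encryption is only enforced when "priv" is appended; the com2sec line and the user "hardeneduser" in the sample are constructed.

```python
import shlex

MIB2 = ["1", "3", "6", "1", "2", "1"]  # .1.3.6.1.2.1, the subtree opened above
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample: the view and rouser lines from this page, plus an assumed
# com2sec mapping for "public" and a hypothetical user that enforces priv.
SAMPLE_CONF = """\
com2sec notConfigUser default public
view systemview included .1.3.6.1.2.1
view systemview included .1.3.6.1.2.1.25.1.1
rouser snmpv3user
rouser hardeneduser priv   # hypothetical user name
"""


def audit_snmpd_conf(text):
    """Return (line_number, directive, finding) for each risky directive."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:  # free text with an unbalanced quote (sysContact etc.)
            tok = []
        if not tok:
            continue
        name, args = tok[0].lower(), tok[1:]
        if name == "com2sec" and len(args) >= 3:   # com2sec SECNAME SOURCE COMMUNITY
            src = "any source" if args[1] == "default" else args[1]
            findings.append((num, name, f"cleartext community {args[2]!r} from {src}"))
        elif name in COMMUNITY and args:           # rocommunity COMMUNITY [SOURCE]
            src = args[1] if len(args) > 1 else "any source"
            findings.append((num, name, f"cleartext community {args[0]!r} from {src}"))
        elif name == "view" and len(args) >= 3 and args[1] == "included":
            # Flag subtrees that are mib-2 itself or one of its ancestors.
            oid = args[2].strip(".").split(".")
            if oid == MIB2[:len(oid)]:
                findings.append((num, name, f"view {args[0]} exposes all of {args[2]}"))
        elif name in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:                 # optional "-s SECMODEL" prefix
                args = args[2:]
            level = args[1] if len(args) > 1 else "auth"  # default minimum level
            if args and level != "priv":
                findings.append((num, name, f"{args[0]}: level {level!r}, encryption not enforced"))
    return findings


if __name__ == "__main__":
    print(*audit_snmpd_conf(SAMPLE_CONF), sep="\n")
```

On the sample it reports lines 1, 2 and 4; changing line 4 to "rouser snmpv3user priv" clears the last finding.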

If you want to delete the user, just edit the two files mentioned above. In /etc/snmp/snmpd.conf delete the line rouser snmpv3user, and in /var/lib/net-snmp/snmpd.conf look for a line like this and remove it:

usmUser 1 3 0x80001f88801e15113fbf17bf5100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.3 0xaaa3bc2aa941d932a581bbb11956699a7d807238 .1.3.6.1.6.3.10.1.2.4 0xcd6eed84f9d1aa903e92162f0e3fcb26 ""

Restart the daemon with service snmpd restart and the user is gone.

# date
Thu Aug 27 02:49:26 AZST 2015