SNMPv3 protocol configuration

From OpenNMS

Introduction

Although OpenNMS can function as a service, availability, event, and notification management platform independent of SNMP, SNMP adds additional functionality to the platform as well as enhancing these other services by way of device configuration information and SNMP traps/notifications.

Enabling SNMPv3

One of the big additions to the 1.3 release of OpenNMS is support for alternate SNMP libraries. Calls to JoeSNMP, which has been part of OpenNMS since the beginning, have been abstracted to provide an API for adding alternate SNMP implementations. This change was made to allow us to integrate SNMP4J, a pure Java library that supports SNMPv3. Though JoeSNMP, with SNMP versions v1 and v2c, is still the default implementation, SNMP4J, which supports SNMP v1, v2c and v3, can be enabled by setting the system property 'org.opennms.snmp.strategyClass' to 'org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy'.

As of 1.3.2, SNMP4J is the default value for this property, so SNMPv3 should already be enabled.


On earlier 1.3.x versions the easiest way to do this is by adding the following line to '$OPENNMS_HOME/etc/opennms.conf':

ADDITIONAL_MANAGER_OPTIONS="-Dorg.opennms.snmp.strategyClass=org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy"

Configuring SNMP

The main configuration file that determines SNMP's behavior for your instance of OpenNMS is snmp-config.xml. The schema for this file has been modified to add support for configuring SNMPv3. The snmp-config element in this file contains attributes and sub-elements called definitions. The attributes of the snmp-config element define system-wide defaults. The definition elements are sub-elements of snmp-config and can override the system-wide default settings. Let's break that down with a sample configuration:

Sample configuration

<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">

        <definition version="v2c">
                <specific>192.168.0.50</specific>
        </definition>
        <definition version="v3" security-name="opennmsUser">
                <specific>192.168.0.102</specific>
        </definition>
        <definition retry="1" timeout="1000">
                <range begin="192.168.100.1" end="192.168.100.254"/>
                <ip-match>77.5-12,15.1-255.255</ip-match>
        </definition>
</snmp-config>

In this sample configuration, the first definition element overrides the default version defined in the top-level snmp-config element with SNMP version 2c. The same override is specified in the second definition element, except that when specifying version 3 at least one more attribute is required: "security-name". (Note: a system-wide default security-name can be defined in the top-level snmp-config element.) In the final definition of this sample configuration, a range element and the new "ip-match" element are used. The range element has two attributes, and each must be a valid IP address. The ip-match element is a much more flexible way of configuring SNMP attributes for a specific set of devices than the previous range elements.

The ip-match element example above can be broken down like this:

	If the first octet equals 77
		Then if the 2nd octet is in the range 5-12 or equals 15
			Then if the 3rd octet is in the range 1-255
				Then if the 4th octet equals 255
					Use this definition's attributes
	Else
		If the attribute is defined in the snmp-config element
			Use the snmp-config attribute
		Else
			Use the default attribute
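
As an added example (not part of the original page and not OpenNMS code), the following Python reproduces this lookup: it parses the sample snmp-config.xml above, tests an address against each definition's specific, range and ip-match children in document order, and reports which layer (definition, snmp-config, or built-in fallback) supplied each attribute. The ip-match matcher also accepts a `*` wildcard for an octet, which this page does not show; the port, retry and timeout fallback values in BUILTIN_DEFAULTS are assumptions for the example, not OpenNMS's documented defaults.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the sample snmp-config.xml from this page, embedded so the
# example runs offline.
SAMPLE_CONFIG = """\
<snmp-config port="161" retry="3" timeout="800" read-community="public" version="v1">
    <definition version="v2c">
        <specific>192.168.0.50</specific>
    </definition>
    <definition version="v3" security-name="opennmsUser">
        <specific>192.168.0.102</specific>
    </definition>
    <definition retry="1" timeout="1000">
        <range begin="192.168.100.1" end="192.168.100.254"/>
        <ip-match>77.5-12,15.1-255.255</ip-match>
    </definition>
</snmp-config>
"""

# Fallback used when neither a definition nor snmp-config sets an attribute.
# The v3 values come from the page's attribute table; port, retry and timeout
# are assumptions for this example only.
BUILTIN_DEFAULTS = {
    "port": "161", "retry": "1", "timeout": "3000", "read-community": "public",
    "version": "v1", "security-name": "opennmsUser",
    "auth-protocol": "MD5", "privacy-protocol": "DES",
}


def octet_matches(pattern: str, value: int) -> bool:
    """One octet of an ip-match pattern: 'n', 'a-b', '*' or a comma list of those."""
    for part in pattern.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low <= value <= high:
                return True
        elif int(part) == value:
            return True
    return False


def ip_match(pattern: str, ip: str) -> bool:
    """True if the dotted-quad `ip` satisfies every octet of an ip-match pattern."""
    octet_patterns = pattern.split(".")
    octets = [int(o) for o in ip.split(".")]
    if len(octet_patterns) != 4 or len(octets) != 4:
        raise ValueError(f"expected four octets in {pattern!r} and {ip!r}")
    return all(octet_matches(p, o) for p, o in zip(octet_patterns, octets))


def definition_matches(defn: ET.Element, ip: str) -> bool:
    """A definition applies if any of its specific, range or ip-match children hit."""
    addr = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(s.text.strip()) == addr for s in defn.findall("specific")):
        return True
    for rng in defn.findall("range"):
        if ipaddress.ip_address(rng.get("begin")) <= addr <= ipaddress.ip_address(rng.get("end")):
            return True
    return any(ip_match(m.text.strip(), ip) for m in defn.findall("ip-match"))


def resolve(config_xml: str, ip: str) -> dict:
    """Effective SNMP settings for `ip`: the first matching definition, then the
    snmp-config element, then the built-in fallback. Each value is returned as
    (value, layer) so you can see where it came from."""
    root = ET.fromstring(config_xml)
    defn = next((d for d in root.findall("definition") if definition_matches(d, ip)), None)
    settings = {}
    for name, fallback in BUILTIN_DEFAULTS.items():
        if defn is not None and defn.get(name) is not None:
            settings[name] = (defn.get(name), "definition")
        elif root.get(name) is not None:
            settings[name] = (root.get(name), "snmp-config")
        else:
            settings[name] = (fallback, "default")
    return settings


if __name__ == "__main__":
    for host in ("192.168.0.50", "192.168.0.102", "192.168.100.7", "77.9.200.255", "10.1.1.1"):
        effective = resolve(SAMPLE_CONFIG, host)
        print(host, {k: v for k, v in effective.items() if v[1] != "default"})
```

Running the block prints, for each host, only the attributes that a definition or the snmp-config element set explicitly; 77.9.200.255 picks up retry="1" and timeout="1000" through the ip-match element, while 10.1.1.1 matches no definition and inherits everything from snmp-config.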


Sample v3 configuration

<snmp-config
	auth-passphrase="0p3nNMSv3"
	auth-protocol="MD5"
	privacy-passphrase="0p3nNMSv3"
	privacy-protocol="DES"
	security-name="opennmsUser"
	version="v3" />

SNMPv3-specific attributes

This SNMPv3 sample configuration shows the v3-specific attributes. These attributes are supported within the definition element as well. The following table lists these new attributes with their constraints and default values:

Attribute            Constraints              Default Value
auth-passphrase      string                   0p3nNMSv3
auth-protocol        MD5/SHA                  MD5
privacy-passphrase   string                   0p3nNmsv3
privacy-protocol     DES/AES/AES192/AES256    DES
security-name        string                   opennmsUser
version              v1/v2c/v3                v1
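
Added example, not code from this page or from OpenNMS: a small audit of an snmp-config.xml against the table above. It checks that every v3 definition has a security-name (its own or inherited from snmp-config), that the protocols are within the allowed sets, that passphrases meet the eight-character minimum the SNMPv3 User-based Security Model requires, and it flags any element still using the passphrases printed in this table, since a passphrase that appears in public documentation is a default credential. The "legacy algorithm" warnings for MD5 and DES are this example's own judgement, not something the table states.

```python
import xml.etree.ElementTree as ET

# Constraints and defaults taken from the page's SNMPv3 attribute table.
VERSIONS = {"v1", "v2c", "v3"}
AUTH_PROTOCOLS = {"MD5", "SHA"}
PRIV_PROTOCOLS = {"DES", "AES", "AES192", "AES256"}
TABLE_DEFAULTS = {
    "auth-passphrase": "0p3nNMSv3", "auth-protocol": "MD5",
    "privacy-passphrase": "0p3nNmsv3", "privacy-protocol": "DES",
}
# Passphrases printed in public documentation are default credentials.
DOCUMENTED_PASSPHRASES = {"0p3nNMSv3", "0p3nNmsv3"}
MIN_PASSPHRASE_LEN = 8             # USM (RFC 3414) requires at least 8 characters
LEGACY_PROTOCOLS = {"MD5", "DES"}  # example's own judgement: prefer SHA and AES


def check_v3(effective: dict, where: str) -> list:
    """Findings for one element, given its effective (inherited plus own) attributes."""
    findings = []
    version = effective.get("version", "v1")
    if version not in VERSIONS:
        return [("error", where, f"version {version!r} not in {sorted(VERSIONS)}")]
    if version != "v3":
        return findings
    if not effective.get("security-name"):
        findings.append(("error", where, "v3 needs a security-name here or on snmp-config"))
    for key, allowed in (("auth-protocol", AUTH_PROTOCOLS), ("privacy-protocol", PRIV_PROTOCOLS)):
        proto = effective.get(key, TABLE_DEFAULTS[key])
        if proto not in allowed:
            findings.append(("error", where, f"{key} {proto!r} not in {sorted(allowed)}"))
        elif proto in LEGACY_PROTOCOLS:
            findings.append(("warn", where, f"{key} {proto} is a legacy algorithm"))
    for key in ("auth-passphrase", "privacy-passphrase"):
        phrase = effective.get(key, TABLE_DEFAULTS[key])  # unset means the table default applies
        if len(phrase) < MIN_PASSPHRASE_LEN:
            findings.append(("error", where, f"{key} shorter than {MIN_PASSPHRASE_LEN} characters"))
        if phrase in DOCUMENTED_PASSPHRASES:
            findings.append(("warn", where, f"{key} is the documented default passphrase"))
    return findings


def audit_snmp_config(xml_text: str) -> list:
    """Check snmp-config and every definition; definitions inherit top-level attributes."""
    root = ET.fromstring(xml_text)
    findings = check_v3(dict(root.attrib), "snmp-config")
    for i, defn in enumerate(root.findall("definition"), start=1):
        findings += check_v3({**root.attrib, **defn.attrib}, f"definition #{i}")
    return findings


def count_by_severity(findings: list) -> dict:
    counts = {"error": 0, "warn": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed inputs: the page's v3 sample as-is, and a definition with two mistakes.
PAGE_V3_SAMPLE = """<snmp-config auth-passphrase="0p3nNMSv3" auth-protocol="MD5"
    privacy-passphrase="0p3nNMSv3" privacy-protocol="DES"
    security-name="opennmsUser" version="v3" />"""

BROKEN_DEFINITION = """<snmp-config version="v1" read-community="public">
    <definition version="v3" auth-protocol="SHA" privacy-protocol="AES"
                auth-passphrase="short" privacy-passphrase="a-long-enough-privacy-key">
        <specific>10.0.0.1</specific>
    </definition>
</snmp-config>"""

if __name__ == "__main__":
    for label, text in (("page sample", PAGE_V3_SAMPLE), ("broken", BROKEN_DEFINITION)):
        for severity, where, message in audit_snmp_config(text):
            print(f"{label}: {severity:5} {where}: {message}")
```

On the page's own v3 sample the audit produces no errors but four warnings (both passphrases are the documented defaults, and MD5/DES are legacy choices); the constructed broken definition fails on the missing security-name and the five-character auth-passphrase.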

Enabling SNMPv3 for net-snmp

Since Net-SNMP is a commonly available SNMP agent that supports SNMPv3, here are the basic steps to enable SNMPv3 support for that agent.

First, edit the snmpd.conf file, usually found at /etc/snmp/snmpd.conf. Find this section:

###############################################################################
# Further Information
#
#  See the snmpd.conf manual page, and the output of "snmpd -H".
# VACM configuration entries
rwuser initial
# lets add the new user we'll create too:
rwuser opennmsUser
# USM configuration entries
createUser initial MD5 setup_passphrase DES

The "initial" user is the default, and the line "rwuser opennmsUser" adds the OpenNMS user to the agent. Then from the command line run:

snmpusm -v3 -u initial -n "" -l authPriv -a MD5 -A setup_passphrase -x DES -X setup_passphrase localhost create opennmsUser initial

This will clone the "initial" user to "opennmsUser".

Next, you can change the passphrase:

snmpusm -v 3 -u initial -n "" -l authPriv -a MD5 -A setup_passphrase -x DES -X setup_passphrase -Ca -Cx localhost passwd setup_passphrase 0p3nNMSv3 opennmsUser

This sets the passphrase for "opennmsUser" to "0p3nNMSv3" (-Ca applies it to the authentication key and -Cx to the privacy key, which is why the walk below uses the same value for -A and -X).

Finally, restart the snmpd process and you should be able to walk the agent:

snmpwalk -v 3 -u opennmsUser -n "" -l authPriv -a MD5 -A 0p3nNMSv3 -x DES -X 0p3nNMSv3 localhost ifTable

Script for mass configuring SNMP via discovery process

This script is a bit 'hacky', as it uses a list of community strings as a source and then scans your entire set of discovered nodes and tries each SNMP string to gain access. It also verifies DNS and reverse DNS when doing this, to determine other issues. But in the end it will make an optimized list of community string configuration for your snmp-config.xml file.

NOTE: To speed up scanning, your SNMP community string file must be ordered optimally.

You can do this by putting the most likely passwords at the top and the least likely at the bottom.

The example community string file I have given here contains most of the community strings that are DEFAULTED on most devices. Please add your default strings here if you know more.

Your corporate strings should go at the top of this list.

Note 2: this could set off alarms on some network monitoring software, as it is kind of aggressive.

file: CleanScanSNMP.sh

#!/bin/bash
######################################################################################################################
# By Paul Cole - Omdreams@gmail.com
# Used to test SNMP community strings against a list of IPs/hostnames to find which is the right community and
# create the OpenNMS configuration file for it.
# This can take a while.
######################################################################################################################

ColorNorm="\E[0m"
ColorGreen="\E[32m"
ColorYellow="\E[33m"
ColorRed="\E[31m"
ColorBlue="\E[34m"

TOTALNODES=0
COMMUNITY_FILE="snmp-communities.list"
SNMP_FILE="Results/snmp-config.xml"
LOGFILE="Logs/Communities.log"

START="$(date +%s)"


##########################
#  DECLARING FUNCTIONS   #
######################################################################################################################
usage() { # help
#       echo "Usage:$0 setupsnmpconfig.sh -c $COMMUNITY_FILE -s $IP_FILE -o $CSV_FILE -l $LOGFILE -x $SNMP_FILE " 1>&2
echo -e "$ColorYellow

##########################
#  Command Line options  #
######################################################################################################################
#  -c = Filename of community strings : [-c $COMMUNITY_FILE]
#  -x = sets the OpenNMS result file to be cleaned : [-x $SNMP_FILE]
#  -h = this menu
######################################################################################################################
 default example is

$0 -c $COMMUNITY_FILE -x $SNMP_FILE

######################################################################################################################
$ColorNorm
"
        exit 1
 } # help

ctrl_c() { # called by the INT trap below so that Ctrl-C leaves no half-written output behind
        echo -e "\n${ColorRed}Interrupted.${ColorNorm}" >&2
        rm -f "$SNMP_FILE.cleaned"
        exit 130
 } # ctrl_c

############################
# END  DECLARE FUNCTIONS   #
######################################################################################################################


trap ctrl_c INT  ## TRAP CTRL-C to exit cleanly (ctrl_c is defined above)


## parse the command line; every option that takes a value is followed by ':'
while getopts ":c:x:h" o; do
    case "${o}" in
        c|C)
            COMMUNITY_FILE=${OPTARG}
            echo "Using community list $COMMUNITY_FILE" >&2
            ;;
        x|X)
            SNMP_FILE=${OPTARG}
            echo "Selecting OpenNMS xml file at : $SNMP_FILE" >&2
            ;;
        *)
            # display help
            usage
            ;;
    esac
done
shift $((OPTIND-1))

[ -r "$COMMUNITY_FILE" ] || { echo "Community file $COMMUNITY_FILE not found" >&2; exit 1; }
[ -r "$SNMP_FILE" ] || { echo "OpenNMS config $SNMP_FILE not found" >&2; exit 1; }

############################
# BEGIN LOOPING DATA       #
######################################################################################################################

clear
## display opennms logo :)

echo -ne $ColorRed
echo "    )                              )     *      (     ";
echo " ( /(                           ( /(   (  \`     )\ )  ";
echo " )\())             (            )\())  )\))(   (()/(  ";
echo "((_)\    \`  )     ))\    (     ((_)\  ((_)()\   /(_)) ";
echo "  ((_)   /(/(    /((_)   )\ )   _((_) (_()((_) (_))   ";
echo -ne $ColorNorm
echo " / _ \  ((_)_\  (_))    _(_/(  | \| | |  \/  | / __|  ";
echo "| (_) | | '_ \) / -_)  | ' \)) | .\` | | |\/| | \__ \  ";
echo " \___/  | .__/  \___|  |_||_|  |_|\_| |_|  |_| |___/  ";
echo "        |_|                                           ";
echo " CLEANUP SNMP config file "

####### Title Displayed

OUTFILE="$SNMP_FILE.cleaned"
rm -f "$OUTFILE"

echo -ne $ColorRed

## Open xml (the XML declaration has to be the very first line of the file)
echo '<?xml version="1.0"?>' >"$OUTFILE"
echo '<!-- Autogenerated snmp-config.xml file -->' >>"$OUTFILE"
echo '<snmp-config retry="4" timeout="800" version="v2c">' >>"$OUTFILE"
echo "<!-- $(date) -->" >>"$OUTFILE"

## Loop through communities: one merged <definition> per community string.
## Blank lines and '#' comment lines in the community file are skipped.
while IFS= read -r COM || [ -n "$COM" ]
        do
        case "$COM" in ''|\#*) continue ;; esac
        matchstring="definition read-community=\"$COM\""
        ## Collect every non-empty line between each matching <definition ...> and its </definition>.
        ## index() is a fixed-string match, so regex metacharacters in a community string are taken literally.
        Result=$(awk -v pat="$matchstring" '
                index($0, pat)              { inblock = 1; next }
                inblock && /<\/definition>/ { inblock = 0; next }
                inblock && NF               { sub(/^[ \t]+/, ""); print }' "$SNMP_FILE")
        if [ -n "$Result" ]          ## if results are not empty then write results else do nothing
                then
        ## write header
        ## TODO INSERT resulting match to OPENNMS Asset DB ?
                printf '\t<definition read-community="%s">\n' "$COM" >>"$OUTFILE"
                while IFS= read -r line
                        do
                        printf '\t\t%s\n' "$line" >>"$OUTFILE"
                        done <<<"$Result"
                printf '\t</definition>\n' >>"$OUTFILE"
#               echo -ne "-"
                fi
#       echo -ne ".\n"
        done <"$COMMUNITY_FILE"
## close xml

echo '</snmp-config>' >>"$OUTFILE"

## keep the original as .old_dirty, put the cleaned file in its place and announce results
DirtyFile="$SNMP_FILE.old_dirty"
rm -f "$DirtyFile"
cp "$SNMP_FILE" "$DirtyFile"
cp "$OUTFILE" "$SNMP_FILE"
echo -ne $ColorGreen"SUCCESS!  ALL DONE \n\n"$ColorNorm
echo -ne $ColorGreen"  Original file $SNMP_FILE is now cleaned and optimised and old file is now $SNMP_FILE.old_dirty $ColorNorm\n\n"
#echo -ne "$ColorGreen RESULTS AS FOLLOWS $ColorNorm \n\n"
#echo -ne $ColorBlue
#cat $OUTFILE | more
#echo -ne $ColorNorm

File: COMMUNITY_FILE="snmp-communities.list"

This file contains examples of default SNMP strings and may not include all known ones.
## Comment Line - Start
## Known LOCAL LAN SNMP codes first to speed things up
yourcodeshere
## Priority Default SNMP strings here
private
Private
private2
Private2
public2
Public2
Public
PRIVATE
PUBLIC
Private
Public
tiv0li
tivoli
internal
Internal
## Known DEFAULT SNMP codes here
## CODES WITH GREATEST amount of likelihood first for speed (ie Public)
## WRITE CODES FIRST to indicate threat level (IE Private before Public) when found
## Least likely codes put last as they are a 'last ditch effort hunt'
fluke_admin
private2
Private2
public2
Public2
tftp
c1sc0zine
trap
snmp
ilmi
botnet
fluke
optiview
this-is-secret
0
0392a0
1234
2read
4changes
ANYCOM
Admin
C0de
CISCO
CR52401
IBM
ILMI
Intermec
NoGaH$@!
OrigEquipMfr
SECRET
SECURITY
SNMP
SNMP_trap
SUN
SWITCH
SYSTEM
Secret
Security
Switch
System
TEST
access
adm
admin