net-snmp Access Control

This should work on any linux distribution using the net-snmp packages.

Install net-snmp and the net-snmp-utils packages.

Edit "/etc/snmp/snmpd.conf" and find the following lines:
# First, map the community name "public" into a "security name"

# sec.name source community

and add a line for each host you will be polling from. i.e.
com2sec notConfigUser 127.0.0.1 <a really, really secure community>
com2sec notConfigUser <some other host> <a really, really secure community>

If you only changed the "source" and "community" columns the following lines should not need to be modified.
# Second, map the security name into a group name:

# groupName securityModel securityName
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

Add a view named "all" in the following section.
####
# Third, create a view for us to let the group have rights to:

# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view all included .1

The following section should not need modifying.
####
# Finally, grant the group read-only access to the systemview view.

# group context sec.model sec.level prefix read write notif
access notConfigGroup "" any noauth exact all none none
Test by running the following command from one of the allowed hosts in the first section and ensuring that you see much more output that the system mib.
snmpwalk -v 2c -c system

Comments

Post a Comment

Popular posts from this blog

YumRepo Error: All mirror URLs are not using ftp, http[s] or file

A very old server that had a service dependant on CentOS 5 Running any yum command resulted in yum check-update Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile YumRepo Error: All mirror URLs are not using ftp, http[s] or file.  Eg. Invalid release/repo/arch combination/ YumRepo Error: All mirror URLs are not using ftp, http[s] or file.  Eg. Invalid release/repo/arch combination/ YumRepo Error: All mirror URLs are not using ftp, http[s] or file.  Eg. Invalid release/repo/arch combination/ The answer was that the mirrorlists needed to be updated to point at the last version of CentOS 5. Stolen from here:  https://www.linuxquestions.org/questions/centos-111/yumrepo-error-centos-5-9-a-4175604669/#post5704920 echo "http://vault.centos.org/5.11/os/x86_64/" > /var/cache/yum/base/mirrorlist.txt echo "http://vault.centos.org/5.11/extras/x86_64/" > /var/cache/yum/extras/mirrorlist.txt echo "http://vault.centos.org/5.11/updat
Read more

Linux: Permanent CIFS/SMB mount

I needed to permanently mount a directory on a Windows server that had spaces in the path. I also wanted to use a credentials file so that the remote server username and password would not be in the world readable fstab file. The following was cobbled together from: Mount samba shares with utf8 encoding using cifs and: Mount password protected network folders Create a credentials file (as root) containing the username and password and restrict it's ability to be read by other users (/etc/fstab is world readable). vi /root/.smbcredentials username=someusername password=somepassword Save and exit the file. Change the file permissions to only be readable by root. chmod 600 /root/.smbcredentials Update the fstab file Add the following line to /etc/fstab (spaces are replaced with \040  or the mount will fail) // ip address / c$/Program\040Files/Microsoft\040SQL\040Server/ /var/backups/Server cifs credentials=/root/.smbcredentials,iocharset=utf8,sec=ntlm 0 0 Exit and s
Read more

Plesk - Decrypt FTP Passwords

I was working on a project where Plesk user details were being imported into a database and it would help to know the password. Since Plesk 11 the Plesk Client account is hashed which makes it unrecoverable, but other passwords are encrypted with 128 bit AES encryption and a salt. If the FTP login name is the same as the client login there is a chance the customer was lazy and used the same details. To decrypt the passwords you will need the server secret key and the password string from the plesk database. The server secret key can be retrieved with the following command on a linux server: cat /etc/psa/private/secret_key | base64 Matching FTP logins (and their encrypted password) can be retrieved from the Plesk database with: SELECT REPLACE(s.home, '/var/www/vhosts/', '') AS domain, c.login, a.password FROM clients c LEFT JOIN sys_users s ON s.login = c.login LEFT JOIN accounts a on s.account_id = a.id; The results will look like: +-------------------
Read more