Change AuthPass and CryptoPass to their respective passwords.
If needed, change MD5 to SHA1 and DES to AES.
snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost
In this post we’ll see how we can configure AirOS SNMP settings from the command line.
ubntmod command with save without rebooting.
./ubntmod.sh -i 192.168.1.20 -s "private;monitor@incredigeek.com;[30.69636, -88.04811]" -X '/usr/etc/rc.d/rc.softrestart save'
Alternative manual method.
ssh ubnt@192.168.1.20
Open config file
vi /tmp/system.cfg
Find the SNMP settings and modify as needed. Example below
snmp.community=private
snmp.contact=monitor@incredigeek.com
snmp.location=[30.69636, -88.04811]
Save and exit file with :x
Apply settings
/usr/etc/rc.d/rc.softrestart save
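The manual edit above, scripted as an added example (not code from the original post or from Ubiquiti): it sets the three snmp.* keys shown here on a local copy of system.cfg. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# set_cfg_key FILE KEY VALUE
# Rewrites the KEY=... line in FILE (duplicates collapse to one) or appends it.
# KEY and VALUE reach awk through the environment, so "[", "&", "\" and
# spaces in a value are written literally instead of being interpreted.
set_cfg_key() {
    tmp=$(mktemp) || return 1
    CFG_KEY=$2 CFG_VAL=$3 awk '
        BEGIN { k = ENVIRON["CFG_KEY"]; v = ENVIRON["CFG_VAL"]; n = length(k) + 1 }
        substr($0, 1, n) == (k "=") { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# apply_snmp_settings FILE COMMUNITY CONTACT LOCATION
apply_snmp_settings() {
    set_cfg_key "$1" snmp.community "$2" &&
    set_cfg_key "$1" snmp.contact "$3" &&
    set_cfg_key "$1" snmp.location "$4"
}

# Constructed sample standing in for a copy of /tmp/system.cfg.
make_sample_cfg() {
    cat > "$1" <<'EOF'
users.1.name=ubnt
snmp.community=public
snmp.contact=
snmp.status=enabled
EOF
}

demo=$(mktemp)
make_sample_cfg "$demo"
apply_snmp_settings "$demo" private 'monitor@incredigeek.com' '[30.69636, -88.04811]'
cat "$demo"
rm -f "$demo"
```

Existing keys are rewritten in place and a missing key (snmp.location in the sample) is appended, so running it twice leaves the file unchanged.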
The following works for setting the SNMPv3 configuration on Cambium 450i 900’s. Once applied, it’ll change the SNMP settings and reboot the radio.
You’ll need to find the hashed password which can be found in a config backup.
Change the SNMP username/community as needed.
{
"userParameters": {
"snmpConfig": {
"user2Group": 0,
"snmpv3EngineId": "007000a9840a003e464e7a",
"rwAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"commStringROnly": "rocommunitystring2",
"user2PrivPassword": "",
"user1AuthPassword": "",
"snmpv3AuthProt": 0,
"snmpv3TrapEnable": 0,
"snmpv3PrivProt": 0,
"snmpMibPerm": 1,
"roAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"commStringRW": "communitystring",
"userGroup1": 0,
"user1Enable": 0,
"snmpv3SecLvl": 2,
"user2Enable": 0,
"rwUserName": "Canopy",
"roUserName": "snmpv3user",
"roPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"userName1": "",
"snmpPort": 161,
"rwUserEnable": 0,
"trapDomainNameAppend": 0,
"rwPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"user1PrivPassword": "",
"userName2": "",
"user3PrivPassword": "",
"user2AuthPassword": "",
"userName3": "",
"user3Enable": 0,
"snmpTrapPort": 162,
"user3AuthPassword": "",
"user3Group": 0,
"trapDelayAfterBootup": 5,
"snmpIpAccessFilter": [
{
"address": "192.168.0.0",
"netmask": 24
},
{
"address": "10.0.1.0",
"netmask": 24
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
}
],
"snmpTrapAddresses": [
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0"
]
}
}
}
Setting up SNMP via WinBox is straightforward. The following commands show how to set it up from the command line, with some troubleshooting info at the end.
Set up the community (change v3Private, encpass, and authpass to their respective names or passwords)
snmp community add name=v3Private encryption-protocol=DES encryption-password=encpass authentication-password=authpass security=private
Enable and set SNMP community (Trap Community needs to match the above command. Change contact and the location as needed.)
snmp set enabled=yes contact=admin@incredigeek.com location=DeviceLocation trap-community=v3Private
Sometimes, for no apparent reason, RouterOS will have issues using the default community. The workaround is to create and use a new community.
Cannot connect with AES encryption
AES doesn’t always seem to work reliably. It seems to work on some devices and not others. The workaround is to use DES.
Log shows Permission Denied
Double check the allowed from addresses, user, and passwords
Don’t know if this is the recommended way to delete a user, but it seems to work.
sudo service snmpd stop
Open up the snmpd.conf file in /var/lib and find the line with the SNMP user and delete the line
sudo vi /var/lib/snmp/snmpd.conf
The above file may be in the following location on RPM based systems.
sudo vi /var/lib/net-snmp/snmpd.conf
Save, exit, and start snmpd
sudo service snmpd start
These steps work for Ubuntu, but should work for any Debian based distro as well as CentOS, Fedora, RedHat etc.
The commands are for CentOS, but should work on Fedora and RedHat.
If semanage is not installed refer to here.
You would typically use this along with the system’s firewall to allow a port through. Guide for firewalld and iptables. If you change the port in the firewall and fail to add/edit it in semanage, you can get weird behavior like sshd not wanting to start after changing the port.
Add port
semanage port -a -t ssh_port_t -p tcp 2222
The above command allows the sshd service to start, using port 2222.
List allowed ports
semanage port -l
You can use grep to filter the results
Example:
[admin@localhost ~]# semanage port -l | grep ssh
ssh_port_t tcp 2222, 22
[admin@localhost ~]#
Delete port
semanage port -d -p tcp 2222
Other examples
Allow SNMP
semanage port -a -t snmp_port_t -p udp 161
Where AuthPass is your SNMPv3 Authorization password and CryptoPass is your SNMPv3 Encryption password.
snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost
If you’re not using encryption, you should be able to drop the “-x DES” and “-X CryptoPass” options and change the “-l” option from “authPriv” to “authNoPriv”.
Log into the XenServer via SSH, or get a console through XenCenter.
Open up the snmpd.conf file with your favorite text editor, nano, vi etc.
vi /etc/snmp/snmpd.conf
Find the following line
com2sec notConfigUser default public
and change the source “default” to the allowed IP ranges and the community “public” to whatever you want your new community string to be.
Example:
com2sec notConfigUser 192.168.1.0/24 privateString
Save, exit and start snmpd
service snmpd start
Add the following line in your iptables config. It needs to be above the COMMIT line.
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m udp -p udp --dport 161 -j ACCEPT
Restart iptables
service iptables restart
You should be good to go.
SSH into the VMware server
ssh root@vmwareserver
Set the auth and priv types
esxcli system snmp set -a MD5 -x AES128
Generate hashes
The hashes are needed to create the user. Replace authpass and privhash with the passwords you want.
esxcli system snmp hash --auth-hash authpass --priv-hash privhash --raw-secret
Create user
Replace authhash and privhash with the auth and priv hashes returned from the above command.
esxcli system snmp set -e yes -C contact@incredigeek.com -u snmpuser/authhash/privhash/priv
Single line Command
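Change authpassword and privpassword to your authentication and private passwords, and the contact value to your contact address. This assumes the hash command prints its results on lines labelled Authhash: and Privhash:, which are captured into the authhash and privhash variables.
authpass="authpassword" && privpass="privpassword" && contact="contact@incredigeek.com" && esxcli system snmp set -a MD5 -x AES128 && hashes=$(esxcli system snmp hash --auth-hash "${authpass}" --priv-hash "${privpass}" --raw-secret) && authhash=$(echo "${hashes}" | awk '/Authhash/ {print $2}') && privhash=$(echo "${hashes}" | awk '/Privhash/ {print $2}') && esxcli system snmp set -e yes -C "${contact}" -u "snmpuser/${authhash}/${privhash}/priv"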
View SNMP Configuration
esxcli system snmp get
All the following commands should work on Ubuntu, or just about any other Debian based Linux distro. If you have a firewall on the server, you’ll need to allow UDP on port 161.
Install SNMP
Install snmp, snmpd, and libsnmp.
sudo apt-get -y install snmp snmpd libsnmp-dev
Stop the snmpd service so we can add a user
sudo service snmpd stop
Add SNMP v3 user
sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X CryptoPassword -a MD5 -x AES privUser
Change System Location, System Contact, and allow SNMP on all interfaces
Open up the SNMP config file usually in /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf
Search for “sysLocation” and change to whatever your system location is.
Search for “sysContact” and change it. It should be right underneath sysLocation.
Now allow SNMP on all interfaces. Find the following line and comment it out.
agentAddress udp:127.0.0.1:161
Add a # to the beginning.
#agentAddress udp:127.0.0.1:161
Now find this line (should be a couple lines down from the line you just commented out)
#agentAddress udp:161,udp6:[::1]:161
and uncomment it
agentAddress udp:161,udp6:[::1]:161
That will enable it so you can read the SNMP info using the server’s IP address, as opposed to being limited to localhost.
Start the SNMP service and Test
Start the SNMP service
service snmpd start
Test with
snmpwalk -v3 -a MD5 -A AuthPassword -x AES -X CryptoPassword -l authPriv -u privUser localhost
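A check for the two snmpd.conf settings edited in the XenServer and Ubuntu steps above (the com2sec source and community, and the agentAddress listeners), added here as an example and not part of the original posts. The function names, the mgmtUser entry and the sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_snmpd_conf FILE
# Prints one WARN line per risky com2sec setting and one INFO line per
# agentAddress listener; exit status is 1 when any WARN was printed.
audit_snmpd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        tolower($1) == "com2sec" {
            i = ($2 == "-Cn") ? 4 : 2               # skip optional -Cn CONTEXT
            name = $i; src = $(i + 1); comm = $(i + 2)
            if (src == "default") {
                print "WARN com2sec " name ": source default accepts any address"; warn++
            }
            if (comm == "public") {
                print "WARN com2sec " name ": community is still public"; warn++
            }
        }
        tolower($1) == "agentaddress" {
            n = split($2, addr, ",")
            for (j = 1; j <= n; j++) {
                scope = (addr[j] ~ /127\.0\.0\.1|localhost|\[::1\]/) ? "loopback" : "network"
                print "INFO listener " addr[j] " scope=" scope
            }
        }
        END { exit (warn > 0) }
    ' "$1"
}

# Constructed sample combining the two configurations discussed above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
com2sec notConfigUser default public
com2sec mgmtUser 192.168.1.0/24 privateString
#agentAddress udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161
EOF
}

demo=$(mktemp)
write_sample_conf "$demo"
audit_snmpd_conf "$demo" || echo "review the WARN lines above"
rm -f "$demo"
```

On the sample, the uncommented agentAddress line is reported as a network-scope listener for udp:161 while udp6:[::1]:161 stays loopback-only, which is the exposure the firewall rule for UDP port 161 then has to cover.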