For most common Linux-based applications and devices, enabling the SNMP background service is an essential step in configuring your host for monitoring. The goal of this page is to provide a general understanding of how to configure SNMP on your Linux host and how to troubleshoot issues caused by iptables blocking SNMP or NTP traffic. Depending on your configuration, additional adjustments may be necessary.
To ensure that you have sufficient permission, you should become root or use the sudo command for the following configuration steps.
1. Edit your /etc/snmp/snmpd.conf file to declare your read-only community string (think of it as a password). It is recommended that you replace your entire /etc/snmp/snmpd.conf with the simple version below. Be sure to replace “$CommunityString” with the community string you are using:
rocommunity $CommunityString <10.0.0.0/8>
2. You may either replace the entire text file or prepend the above line to the top of the file. It is recommended that you back up your existing file:
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.old
3. The IP range (shown in angle brackets in step 1) is optional. If set, only hosts within that network/mask combination will be able to query snmpd, so ensure it contains the IP address of the LogicMonitor collector(s) that will monitor this Linux device. Omitting the IP range allows queries from all addresses.
4. If you are running Dell hardware you will also want to include these lines in snmpd.conf so the underlying hardware can be monitored via the Dell OpenManage suite of packages:
smuxsocket 127.0.0.1
smuxpeer .1.3.6.1.4.1.674.10892.1
5. After updating the snmpd.conf file, set snmpd to start on boot and start it now:
chkconfig snmpd on
service snmpd restart
For instructions specific to the Linux distribution you are using, see the RedHat/CentOS and Debian/Ubuntu sections below.
RedHat/CentOS
1. Install the RPM:
yum install net-snmp
2. Optionally, you can install snmpwalk and other tools that can be useful for troubleshooting:
yum install net-snmp-utils
3. Move the default config file and keep it as backup:
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original
4. Define an snmp community in a new config file:
echo "rocommunity notpublic" > /etc/snmp/snmpd.conf
Note the following:
If you are using sudo, the command may look like:
sudo sh -c "echo 'rocommunity notpublic' > /etc/snmp/snmpd.conf"
Optionally, you can include an IP address or a range of IP addresses to restrict which IP addresses can connect to your system via SNMP. To do this, add the IP address after the community string in the command above:
echo "rocommunity notpublic 10.9.8.0/24" > /etc/snmp/snmpd.conf
5. Start the daemon, and set it to start on server boot. For RedHat/CentOS 7.0 you can use the following commands:
systemctl restart snmpd.service
systemctl enable snmpd.service
For older versions of RedHat/CentOS, use the following commands:
/etc/init.d/snmpd restart
chkconfig snmpd on
Debian/Ubuntu
1. Install the snmpd package:
apt-get install snmpd
2. Back up the original snmpd.conf file
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
3. Create a new snmpd.conf file, replacing “logicmonitor” with the community string that you are using.
echo "rocommunity logicmonitor" > /etc/snmp/snmpd.conf
4. Edit the snmpd file.
5. Comment out the following line (or similar):
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -p /var/run/snmpd.pid'
6. Add the following line below the line you commented out:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
7. If you are running iptables, make the following exception, replacing “10.1.1.10” with the IP of your collector machine:
iptables -A INPUT -p udp -s 10.1.1.10 --dport 161 -j ACCEPT
8. Save and close the file.
9. Depending on your environment, execute one of the following sets of commands to restart snmpd and set it to start on server boot:
systemctl restart snmpd
systemctl enable snmpd

service snmpd start
chkconfig snmpd on
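The rocommunity lines written in the procedures above can be linted before snmpd is restarted. The following sh function is an added example, not LogicMonitor's code: it flags a template placeholder left in place, the well-known default community strings public and private, and a missing source restriction. The sample config is constructed, and treating the sources "default" and "0.0.0.0/0" as unrestricted is an assumption of this example.

```sh
#!/bin/sh
# Added example: lint the rocommunity lines of an snmpd.conf.
# Prints one finding per line ("<line number>: <finding>");
# exit status is 1 if anything was found, 0 if the file is clean.
audit_snmpd_conf() {
    awk '
        /^[ \t]*(#|$)/      { next }   # skip comments and blank lines
        $1 != "rocommunity" { next }   # only the directive this page uses
        {
            comm = $2; src = $3
            # Placeholder copied verbatim from the template line
            if (comm ~ /^\$/ || src ~ /^</) {
                print NR ": template placeholder left in place"; bad = 1
            }
            # Well-known default community strings
            if (comm == "public" || comm == "private") {
                print NR ": default community string \"" comm "\""; bad = 1
            }
            # No source field (or a match-all source, assumed here to be
            # "default" or "0.0.0.0/0") lets any host query snmpd
            if (src == "" || src == "default" || src == "0.0.0.0/0") {
                print NR ": no source restriction"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample covering the variants shown on this page
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's config
rocommunity $CommunityString <10.0.0.0/8>
rocommunity notpublic
rocommunity public 10.9.8.0/24
rocommunity notpublic 10.9.8.0/24
EOF
audit_snmpd_conf "$sample" || echo "findings above: fix before starting snmpd"
rm -f "$sample"
```

On a real host, call audit_snmpd_conf /etc/snmp/snmpd.conf and use its exit status to gate the restart.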
Adding Firewall Rules
The following procedures detail how to allow both SNMP and NTP access for Linux devices.
Adding Firewall Rules Using iptables
1. Access the command shell of the Linux host (via ssh or from the console).
2. Open the file /etc/sysconfig/iptables in an editor.
3. After the line similar to “-A RH-Firewall-1-INPUT -p udp --dport 5353”, add the following lines to the INPUT section:
-A RH-Firewall-1-INPUT -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 123 -j ACCEPT
4. Save and close the file.
5. Restart the firewall service using the following command:
service iptables restart
Adding Firewall Rules Using firewalld
Use the following commands to add firewall rules using firewalld:
firewall-cmd --permanent --add-port=161/udp
firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload
firewall-cmd --permanent --list-all