diff --git a/modules/qualifying/learning_centralized_system_monitoring.md b/modules/qualifying/learning_centralized_system_monitoring.md index 1d55817..ad90075 100644 --- a/modules/qualifying/learning_centralized_system_monitoring.md +++ b/modules/qualifying/learning_centralized_system_monitoring.md 
@@ -378,3 +378,40 @@ If for some reason you configured your Linux kernel to only do ipv4, you'll need If you restart the service with `sudo systemctl restart snmpd.service` you're client should be contactable by your server! ![success](./assets/cacti_11.png) + +### Securing the connection to the client + +There are different versions of SNMP and it is highly recommended to run *only* the v3. +It offers encryption and authentication for servers who try to connect to clients. +In order to run v3 you need to install additional packages. +The main tool you need to add users is called `net-snmp-create-v3-user` and it can be installed by running the following command `sudo apt install libsnmp-dev`. +Once this command completes you'll have the necessary programs to add user accounts to your snmpd client. +You can only run this program when the snmpd service is stopped. + +``` +➜ ~ git:(master) ✗ sudo net-snmp-create-v3-user +Apparently at least one snmpd demon is already running. +You must stop them in order to use this command. +➜ ~ git:(master) ✗ sudo systemctl stop snmpd.service +➜ ~ git:(master) ✗ sudo net-snmp-create-v3-user +Enter a SNMPv3 user name to create: +student +Enter authentication pass-phrase: +student2021 +Enter encryption pass-phrase: + [press return to reuse the authentication pass-phrase] +student2021 +adding the following line to /var/lib/snmp/snmpd.conf: + createUser student MD5 "student2021" DES student2021 +adding the following line to /usr/share/snmp/snmpd.conf: + rwuser student +➜ ~ git:(master) ✗ sudo systemctl start snmpd.service +``` + +Now we need to change the authentication settings in the web GUI of cacti. +Go to the `Management->devices` list and choose your client. +Change the version to version 3, put in the login and password and you're good to go. +If all of this is working it's time to stop offering version 1 and version 2. +This is again done on the **client** in the `/etc/snmp/snmpd.conf` file. 
+Locate the line starting with `rocommunity` and comment them out. +Restart the service and now you're only offering v3 connections!
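Review bot: the transcript in this hunk shows `net-snmp-create-v3-user` being run with no options, and the resulting line `createUser student MD5 "student2021" DES student2021` means the "secure" v3 user ends up with MD5 authentication and single-DES privacy, plus `rwuser student`, i.e. read-write access, when Cacti only needs to poll. Since the section is explicitly about securing the connection, the example command should be `sudo net-snmp-create-v3-user -ro -a SHA -x AES`, which creates a read-only user with SHA authentication and AES privacy, and the text should say why (MD5 and DES are legacy algorithms in SNMPv3; a monitoring poller should get the least privilege it needs). The same passphrase `student2021` reused for both authentication and encryption is also worth calling out as a demo-only shortcut. Two smaller points: in the Cacti device step, "put in the login and password" is incomplete, because the v3 form also needs the auth protocol, privacy protocol and privacy passphrase to match whatever `createUser` wrote, otherwise the poll fails; and in the last step, "the line starting with `rocommunity`" should be "the lines" and mention that the stock Debian/Ubuntu `snmpd.conf` ships both `rocommunity` and `rocommunity6` entries, both of which must be commented out before v1/v2c is actually disabled.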