I. Install the SNMP service 🐳

1. Install the SNMP service and tools

[root@compute ~]# yum -y install net-snmp net-snmp-utils -y

2. Check the version number

[root@compute ~]# snmpd -v

NET-SNMP version: 5.7.2
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net

II. Modify the SNMP Trap configuration files 🐬

1. SNMP V2 Trap configuration file changes

(1) Modify the configuration file

In the configuration file /etc/snmp/snmpd.conf, change the community setting.

vi /etc/snmp/snmpd.conf
...
####
# First, map the community name "public" into a "security name"

# sec.name source community
com2sec notConfigUser default public
...

Change the public community name above to suit your environment. After the change it looks like this:

#       sec.name  source          community
com2sec notConfigUser default Ad123min

(2) Restart the service

# Start the SNMP service
[root@compute ~]# systemctl start snmpd.service
# Enable the SNMP service at boot
[root@compute ~]# systemctl enable snmpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service.

2. SNMP V3 Trap configuration file changes

(1) Modify the configuration file

Modify the configuration file /etc/snmp/snmptrapd.conf by appending one line at the end of the file, in the following format:

createUser -e engineID myuser SHA "my authentication pass" AES "my encryption pass"

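# engineID: the EngineID of the application that will send the trap
# myuser: the USM user name that will send the trap
# SHA: the authentication type (SHA or MD5; SHA is the better choice)
# my authentication pass: the authentication passphrase used to generate the secret authentication key. If it contains spaces, enclose it in quotes
# AES: the encryption type to use (AES or DES; AES is the better choice)
# my encryption pass: the encryption passphrase used to generate the secret encryption key. If it contains spaces, enclose it in quotes. If you leave it out, it is set to the same passphrase as the authentication passphrase.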

Example:

vim /etc/snmp/snmptrapd.conf
# Example configuration file for snmptrapd
#
# No traps are handled by default, you must edit this file!
#
# authCommunity log,execute,net public
# traphandle SNMPv2-MIB::coldStart /usr/bin/bin/my_great_script cold
createUser Ad123min SHA "Ad123min" AES "Ad123min"

(2) Restart the service

# Start the SNMP service
[root@compute ~]# systemctl start snmpd.service
# Enable the SNMP service at boot
[root@compute ~]# systemctl enable snmpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service.
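
As an added example (not part of the original post), the following Python check parses the com2sec line from the V2 step and the createUser line from the V3 step and reports weak settings such as the default public community, MD5 or DES, and reused passphrases. The function name, the finding texts and the third sample line are assumptions made for this example.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_PASSPHRASE = 8  # Net-SNMP requires USM passphrases of at least 8 characters

def audit_snmp_config(text):
    """Return [(line_no, finding)] for com2sec and createUser directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:
            findings.append((no, "unbalanced quotes"))
            continue
        name, args, checks = tok[0].lower(), tok[1:], []
        if args[:1] in (["-Cn"], ["-e"]):
            args = args[2:]  # skip the optional context / engineID argument
        if name == "com2sec" and len(args) >= 3:
            checks = [
                (args[2].lower() in DEFAULT_COMMUNITIES, "default community string"),
                (args[1] == "default", "community accepted from any source address"),
            ]
        elif name == "createuser" and len(args) >= 3:
            user, auth, auth_pass = args[:3]
            priv = args[3].upper() if len(args) > 3 else None
            priv_pass = args[4] if len(args) > 4 else auth_pass  # omitted: same as auth
            checks = [
                (auth.upper() == "MD5", "MD5 authentication"),
                (priv is None, "no encryption type"),
                (priv == "DES", "DES encryption"),
                (min(len(auth_pass), len(priv_pass)) < MIN_PASSPHRASE, "short passphrase"),
                (priv is not None and priv_pass == auth_pass, "auth and encryption passphrases match"),
                (user in (auth_pass, priv_pass), "passphrase equals the user name"),
            ]
        findings += [(no, msg) for bad, msg in checks if bad]
    return findings

# Constructed sample: the page's two lines, then a line with made-up placeholder values.
SAMPLE = '''com2sec notConfigUser default public
createUser Ad123min SHA "Ad123min" AES "Ad123min"
createUser -e 0x8000000001020304 trapuser SHA "constructed-auth-phrase" AES "constructed-priv-phrase"
'''

if __name__ == "__main__":
    for no, finding in audit_snmp_config(SAMPLE):
        print(f"line {no}: {finding}")
```

To check the real files, pass the contents of /etc/snmp/snmpd.conf or /etc/snmp/snmptrapd.conf to audit_snmp_config before restarting the service.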

III. Allow SNMP through the firewall 🐠

1. Open UDP port 162

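(1) Check the firewall status. In the output below the firewall is not running, so no rule needs to be added and all the remaining steps can be skipped.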

[root@compute ~]# firewall-cmd --state
not running

(2) Check the firewall status. In the output below the firewall is running, so a rule needs to be added.

[root@compute ~]# firewall-cmd --state
running

(3) Show all settings of the public zone

[root@compute ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

(4) Modify the configuration file

Modify the configuration file /etc/firewalld/zones/public.xml and add the line <port protocol="udp" port="161"/>

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <port protocol="udp" port="161"/>
  <service name="dhcpv6-client"/>
</zone>

(5) Restart the firewall service

[root@compute ~]# systemctl restart firewalld.service

(6) Restart the SNMP service

[root@compute ~]# systemctl restart snmpd.service