So apparently SNMP should be secured: SNMPv1 and v2c send the community string in clear text, so disable write access if you don’t need it, and use SNMPv3 (with authentication and privacy) instead of the other versions.
I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So I configured me some ProCurve and went on my way.
Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.
Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same way with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is painfully unclear:
auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key (LSB). If authentication is only required, 20 bytes should be entered; if authentication and privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)
In ProCurve land, I enter plaintext passwords for both authentication and privacy, and the switch derives the keys for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.
After a few hours of head scratching, here’s what I did.
- CLI access to your switch
- A linux machine. I’m using Ubuntu Server.
Log into your switch and type:
enable
show snmp engine id
It’ll spit out an engineID (a hex string). Make note of it: SNMPv3 keys are localized to the engine ID, so keys generated for one switch won’t work on another, and if the engine ID ever changes the user has to be recreated.
On your linux machine, you’ll need the snmpkey utility, which ships with the Net::SNMP Perl module. I installed it with the following:
sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl
Then, run the following command to generate the mysterious keys:
snmpkey sha <auth_password> <engine_id> des <priv_password>
It should return an authKey and a privKey, both as hex strings. The authKey is the 20-byte SHA-localized key (40 hex digits) and the privKey is the 16-byte DES key (32 hex digits), 36 bytes in total, which is exactly what the Dell documentation is asking for.
Back on your switch, move up to the config mode (type enable and config), then create a SNMPv3 group:
snmp-server group operatorauth v3 priv
Then create the user and assign it to that group:
snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>
Make sure there’s no space between the authKey and the privKey, and if snmpkey prefixes them with 0x, drop it. This will create a user named snmpuser in the operatorauth group; because the group was created with priv, requests that aren’t both authenticated and encrypted will be refused. And you’re done! One caveat: DES is a weak cipher by today’s standards, so if your switch firmware offers AES for SNMPv3 privacy, prefer it. The keys you just typed are also secrets on par with passwords, and they’ll show up in the running config, so treat backups of it accordingly.
If you’ve got snmpwalk installed on your linux server, test the connection with:
snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>
With any luck, you should see a stream of OIDs. If instead you get a timeout or an authentication failure, the usual culprit is a mismatch between the engine ID used to generate the keys and the one on the switch, or a typo in one of the passwords.
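To see what snmpkey is actually doing, and to build the 36-byte string without the Perl modules, here is an added Python example (not code from the original post, from Dell, or from Net::SNMP) that implements the RFC 3414 password-to-key and key-localization steps. It assumes the engine ID is the hex string the switch prints (with or without 0x, colons or periods), and that, as RFC 3414 specifies for DES, the privacy key is the first 16 bytes of the SHA-localized key of the privacy password. The passwords and engine ID in the main block are constructed placeholders; the RFC 3414 "maplesyrup" test vector is used as a known-answer check.

```python
"""RFC 3414 (SNMPv3 USM) key derivation for Dell PowerConnect auth-sha-key.

Added example; not from the original post, Dell, or Net::SNMP. It reproduces
the authKey/privKey that `snmpkey sha <auth_pw> <engine_id> des <priv_pw>`
derives, using only the Python standard library.
"""
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: the password is expanded to exactly 1 MiB


def password_to_key(password: str, algorithm: str = "sha1") -> bytes:
    """RFC 3414 A.2 'password to key': hash 1 MiB of the password repeated
    back to back. Returns Ku (20 bytes for SHA-1, 16 bytes for MD5)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(MEGABYTE, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 section 2.6 key localization: Kul = H(Ku || engineID || Ku).
    This is why the switch's engine ID is needed and why a localized key
    only works on that one engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Turn the engine ID as a switch prints it (optionally '0x'-prefixed,
    bytes separated by ':' or '.') into raw bytes."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    for sep in (":", ".", " "):
        cleaned = cleaned.replace(sep, "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("engine ID must be a whole number of hex bytes")
    return bytes.fromhex(cleaned)


def dell_sha_des_keys(auth_password: str, priv_password: str, engine_id: str) -> str:
    """Build the 36-byte (72 hex digit) <authKey><privKey> string that the
    PowerConnect `auth-sha-key` argument expects: 20-byte SHA-localized
    authentication key followed by the 16-byte DES privacy key."""
    engine = parse_engine_id(engine_id)
    auth_key = localize_key(password_to_key(auth_password), engine)
    # RFC 3414 8.1.1.1: DES uses a 16-octet privacy key (8 bytes DES key,
    # 8 bytes pre-IV), so the 20-byte SHA-localized key is truncated.
    priv_key = localize_key(password_to_key(priv_password), engine)[:16]
    return (auth_key + priv_key).hex()


def rfc3414_self_test() -> bool:
    """Known-answer test from RFC 3414 appendix A.3: password 'maplesyrup',
    engineID 00 00 00 00 00 00 00 00 00 00 00 02, for both MD5 and SHA-1."""
    engine = bytes.fromhex("000000000000000000000002")
    expected = {
        "md5": ("9faf3283884e92834ebc9847d8edd963",
                "526f5eed9fcce26f8964c2930787d82b"),
        "sha1": ("9fb5cc0381497b3793528939ff788d5d79145211",
                 "6695febc9288e36282235fc7151f128497b38f3f"),
    }
    for algo, (ku_hex, kul_hex) in expected.items():
        ku = password_to_key("maplesyrup", algo)
        if ku.hex() != ku_hex or localize_key(ku, engine, algo).hex() != kul_hex:
            return False
    return True


if __name__ == "__main__":
    assert rfc3414_self_test(), "RFC 3414 known-answer test failed"
    # Constructed placeholder values; replace with your own passwords and
    # the engine ID from `show snmp engine id` on the switch.
    engine_id = "80:00:02:a2:03:00:11:22:33:44:55"
    keys = dell_sha_des_keys("AuthPassw0rd!", "PrivPassw0rd!", engine_id)
    print("snmp-server user snmpuser operatorauth auth-sha-key " + keys)
```

The self-test covers the only vectors the RFC publishes; the DES truncation is what makes the output line up with the 36 bytes the Dell docs ask for, and the same passwords run through snmpwalk on the Linux side will go through the identical derivation against the engine ID the switch reports.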
If anyone has a smarter way to generate the keys, please let me know in the comments!