Lab 01 Network Management - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Helpful Information

Infrastructure Notes

In this lab we are going to configure SNMP services on fw01, web01, and ad01. We are going to configure a network monitoring system called nmon01, where we will query our systems for SNMP properties.

SNMP ---> Simple Network Management Protocol is a protocol for managing and monitoring networked devices. Network admins can monitor devices such as routers, switches, servers, and printers. SNMP is essential for network management and monitoring. The most widely used version of SNMP is version 3, since it is the most secure. Versions 1 and 2 are not very secure, but some systems still use them, so we cannot get rid of them.

SNMP operates by using a client-server model, where the managed devices (servers, routers, etc.) are the servers, and the management systems (network management software) are the clients. The protocol allows the management systems to retrieve information from the managed devices, as well as to send configuration changes and control commands to them.

Key SNMP Components: --->

  • Managed devices
    • These are devices on the network that are monitored and controlled using SNMP. They have SNMP agents installed to collect and store information about the device.
  • SNMP Agents
    • Software modules within managed devices that collect and store information about the device's status and activities.
    • They respond to SNMP queries from management systems and can also send alerts or notifications when predefined thresholds are reached.
  • Management systems/SNMP manager:
    • These are systems or software applications responsible for monitoring and managing the network. They communicate with SNMP agents on managed devices to retrieve information or send commands.

Management Information Base (MIB) --->

SNMP uses a hierarchical structure called a Management Information Base (MIB) to organize and represent the information collected from managed devices. The MIB is a database that defines the structure and organization of the data accessible through SNMP.

Lab Pre-requisites

Configure web01-hannelore

  • Connect to the LAN
  • disable remote root SSH access by setting PermitRootLogin no in /etc/ssh/sshd_config (edit the file with sudo nano /etc/ssh/sshd_config)
  • restart sshd
  • useradd hannelore
  • passwd hannelore
  • usermod -aG wheel hannelore
  • change hostname and IP in nmtui


  • add web01-hannelore to the DNS manager


TROUBLESHOOTING: This is fairly random, but I wanted to ping ad01 from workstation because I could not remember if that was the box that required me to turn off the firewall or not. So I went to turn it off and it prompted me for admin credentials; everything I put in did not work. So I ran the command below to view the admin accounts:

I did it with Administrator with the password 4Hannelore and it worked, but I was not able to do it with any of my other admin accounts.

Configure fw01's SNMP Service

Enable SNMP Services on pfsense

  • Go to services
  • SNMP
  • Enable the SNMP Daemon and its controls


MAKE SURE TO SAVE AT THE BOTTOM

Restart the SNMP service


I created a user in fw01-hannelore so that I could SSH into the system. Turns out I do not need to do this: SSH is just disabled, so if I wanted to I could turn it on and use the VM like a normal FreeBSD box, but I don't need to for these lab purposes.


Configure nmon01-hannelore

  • Connect to the LAN
  • disable remote root SSH access by setting PermitRootLogin no in /etc/ssh/sshd_config (edit the file with sudo nano /etc/ssh/sshd_config)
  • restart sshd
  • useradd hannelore
  • passwd hannelore
  • usermod -aG wheel hannelore
  • change hostname and IP in nmtui


  • add nmon01-hannelore to the DNS manager


Install and test SNMP Client on nmon01

  • SSH into hannelore@nmon01-hannelore
  • sudo yum install net-snmp-utils


Deliverable 1. Take a screenshot of the output that shows some of the SNMP values from fw01

  • nslookup fw01-hannelore
  • snmpwalk -Os -c SYS265 -v2c fw01-hannelore system


Install SNMPD (a SNMP Server) on web01-hannelore

  • ssh to web01-hannelore

TROUBLESHOOTING: I kept not being able to SSH into web01 and nmon01 without going back into the box and checking the nmtui. To fix this I had to set the IP settings to manual instead of automatic, since the automatic IP address just kept overriding the ones I put in.


Install SNMPD (a SNMP Server) on web01

By now you should be remotely managing your Linux systems from MGMT01 via PuTTY or PowerShell/SSH and a named sudo account.

  • Install with sudo yum install net-snmp-utils net-snmp

The default snmp configuration does not suit our purpose. Make a backup copy of /etc/snmp/snmpd.conf and create a new/blank version

  • cp snmpd.conf snmpdBackUp.conf


Edit your new snmpd.conf to reflect the following 4 lines:

  • com2sec myNetwork 10.0.5.0/24 SYS265
  • group myROGroup v2c myNetwork
  • view all included .1 80
  • access myROGroup "" any noauth exact all none none
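
The four lines form a chain: com2sec maps a (source network, community) pair to a security name, group puts that name in a group for the v2c model, access gives the group a read view and no write view, and view says which OID subtree the read view covers. The evaluator below is an added example written for this page (not net-snmp code and not part of the lab); it parses those four lines and walks the chain the way snmpd's View-based Access Control Model does, so you can see which table rejects a query from outside 10.0.5.0/24, with a wrong community, or with a Set. The source addresses fed to it are constructed; hostnames in com2sec and the view mask are not modelled.

```python
"""Model how the lab's four snmpd.conf lines decide whether a v2c query is answered.

Added illustration of net-snmp's View-based Access Control Model (VACM) as it
applies to web01's configuration. Only the four config lines come from the lab;
the evaluator itself is written for this page and is not net-snmp code.
"""
import ipaddress

# The four lines from the lab's snmpd.conf, embedded here as constructed config text.
SNMPD_CONF = """
com2sec myNetwork 10.0.5.0/24 SYS265
group   myROGroup v2c myNetwork
view    all included .1 80
access  myROGroup "" any noauth exact all none none
"""


def parse_snmpd_conf(text):
    """Split snmpd.conf into the four VACM tables, keyed by directive name."""
    tables = {"com2sec": [], "group": [], "view": [], "access": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()          # the lab's lines contain no quoted spaces
        directive, args = fields[0], fields[1:]
        if directive in tables:
            tables[directive].append(args)
    return tables


def oid_in_view(oid, view_name, views):
    """True if oid lies under an 'included' subtree of the named view (mask ignored)."""
    for name, incl, subtree, *_ in views:
        if name != view_name or incl != "included":
            continue
        prefix = subtree.strip(".").split(".")
        if oid.strip(".").split(".")[:len(prefix)] == prefix:
            return True
    return False


def vacm_decide(tables, source_ip, community, oid, write=False):
    """Return (allowed, reason) for a v2c request from source_ip carrying community.

    Follows the lookup order snmpd performs; 'reason' names the table that
    rejected the request so the decision can be explained to a user.
    """
    # 1. com2sec: does (source network, community) map to a security name?
    sec_name = None
    for name, source, comm in tables["com2sec"]:
        net = ipaddress.ip_network("0.0.0.0/0" if source == "default" else source, strict=False)
        if comm == community and ipaddress.ip_address(source_ip) in net:
            sec_name = name
            break
    if sec_name is None:
        return False, "com2sec: community or source network not accepted"

    # 2. group: which group holds that security name for the v2c model?
    group = next((g for g, model, sn in tables["group"]
                  if sn == sec_name and model in ("v2c", "any")), None)
    if group is None:
        return False, "group: security name has no v2c group"

    # 3. access: which read/write views does the group get?
    for g, _ctx, model, _level, _match, read_v, write_v, _notify_v in tables["access"]:
        if g == group and model in ("v2c", "any"):
            view_name = write_v if write else read_v
            break
    else:
        return False, "access: no rule for group"
    if view_name == "none":
        return False, "access: %s view is 'none'" % ("write" if write else "read")

    # 4. view: is the requested OID inside that view?
    if not oid_in_view(oid, view_name, tables["view"]):
        return False, "view: OID outside view %s" % view_name
    return True, "allowed via %s/%s/%s" % (sec_name, group, view_name)


if __name__ == "__main__":
    tables = parse_snmpd_conf(SNMPD_CONF)
    sys_descr = "1.3.6.1.2.1.1.1.0"
    # Constructed addresses: one inside the lab LAN, one outside it.
    print(vacm_decide(tables, "10.0.5.8", "SYS265", sys_descr))
    print(vacm_decide(tables, "10.0.17.5", "SYS265", sys_descr))
    print(vacm_decide(tables, "10.0.5.8", "public", sys_descr))
    print(vacm_decide(tables, "10.0.5.8", "SYS265", sys_descr, write=True))
```

Read through the rejections in order: a correct community from the wrong network fails at com2sec, so the 10.0.5.0/24 restriction does some of the work the community string alone cannot; a Set with the right community fails at access because the write view is "none", which is what makes this a read-only configuration.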


VIM helpful commands

  • gg brings you to the top of the document
  • dG (lowercase d, then Shift+g for uppercase G) deletes from the cursor to the end of the file, so from the top it deletes every line.

enable and start the snmpd service

  • systemctl enable snmpd
  • systemctl start snmpd

check the status of the snmpd service and debug any errors

  • systemctl status snmpd

allow port 161/udp or the snmp service through the firewall permanently

  • firewall-cmd --permanent --add-port=161/udp
  • firewall-cmd --reload
  • firewall-cmd --query-port=161/udp


Deliverable 2. Provide the output from the following command run on nmon01

  • ssh to nmon01-hannelore
  • query web01-hannelore with snmpwalk -Os -c SYS265 -v2c web01-hannelore system


Install SNMP Service on AD01

Figure out how to install the SNMP Service Feature on AD01 using Server Manager on MGMT

  • Go to server manager
  • All Servers (make sure the ad server is there)
  • left click --> Add roles and features


  • add SNMP service feature


Install SNMP Tools on MGMT01

Figure out how to install the SNMP-Tools Remote Administration Feature on MGMT01-hanne

  • Go to server manager
  • Go to add roles and features (for mgmt01-hanne)
  • Go to features
  • Go to Remote Server Administration Tools
    • Feature Administration Tools
    • SNMP Tools


Enable Remote Management on AD01

Remote Computer Management does not work immediately for our remote AD01 Server due to firewall restrictions as seen in the error message.

We will fix this by invoking a remote PowerShell session with AD01 from mgmt01. Figure out how to do that.

  • click on ad01 and go to Windows PowerShell


Change the firewall rules by enabling the "Remote Event Log Management" Firewall group

When we open Computer Management for ad01-hannelore we get an error, and in order to get rid of that error we must enable the firewall rule group on ad01 via PowerShell.


  • Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True


The error when clicking on Computer Management should have gone away now.

SNMP Service Security Properties on AD01

Adjust the SNMP service properties on AD01 to add the SYS265 community string and limit queries to those from nmon01.

  • go to services and applications
    • services
    • SNMP service


  • SNMP Service Properties
  • Add Accepted Community name


  • Accept SNMP Packets from nmon01-hannelore


  • Restart the SNMP Service on ad01

Query AD01 from nmon01

From nmon01, find out how much snmp information is available. In this case, 11843 lines were returned from the SNMP query to ad01.

  • snmpwalk -Os -c SYS265 -v2c ad01-hannelore | wc -l
    • You'll see that 12023 lines were returned


Deliverable 3. Provide the output of the SNMP system values on ad01 with the following command:

  • snmpwalk -Os -c SYS265 -v2c ad01-hannelore system


Capturing SNMP packets nmon01-hannelore ---> web01-hannelore

On web01-hannelore, run tcpdump listening to your primary interface, port 161 (udp/tcp), capturing 10 packets and dumping the packets in ASCII format.

Deliverable 4. Provide a screenshot from the tcpdump session on web01 that shows the clear text community string. Remember, anyone in a position to grab packets between nmon01 and the target can see this string.

  • sudo tcpdump -i ens192 port 161 -c10 -AAA
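
The reason the community string is readable in the tcpdump output is that SNMPv1 and v2c messages are plain BER-encoded structures with no encryption: version, then the community as an OCTET STRING, then the PDU. The decoder below is an added example written for this page (not tcpdump, net-snmp or lab code); it walks a hand-encoded SNMPv2c GetRequest for sysDescr.0 with community SYS265, pulls out the fields, and renders the bytes the way tcpdump -A does so you can see where SYS265 surfaces. The sample datagram is constructed, not captured from the lab; it also notes that an SNMPv3 message has no community field at all, which is the mitigation the later version sections describe.

```python
"""Decode the fields of an SNMPv1/v2c message from its raw BER bytes.

Constructed sample: an SNMPv2c GetRequest for sysDescr.0 with community
"SYS265", the shape of what snmpwalk on nmon01 sends towards udp/161 on web01.
Written for this page; not tcpdump, net-snmp or lab code.
"""
import string

# Constructed sample UDP payload (hand-encoded BER), not a real capture.
SAMPLE_GETREQUEST = bytes.fromhex(
    "3027"                  # SEQUENCE, 39 bytes: the whole message
    "020101"                # INTEGER 1 -> SNMPv2c (v1 is 0, v3 is 3)
    "0406535953323635"      # OCTET STRING "SYS265": the community string, unencrypted
    "a01a"                  # [0] GetRequest-PDU, 26 bytes
    "02021234"              # request-id 0x1234
    "020100"                # error-status 0
    "020100"                # error-index 0
    "300e"                  # VarBindList
    "300c"                  # VarBind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                  # NULL: no value in a request
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn BER OID content octets into dotted notation."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_message(msg):
    """Return the security-relevant fields of an SNMP message.

    For v1/v2c that is the clear-text community string plus PDU type and OIDs;
    a v3 message carries no community field, so None is reported for it.
    """
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return {"version": 3, "community": None, "pdu": None, "request_id": None, "oids": []}
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, req_id, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)         # error-status (non-repeaters for GetBulk)
    _, _, p = read_tlv(pdu, p)         # error-index (max-repetitions for GetBulk)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {
        "version": version,
        "community": community.decode("ascii", errors="replace"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oids": oids,
    }


def ascii_dump(payload):
    """Render bytes the way tcpdump -A does: printable ASCII kept, everything else as '.'."""
    return "".join(chr(b) if b >= 0x20 and chr(b) in string.printable else "." for b in payload)


if __name__ == "__main__":
    print(parse_snmp_message(SAMPLE_GETREQUEST))
    print(ascii_dump(SAMPLE_GETREQUEST))   # "SYS265" is readable in the dump
```

Because the community string sits in the message exactly as typed, anyone who can capture the udp/161 datagrams between nmon01 and the target reads it with no decoding at all, which is the point Deliverable 4 makes and the reason the version notes below recommend SNMPv3.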


Deliverable 5: Additional Research

TCP DUMP

A packet analyzer that allows you to capture and display network traffic on a system. It's a helpful tool for network troubleshooting, monitoring and analysis, and it can capture both incoming and outgoing packets.

Output

  • displays information about captured packets including:
    • source/destination IP addresses
    • protocol
    • packet size
    • timestamp

Common Options

  • -i
    • used for specifying the network interface
  • -n
    • used for displaying numerical addresses instead of resolving hostnames
  • -c
    • used for limiting the number of packets to capture

Community String

Community strings are used in SNMP to authenticate and control access to information on a network device, such as a router or switch.

The community string acts as a basic form of authentication between the SNMP manager (the device making SNMP requests), and the SNMP agent (the device being monitored). It functions like a password, allowing the SNMP manager to access information on the SNMP agent.

Read-Only Community Strings (RO)

  • String that provides read-only access to the SNMP agent.
  • Allows SNMP manager to retrieve information and monitor the device's status, but does not permit making changes to the device's configuration.

Read-Write Community Strings (RW)

  • String that provides read and write access to the SNMP agent
  • In addition to retrieving information, an SNMP manager with the read-write community string can also modify the device's configuration settings.

SNMP Versions 1, 2 and 3

Version 1

  • Released 1988
  • Operates over UDP and uses community strings for authentication
  • Main drawback - lack of security features
    • Communication between devices is in clear text
    • no support for encryption or strong authentication

Version 2

  • Release year: 1993
  • Includes additional protocol operations and enhancements in the structure of management information
  • Has 2 versions
    • SNMPv2c (community-based) ---> More widely adopted
    • SNMPv2u (university)
    • still lacked proper security features

Version 3

  • Release year: 1998
  • Most recent/widely adopted version of SNMP
  • Includes ---> message integrity, authentication, and encryption of SNMP packets
  • Has security models, security levels, and the use of usernames/passwords instead of community strings
  • Most secure version.

While SNMPv1 and SNMPv2 are still in use, SNMPv3 is recommended for environments where security is a significant concern. SNMPv3 provides better authentication and encryption mechanisms, making it more suitable for modern network management practices.
