This is just a small post on how to enable SNMP on a Lastline Advanced Malware Protection appliance in order to query the basic host and network MIBs from an SNMP monitoring server. Note that this is not the preferred method of monitoring a Lastline device; the Product API (PAPI) should be used instead, as shown in the online docs. However, basic SNMP gives access to the CPU, memory, load average and the network interface statistics, including the anonymous VPN tunnel interfaces.
Since all Lastline devices are basically an Ubuntu server, the basic setup for SNMP is quite similar to my tutorial for a generic Linux. The only step missing there is the allow rule for the Uncomplicated Firewall (ufw).
The basic steps are the following. Install the snmpd package and verify that it is running:
sudo apt-get update
sudo apt-get install snmpd snmp

monitoring@jw-lastline01:~$ sudo netstat -tulpen | grep snmp
udp        0      0 0.0.0.0:39103           0.0.0.0:*                           0          229940943  3833/snmpd
udp        0      0 127.0.0.1:161           0.0.0.0:*                           0          229940944  3833/snmpd
Note that snmpd is only listening on the localhost (127.0.0.1) IPv4 address so far. Change the following settings in the config file so that it listens on all IPv4 addresses and serves the whole tree read-only to the configured community string (here limited to sources in 192.168.0.0/16), then restart the daemon:
sudo nano /etc/snmp/snmpd.conf

agentAddress udp:161
rocommunity THISISTHEKEY 192.168.0.0/16

sudo service snmpd restart

monitoring@jw-lastline01:~$ sudo netstat -tulpen | grep snmp
udp        0      0 0.0.0.0:161             0.0.0.0:*                           0          230009702  22622/snmpd
udp        0      0 0.0.0.0:33882           0.0.0.0:*                           0          230009701  22622/snmpd
Now, the daemon is listening on every local IPv4 address (0.0.0.0).
The Lastline Ubuntu image uses the Uncomplicated Firewall (ufw), whose policy looks like this:
monitoring@jw-lastline01:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
10025/tcp                  ALLOW       Anywhere
123/udp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW       198.19.0.0/16
That is, SNMP (UDP port 161) is not yet permitted. Allow it by adding the following rule:
monitoring@jw-lastline01:~$ sudo ufw allow snmp
Rule added

monitoring@jw-lastline01:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
10025/tcp                  ALLOW       Anywhere
123/udp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW       198.19.0.0/16
161                        ALLOW       Anywhere
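As a check on the two steps above (the snmpd bind address and the ufw rule), here is a small POSIX shell script, added for this post and not part of the Lastline image or its documentation, that parses the text output of sudo netstat -tulpen | grep snmp and sudo ufw status and reports in one token whether snmpd is listening and which sources the firewall lets through to UDP/161. The sample outputs embedded in it are constructed from the listings above so that it runs offline; on the appliance you would pipe the live command output in instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify the snmpd listener and
# the ufw rule from the text output of `sudo netstat -tulpen | grep snmp`
# and `sudo ufw status`. The samples below are constructed from the post's
# listings so the script runs offline.

NETSTAT_BEFORE='udp   0  0 0.0.0.0:39103   0.0.0.0:*  0  229940943  3833/snmpd
udp   0  0 127.0.0.1:161   0.0.0.0:*  0  229940944  3833/snmpd'

NETSTAT_AFTER='udp   0  0 0.0.0.0:161     0.0.0.0:*  0  230009702  22622/snmpd
udp   0  0 0.0.0.0:33882   0.0.0.0:*  0  230009701  22622/snmpd'

UFW_BEFORE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW       198.19.0.0/16'

UFW_AFTER="$UFW_BEFORE
161                        ALLOW       Anywhere"

# snmp_bind_addr: print the local address snmpd binds on UDP port 161
# (netstat output on stdin); exit 1 if there is no such listener.
snmp_bind_addr() {
    awk '$1 == "udp" && $4 ~ /:161$/ && $NF ~ /\/snmpd$/ {
             sub(/:161$/, "", $4); print $4; found = 1
         }
         END { if (!found) exit 1 }'
}

# ufw_rule_source TO: print the "From" column of the ALLOW rule whose "To"
# column equals TO (e.g. 161 or 161/udp); ufw status on stdin; exit 1 if absent.
ufw_rule_source() {
    awk -v to="$1" '$1 == to && $2 == "ALLOW" { print $3; found = 1 }
                    END { if (!found) exit 1 }'
}

# check_snmp_exposure NETSTAT_TEXT UFW_TEXT: print one token describing the
# state; exit 0 only when snmpd listens and ufw lets UDP/161 through.
check_snmp_exposure() {
    addr=$(printf '%s\n' "$1" | snmp_bind_addr) || {
        echo "not-listening"; return 1; }
    # `ufw allow snmp` shows up as "161", a protocol-specific rule as "161/udp".
    src=$(printf '%s\n' "$2" | ufw_rule_source 161) ||
    src=$(printf '%s\n' "$2" | ufw_rule_source 161/udp) || {
        echo "listening-on-$addr-firewalled"; return 1; }
    echo "listening-on-$addr-allowed-from-$src"
}

# Demo with the constructed samples: state before and after the post's changes.
check_snmp_exposure "$NETSTAT_BEFORE" "$UFW_BEFORE" || true
check_snmp_exposure "$NETSTAT_AFTER" "$UFW_AFTER"
```

Note that ufw allow snmp opens port 161 to every source, so the rocommunity line in snmpd.conf is the only thing limiting who can read the tree. If the monitoring server sits in a known network, a narrower rule such as sudo ufw allow from 192.168.0.0/16 to any port 161 proto udp (my suggestion, not a step from the post) keeps the firewall in line with the community restriction; ufw then lists the rule as 161/udp and the script reports that network instead of Anywhere.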
A first test with snmpwalk against the appliance's own IP address looks like this:
monitoring@jw-lastline01:~$ snmpwalk -v 2c -c THISISTHEKEY 192.168.120.20 .1.3.6
iso.3.6.1.2.1.1.1.0 = STRING: "Linux jw-lastline01 3.13.0-100-generic #147~precise1-Ubuntu SMP Wed Oct 19 00:06:40 UTC 2016 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (979) 0:00:09.79
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "jw-lastline01"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
^C
Now point your SNMP monitoring software at the appliance; I am using MRTG with Routers2 (old but stable), as shown here. To my mind, at least the interface statistics for the anonymous VPN tunnels (llanonvpn0 and llanonvpn1) are interesting, because you don't see them in the GUI under Appliance -> Metrics. Here are some sample graphs from my Lastline pinbox in the monthly view:
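To graph the tunnel interfaces you need their ifIndex, and because llanonvpn0/1 are created at runtime that index is best resolved from the ifDescr table rather than hard-coded. The following POSIX shell script is an added example, not code from the post or from Lastline: it reads an ifDescr walk (snmpwalk -v 2c -c THISISTHEKEY 192.168.120.20 .1.3.6.1.2.1.2.2.1.2 on the appliance), maps an interface name to its ifIndex, builds the IF-MIB octet-counter OIDs for it, and emits the corresponding MRTG Target line. The walk output embedded below is constructed and its index values are made up; only the OID layout (ifDescr .1.3.6.1.2.1.2.2.1.2, ifInOctets .10, ifOutOctets .16, ifHCInOctets .1.3.6.1.2.1.31.1.1.1.6, ifHCOutOctets .10) is real.

```shell
#!/bin/sh
# Added example, not from the original post: resolve an interface name to
# its ifIndex from `snmpwalk ... .1.3.6.1.2.1.2.2.1.2` output and build the
# octet-counter OIDs an MRTG target polls. The walk below is constructed and
# the indexes are made up; the OID layout is IF-MIB's.

IFDESCR_WALK='iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
iso.3.6.1.2.1.2.2.1.2.5 = STRING: "llanonvpn0"
iso.3.6.1.2.1.2.2.1.2.6 = STRING: "llanonvpn1"'

# if_index NAME: print the ifIndex (last OID component) of the interface
# whose ifDescr equals NAME; walk output on stdin; exit 1 if not found.
if_index() {
    awk -v name="$1" '$2 == "=" && $3 == "STRING:" {
             d = $0; sub(/^.*STRING: /, "", d); gsub(/"/, "", d)
             if (d == name) { n = split($1, o, "."); print o[n]; found = 1 }
         }
         END { if (!found) exit 1 }'
}

# counter_oid NAME DIR [hc]: print the numeric OID of NAME's octet counter;
# DIR is "in" or "out". With a third argument "hc" the 64-bit ifXTable
# counters are used instead of the 32-bit ifTable ones. Walk on stdin.
counter_oid() {
    idx=$(if_index "$1") || return 1
    case "$2/${3:-32}" in
        in/32)  echo ".1.3.6.1.2.1.2.2.1.10.$idx" ;;
        out/32) echo ".1.3.6.1.2.1.2.2.1.16.$idx" ;;
        in/hc)  echo ".1.3.6.1.2.1.31.1.1.1.6.$idx" ;;
        out/hc) echo ".1.3.6.1.2.1.31.1.1.1.10.$idx" ;;
        *)      echo "usage: counter_oid NAME in|out [hc]" >&2; return 1 ;;
    esac
}

# mrtg_target NAME COMMUNITY HOST: print the MRTG Target line that polls
# ifInOctets and ifOutOctets of NAME (walk output on stdin). MRTG's own
# examples write OIDs without the leading dot, so it is stripped here.
mrtg_target() {
    walk=$(cat)
    in_oid=$(printf '%s\n' "$walk" | counter_oid "$1" in) || return 1
    out_oid=$(printf '%s\n' "$walk" | counter_oid "$1" out) || return 1
    echo "Target[$1]: ${in_oid#.}&${out_oid#.}:$2@$3"
}

# Demo with the constructed walk and the post's community string and address.
printf '%s\n' "$IFDESCR_WALK" | mrtg_target llanonvpn0 THISISTHEKEY 192.168.120.20
```

The hc option exists because the 32-bit ifInOctets/ifOutOctets counters wrap at 4 GiB, which at a 5-minute polling interval happens on links busier than roughly 114 Mbit/s; for the tunnel interfaces of a sandbox appliance the 32-bit counters are normally fine, but the 64-bit ones cost nothing with SNMPv2c.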
Cheers.
Featured image: “Dell” by Craig Rodway is licensed under CC BY-NC-ND 2.0.