November 26, 2012
I should thank Charles for some of his SNMP posts, they prod me to do more with the subject.
His latest one is again, solid, and you should read it, it can make enabling and configuring SNMP much easier.
However, he leaves off configuring SNMPv3, which is a shame, because that's a much more secure way to use SNMP, and understandable, because it's a bit TOO obscure at times. However, it is a pretty easy setup, although you have to run it on the target machine. The configuration itself can be one line:
sudo net-snmp-config --create-snmpv3-user -a authpass -x privpass -X DES|AES -A MD5|SHA username
- authpass is the authentication passphrase
- privpass is the encryption passphrase
- -X is the encryption mechanism
- -A is the auth mechanism
A caveat: SNMP implementations tend to be ignored once coded. So, if all your devices are set to only support MD5, and you want to use SHA, well, you may be more secure, but you won't be able to use SNMPv3 with that device. Sometimes, you may have to use the less-secure, better-supported option. (Then of course, make sure your vendor knows why this is a bad thing.)
Now, implementing this as a script is easy, but insecure, as you're embedding passphrases. There is an interactive option, just don't include the passphrases in the command. You can still specify the auth and encryption mechanisms. But then you give up automated setup, but I leave it to readers to decide what is "right" for them.
What I recommend doing is first pushing out the snmpd.conf file, then configuring SNMPv3, as it adds an entry to the snmpd.conf file to enable SNMPv3 support. Also, snmpd can't be running when you configure SNMPv3, or the command will fail.
Finally, in recent versions of the Mac OS, there's also a /etc/snmp/ directory that snmpd can use for config files. I still go with the traditional /usr/share/snmp location myself, for better cross-platform compliance, but, if you're only on (Mac) OS X, you can use /etc/snmp instead.| Comments ()
November 21, 2012
A Roller Derby Fanboy Post
What it looks like when people try to block Low Maim:
all images copyright 1980 or so, lucasarts, now disney. Please don't kill me guys, this just works so well.| Comments ()
November 12, 2012
A companion post to a 318 post
Normally, I'd leave this as a comment, but wordpress is unhappy with logins or something.
So in this article, Charles talks about using SNMP to get network information for JAMF's Casper software, via shell scripting. (By the way JAMF guys: an SNMP console with a good UI would be a FANTASTIC addition to Casper. Most SNMP consoles kind of suck, UI-wise.)
First, nothing Charles talks about is incorrect, but it is somewhat inefficient, in terms of SNMP. It could be done better. So let's look at that.
The value that Charles is using in his example is uptime, which is part of the base SNMP support that you see in any device that supports SNMP. I've been beating on SNMP for years now, I've never seen anything that doesn't support sysUpTime. So, we can make some assumptions once we know the OID we need to query. As Charles recommends, we use snmpwalk for this. (A minor quibble: Charles queries using SNMP v1. In general, you should use version 2c if you aren't in an SNMP 3 environment. 2c is almost ubiquitous, and has larger counters, something of import for things like uptime. There are some v1 - only devices out there, but they're rare enough that assuming 2c until proven wrong is acceptable.)
So we'll do a quick snmpwalk to generate the OID values we need. To get this, we do two runs. The first returns the generic MIB descriptions, the second gives us the numerical OID values. (Note: if all this OID and MIB stuff is confusing, I have a long, but complete SNMP primer. If you are new to SNMP, you should read that first.)
The first command:
snmpwalk -v 2c -c public -m ALL localhost .1|more
This tells snmpwalk to query a v 2c device with a public community string of "public", using all available MIBs. The device its targeting in this case is itself, and it should start at the beginning of the OID tree, aka ".1". I pipe it to more, because running snmpwalk against a full MIB tree can crash snmpd, and in any case, what we're looking for is in the first page returned. The result we get is:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (38246285) 4 days, 10:14:22.85 (this is on an Xserve)
So now that we know what we're looking for, let's re-run snmpwalk, only with the -On option, which gives us the numerical OID value for sysUpTime.
The second command: snmpwalk -v 2c -c public -m ALL -On localhost .1|more
This gives us the numerical OID value for sysUpTime:
.184.108.40.206.220.127.116.11.0 = Timeticks: (38248082) 4 days, 10:14:40.82
The nice thing about this particular value is that it's the same for an Xserve, an AEBS, or really, anything with even basic SNMP support. So now, instead of having to walk the SNMP tree, then parse out the one value you care about, then use that result, we can use snmpget to show us the result we want:
snmpget -v 2c -c public localhost .18.104.22.168.22.214.171.124.0
Which gives us:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (38340865) 4 days, 10:30:08.65
However, that still leaves us a lot of data we don't care about, like the MIB identifier bit. We KNOW that, so we don't need it back. Therefore, we use the -Ov output option which prints values only, not the OID = value format:
snmpget -v 2c -c public -Ov localhost .126.96.36.199.188.8.131.52.0
Timeticks: (38348581) 4 days, 10:31:25.81
So that's a bit easier to parse, or at least less data to parse, and we don't have to deal with the overhead of snmpwalk. Actually, you can substitute snmpget for snmpwalk pretty easily in Charles' script. Change:
if [ "$COMPUTERNAME" = "$SERVER" ] ; then
UPTIME=$( snmpwalk -v1 -c public -M /usr/share/snmp/mibs \
-m AIRPORT-BASESTATION-3-MIB $AIRPORTIP | grep sysUpTime | cut -d \) -f 2 )
if [ "$COMPUTERNAME" = "$SERVER" ] ; then
UPTIME=$( snmpget -v 2c -c public $AIRPORTIP .184.108.40.206.220.127.116.11.0 | cut -d \) -f 2 )
(the mibs switches are somewhat unnecessary for snmpget. We know what we're going after, we don't need it explained to us. In general, MIBs are there to help the humans, they're not really needed for SNMP in and of itself.)
As a rule, when dealing with SNMP, try to only use snmpwalk to acquire info on the OID(s) you really want to use. For actual regular command use, snmpget and snmptable are better choices. Also, play a bit with the -O options in the SNMP command set. It can really help you narrow down the output so you don't have as much work to do.| Comments ()
November 11, 2012
If you want to really thank veterans
Do so with your vote. If a candidate only supports veterans three days a year and during their campaign, but then votes to cut or de-fund veteran's benefits because "we can't afford that right now", don't vote for them. If a candidate who has never served, nor anyone in their immediate family served, but is all to eager and willing to go to war, don't vote for them. In fact, any candidate who talks of sending military people into harms way as anything but an absolute last resort? Don't vote for that person.
If you want to thank combat veterans, do so by making them the last of their kind.
The "we can't afford it" argument makes me want to vomit. You are talking about people who will never walk unaided, who are missing limbs, or in some cases, significant parts of their brains. They are people who will never be who or what they were, who took the risks they did, and will suffer from their injuries for the rest of their lives. Their families will never have back the person they sent off to boot camp, or who came back for an all-too-short leave before that final deployment.
In a sense, the ones who gave their lives have it easier, as do their families. Their suffering has ended, and their families, while never fully getting over that loss, will never have to spend every day comparing who their loved one is, to what they were, and hating themselves for it.
"We can't afford those benefits"?
If a government has anything close to a 'sacred' duty, it is the duty of caring for the men and women who went away whole, and came back less than whole, because that government wasn't wise or smart enough to solve their problems better.
You want to thank vets?
"Thank you" is only the beginning.| Comments ()
November 7, 2012
Yet another reason I hate google
The way they pretend to support non-browser clients for services, then relentlessly fuck with you and punish you for taking them up on it. You thought you sent that mail from Apple Mail, Outlook, <IMAP CLIENT>?
Fuck that. You'll use the browser or we'll make your life hell.
Microsoft may charge though the nose, but they don't do that. Fuck Google and everything they make. Also, with the exception of their home page, they've never once created a UI that didn't suck, and their domain admin tools are pure shit. That last one will get a lot of special attention later on.| Comments ()