Tunneling SNMP over SSH or UDP over SSH - Solution



Greetings,

I wanted to share this information in a place where it would be easily
accessible for others to benefit from. There is hinting about this
particular subject all over the web, but not very much actual data,
particularly if you are searching for SNMP over SSH. It is debatable
whether SNMPv3 needs a tunnel anymore, but in my case SSH was the only
means I had to access my SNMP data source, so I was forced to come up
with a solution.

This solution:
http://zarb.org/~gc/html/udp-in-ssh-tunneling.html

Worked, but it would break after running snmpwalk a few times, and it
was unclear why it was having problems.

Instead I turned to socat, and found it has worked flawlessly for
several days now.

There were 3 machines involved in this transaction (actually the proxy
machine could be combined with the SNMP consumer if you wish, but then
you must alias localhost or something).

A. proxy machine (locally accessible from the consumer)
B. snmp consumer (where we run snmpwalk, nagios, zenoss or whatever)
C. snmp producer (machine remote from proxy and consumer, where
   net-snmp serves up useful SNMP data)

1. SSH from proxy machine to snmp producer and forward a TCP port

     ssh producer -L 6004:localhost:6004

2. Start TCP to UDP socat on producer

     socat -d -d -d -lffoo.log TCP4-LISTEN:6004,fork UDP4:localhost:161

   (the -ds and -lf are optional, and provide great logging information)

3. Start UDP to TCP socat on proxy

     socat -d -d -d -lffoo.log UDP4-LISTEN:161,fork TCP:localhost:6004

   (the -ds and -lf are optional, and provide great logging information)

4. Run snmpwalk on the consumer

     snmpwalk -v1 -c public proxy system

   (where proxy is a locally accessible machine)

I think that is all correct. If I made a mistake, please bug me about
it. Thanks to all the developers of openssh and particularly to
Gerhard Rieger, the developer of socat.

JHolder
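
What the two socat legs in steps 2 and 3 do, shown as an added Python sketch that is not part of the original post: one leg carries consumer UDP datagrams into the forwarded TCP port, the other turns them back into UDP for the agent. Assumptions: all function names are hypothetical, the loopback run uses constructed requests with a stand-in agent, and the 2-byte length prefix is an addition of this example to keep datagram boundaries on the TCP stream (the socat commands above relay bytes without framing).

```python
import socket, struct, threading

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:  # TCP may deliver a frame in several pieces
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("tunnel closed")
        buf += chunk
    return buf

def send_frame(conn, payload):  # length prefix marks where each datagram ends
    conn.sendall(struct.pack("!H", len(payload)) + payload)

def recv_frame(conn):
    return recv_exact(conn, struct.unpack("!H", recv_exact(conn, 2))[0])

def udp_socket():  # loopback only, with a timeout so a lost datagram cannot hang
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(5)
    s.bind(("127.0.0.1", 0))
    return s

def producer_leg(listener, agent_addr, count):  # role of step 2: TCP -> UDP agent
    conn, _ = listener.accept()
    with conn, udp_socket() as udp:
        for _ in range(count):
            udp.sendto(recv_frame(conn), agent_addr)
            send_frame(conn, udp.recvfrom(65535)[0])

def proxy_leg(front, tunnel_addr, count):  # role of step 3: UDP consumer -> TCP
    with socket.create_connection(tunnel_addr) as conn:
        for _ in range(count):
            request, consumer = front.recvfrom(65535)
            send_frame(conn, request)
            front.sendto(recv_frame(conn), consumer)

def demo(requests=(b"constructed-request-1", b"constructed-request-2")):
    agent, front, consumer = udp_socket(), udp_socket(), udp_socket()
    listener = socket.create_server(("127.0.0.1", 0))  # stands in for forwarded port 6004
    spawn = lambda fn, *args: threading.Thread(target=fn, args=args, daemon=True).start()
    spawn(producer_leg, listener, agent.getsockname(), len(requests))
    spawn(proxy_leg, front, listener.getsockname(), len(requests))
    replies = []
    for r in requests:
        consumer.sendto(r, front.getsockname())      # consumer -> proxy (UDP)
        data, peer = agent.recvfrom(65535)           # agent receives via the tunnel
        agent.sendto(b"reply:" + data, peer)         # constructed agent reply
        replies.append(consumer.recvfrom(65535)[0])  # reply arrives back as UDP
    return replies
```

The relays here handle one request and one reply at a time, which matches how snmpwalk issues its queries.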
