Configuring snmpv3 in Linux

We have all used snmp for many years to help monitor our systems and networks, but most admins have been reluctant to migrate to v3 because of the perceived increase in complexity. This post shows how to quickly and easily enable snmpv3 on your Linux system and take advantage of its additional security features: authentication and privacy.

Install software packages

# yum install net-snmp net-snmp-utils

Create snmpv3 user

Set up a read-only snmp user on your system. You can use the --create-snmpv3-user flag of the net-snmp-config command or call the net-snmp-create-v3-user script directly. For more detail, review the manpages net-snmp-config(1) and net-snmp-create-v3-user(1).

# net-snmp-create-v3-user -ro -A S3cretPassword -a SHA -X EncryptPass -x AES snmpuser
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpuser SHA "S3cretPassword" AES EncryptPass
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpuser

The read-only user is placed in the traditional /etc/snmp/snmpd.conf file and the key is stored in /var/lib/net-snmp/snmpd.conf. The latter file is maintained by snmpd and should not be edited directly. For more granular access to specific MIBs, review Access Control and VACM. Here is a brief description of the flags used to create the user.

-ro          gives user read-only permissions
-A           specifies the authentication password
-a MD5|SHA   the password hashing algorithm
-X           specifies the encryption password
-x DES|AES   specifies the encryption algorithm

There are a couple of things to keep in mind. The minimum passphrase length is 8 characters, and SHA authentication and DES/AES privacy require that OpenSSL is installed.
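What happens to those passphrases is worth seeing once. On first start snmpd reads the createUser line, derives a key from each passphrase (RFC 3414 password-to-key) and localizes it to its own snmpEngineID, then writes a usmUser line with the localized keys back to /var/lib/net-snmp/snmpd.conf. The Python below is an added example (not code from the post or from net-snmp) that implements that derivation and checks it against the RFC 3414 Appendix A.3 test vectors; the post's "-a SHA" corresponds to the "sha1" name used here, and the engine ID is the RFC's sample value, not a real agent's.

```python
"""RFC 3414 USM key derivation: passphrase -> Ku -> engine-localized Kul."""
import hashlib

EXPANDED_LEN = 1_048_576  # passphrase is repeated to 1 MiB before hashing (RFC 3414 A.2)
MIN_PASSPHRASE = 8        # RFC 3414 minimum; net-snmp enforces the same limit

def password_to_key(passphrase: bytes, algo: str) -> bytes:
    """Ku = H(passphrase repeated to 1,048,576 bytes); algo is 'md5' or 'sha1'."""
    if len(passphrase) < MIN_PASSPHRASE:
        raise ValueError("passphrase must be at least 8 characters")
    reps = EXPANDED_LEN // len(passphrase) + 1
    expanded = (passphrase * reps)[:EXPANDED_LEN]
    return hashlib.new(algo, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), so the stored key only works for one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def derive_localized_key(passphrase: str, engine_id_hex: str, algo: str) -> str:
    """Return the localized key as hex, as it appears in a usmUser line."""
    ku = password_to_key(passphrase.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()

if __name__ == "__main__":
    # RFC 3414 A.3.2 sample: passphrase "maplesyrup", 12-byte engineID 00..02
    rfc_engine = "000000000000000000000002"
    print("SHA Kul:", derive_localized_key("maplesyrup", rfc_engine, "sha1"))
    # The same passphrase on a different agent yields an unrelated key.
    print("SHA Kul (other engine):",
          derive_localized_key("maplesyrup", "80001f8880e9bd0a1b2c3d4e", "sha1"))
```

Because Kul alone is enough to authenticate to the agent it was localized for, the persistent /var/lib/net-snmp/snmpd.conf deserves the same file permissions you would give the passphrase itself.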

Enable and Start Service

# systemctl enable snmpd
# systemctl start snmpd

Configure Firewall

You will need to allow 161/udp through your firewall. This could simply be added to the default public zone, but I prefer to set up a separate zone, which allows more flexibility when granting remote access.

# firewall-cmd --new-zone=snmp-access --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --get-zones
block dmz drop external home internal public snmp-access trusted work

Allow access to the snmp service from a specific range. In this example, I have a server farm within a dedicated /24.

# firewall-cmd --zone=snmp-access --add-source=10.10.10.0/24 --permanent
success
# firewall-cmd --zone=snmp-access --add-service snmp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --zone=snmp-access --list-all
snmp-access (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.10.10.0/24
services: snmp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Verify from remote Client

Check access to our server, 10.10.10.10, from a client connection using a few sample snmpget and snmpwalk commands.

Get system Name
# snmpwalk -v3 -u snmpuser -l authPriv -a SHA -A S3cretPassword -x AES -X EncryptPass 10.10.10.10 sysName.0
SNMPv2-MIB::sysName.0 = STRING: sysmon.networklogician.com

Get system Uptime
# snmpget -v3 -u snmpuser -l authPriv -a SHA -A S3cretPassword -x AES -X EncryptPass 10.10.10.10 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (18681) 0:03:06.81

Check interface speed
# snmpwalk -v3 -u snmpuser -l authPriv -a SHA -A S3cretPassword -x AES -X EncryptPass 10.10.10.10 ifSpeed
IF-MIB::ifSpeed.1 = Gauge32: 10000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 0

Get 5 minute CPU load average
# snmpget -v3 -u snmpuser -l authPriv -a SHA -A S3cretPassword -x AES -X EncryptPass 10.10.10.10 .1.3.6.1.4.1.2021.10.1.3.2
UCD-SNMP-MIB::laLoad.2 = STRING: 0.25

Show total swap space
# snmpget -v3 -u snmpuser -l authPriv -a SHA -A S3cretPassword -x AES -X EncryptPass 10.10.10.10 .1.3.6.1.4.1.2021.4.3.0
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 6713340 kB

The only new flag in these queries is '-l authPriv'. The authPriv security level provides authentication and integrity based on SHA and encryption based on AES; AES-128 is used if no key size is specified. The other security levels, noAuthNoPriv and authNoPriv, are not recommended.

Final thoughts

It is assumed that you will be monitoring systems from a server running something like Nagios or Zabbix and not from the command line. Entering passwords on the command line should be avoided, as they may be inadvertently stored in a history file. Instead, set up a ~/.snmp/snmp.conf file containing the credentials so that queries can be made without typing them.

# cat .snmp/snmp.conf 
defVersion 3
defSecurityLevel authPriv
defSecurityName snmpuser
defAuthType SHA
defPrivType AES
defAuthPassphrase S3cretPassword
defPrivPassphrase EncryptPass

# snmpget 10.10.10.10 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (18681) 0:03:06.81
