How to Configure SNMP version 3 on Debian 9

0
4463

This guide is about how to configure SNMP version 3 on Debian 9. There are three major versions of SNMP that have so far been developed; version SNMPv1, SNMPv2c and SNMPv3. Both version 2c and 3 have improved feature performance in terms of performance, flexibility and security-wise. Our previous guide covers how to configure SNMP Version 2c on Debian 9.

If you are also looking at configuring SNMP both version 2 and 3 on Ubuntu 18.04 or CentOS 7, check our guide by following the link below;

How to Configure SNMP version 3 on Debian 9

Assuming you have the necessary SNMP packages installed already, proceed to configure SNMP version 3 on Debian 9.  However, if you have not installed the SNMP packages and the required libraries, do so by running the command below;

apt update
apt install snmpd snmp libsnmp-dev

SNMP version 3 focuses mostly on three major security aspects of the communication between SNMP entities. It provides strong authentication, encryption data packets that enhances privacy.

Configure SNMP version 3 on Debian 9

The default SNMP daemon configuration file is /etc/snmp/snmpd.conf. I would recommend that you make a backup of this configuration file before you can proceed to make adjustments to it.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original

Define the interface IP address from which the server can be reached from remotely. Remember that ny default, SNMP daemon listens in the loopback interface.

vim /etc/snmp/snmpd.conf
...
#  AGENT BEHAVIOUR
#

#  Listen for connections from the local system only
agentAddress  udp:127.0.0.1:161,udp:192.168.43.188:161
...

To configure SNMP version 3 on Debian 9, you need to;

  • Create a username for authentication
  • Set the authentication password
  • Set the encryption password
  • Define the access permissions
  • Define the encryption algorithm

The requirements can be achieved by the use of the net-snmp-create-v3-user command line tool. The syntax of this command is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

Before you can set these requirements, stop the SNMP deamon service.

systemctl stop snmpd

Next, create the username with the above requirements. Note that to enhance security, ensure that you use different passwords for authentication and encryption. The default authentication method used is MD5.

net-snmp-create-v3-user -ro -A SecUREDpass -a SHA -X StRongPASS -x AES snmpreadonly
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpreadonly SHA "SecUREDpass" AES StRongPASS
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpreadonly

To interactively run the net-snmp-create-v3-user, you would simply run it as;

net-snmp-create-v3-user -x AES -a SHA

Start SNMP daemon and enable it to run on system reboot

systemctl start snmpd
systemctl enable snmpd

Configure firewalling accordingly to ensure that connection to UDP port on the server can be reached from the monitoring host.

You can now verify that all is well. To perform the local verification, run the command below;

snmpwalk -v3 -a SHA -A SecUREDpass -x AES -X StRongPASS -l authPriv -u snmpreadonly localhost | head -10
iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (6984) 0:01:09.84
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

To perform the verification of the same from the remote monitoring host, run the command below;

snmpwalk -v3 -a SHA -A hacker100 -x AES -X hacker101 -l authPriv -u snmpreadonly 192.168.43.188 | head -10
iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (1436) 0:00:14.36
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

Well, you nailed it. That is all about how to configure SNMP version 3 on Debian 9. If you are using Nagios SNMP monitoring plugins, check_snmp, check our guide previous on how to poll the requiests with SNMP version 3 by following the link below.

LEAVE A REPLY

Please enter your comment!
Please enter your name here