How to Configure SNMP version 3 on Debian 9


This guide explains how to configure SNMP version 3 on Debian 9. Three major versions of SNMP have been developed so far: SNMPv1, SNMPv2c and SNMPv3. Both version 2c and version 3 bring improvements in performance, flexibility and security. Our previous guide covers how to configure SNMP Version 2c on Debian 9.

If you also want to configure SNMP version 2 and 3 on Ubuntu 18.04 or CentOS 7, check our guide by following the link below;

Configuring SNMP version 3 on Debian 9

Assuming you already have the necessary SNMP packages installed, proceed to configure SNMP version 3 on Debian 9. If you have not installed the SNMP packages and the required libraries, do so by running the commands below;

apt update
apt install snmpd snmp libsnmp-dev

SNMP version 3 focuses mostly on three major security aspects of the communication between SNMP entities. It provides strong authentication and encryption of data packets, which enhances privacy.

Configure SNMP version 3 on Debian 9

The default SNMP daemon configuration file is /etc/snmp/snmpd.conf. I would recommend that you back up this configuration file before you make any changes to it.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original

Define the interface IP address on which the server can be reached remotely. Remember that by default, the SNMP daemon listens only on the loopback interface.

vim /etc/snmp/snmpd.conf

...
#  AGENT BEHAVIOUR
#

#  Listen on the loopback address and on the server's interface address
agentAddress  udp:127.0.0.1:161,udp:192.168.43.188:161
...

To configure SNMP version 3 on Debian 9, you need to;

  • Create a username for authentication
  • Set the authentication password
  • Set the encryption password
  • Define the access permissions
  • Define the encryption algorithm

The requirements can be achieved by the use of the net-snmp-create-v3-user command line tool. The syntax of this command is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES] [username]

Before you can set these requirements, stop the SNMP daemon service.

systemctl stop snmpd

Next, create the username with the above requirements. To enhance security, use different passwords for authentication and encryption. The default authentication method is MD5, so the command below selects SHA explicitly with -a SHA.

net-snmp-create-v3-user -ro -A SecUREDpass -a SHA -X StRongPASS -x AES snmpreadonly
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpreadonly SHA "SecUREDpass" AES StRongPASS
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpreadonly

To run net-snmp-create-v3-user interactively, simply run it as;

net-snmp-create-v3-user -x AES -a SHA
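
As an added example (not part of the original guide), the script below audits snmpd configuration files for settings that undercut SNMPv3: leftover v1/v2c community lines, MD5 or DES users, and rouser/rwuser lines without priv. net-snmp treats a bare rouser line like the one written above as minimum level auth, so it accepts unencrypted authNoPriv requests. The function name audit_snmpd_conf and the sample config are constructed for illustration; it assumes passphrases without spaces and no -e ENGINEID option on createUser.

```sh
#!/bin/sh
# Added example, not from the original guide: flag snmpd settings that weaken SNMPv3.
# Assumes passphrases contain no spaces and createUser has no "-e ENGINEID" option.
# Prints one finding per line; the exit status is the number of findings.
audit_snmpd_conf() {
    awk '
    function flag(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }

    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines

    # v1/v2c community strings keep working beside SNMPv3 until they are removed.
    $1 ~ /^(ro|rw)community6?$/ { flag($1 " enables v1/v2c community access") }

    # createUser NAME (MD5|SHA) authpass [DES|AES] [privpass]
    $1 == "createUser" {
        auth = toupper($3); priv = toupper($5)
        if (auth == "")         flag("user " $2 " has no authentication key")
        else if (auth == "MD5") flag("user " $2 " authenticates with MD5")
        if (priv == "")         flag("user " $2 " has no privacy protocol")
        else if (priv == "DES") flag("user " $2 " encrypts with DES")
    }

    # rouser|rwuser [-s SECMODEL] NAME [noauth|auth|priv]; the level defaults to auth.
    $1 == "rouser" || $1 == "rwuser" {
        i = ($2 == "-s") ? 4 : 2
        level = ($(i + 1) == "") ? "auth" : $(i + 1)
        if (level != "priv")
            flag($1 " " $i " has minimum level " level ", so unencrypted requests pass")
    }

    END { exit n + 0 }
    ' "$@"
}

# Constructed sample: the two lines net-snmp-create-v3-user wrote in the guide, plus a
# community line of the kind a stock snmpd.conf may still carry (assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
rocommunity public default -V systemonly
createUser snmpreadonly SHA "SecUREDpass" AES StRongPASS
rouser snmpreadonly
EOF
audit_snmpd_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against /etc/snmp/snmpd.conf, /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf before starting the daemon. Changing the access line to rouser snmpreadonly priv makes encryption mandatory for that user.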

Start the SNMP daemon and enable it to run on system reboot.

systemctl start snmpd
systemctl enable snmpd

Configure your firewall so that UDP port 161 on the server can be reached from the monitoring host.

You can now verify that all is well. To perform the local verification, run the command below;

snmpwalk -v3 -a SHA -A SecUREDpass -x AES -X StRongPASS -l authPriv -u snmpreadonly localhost | head -10

iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (6984) 0:01:09.84
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

To perform the verification of the same from the remote monitoring host, run the command below;

snmpwalk -v3 -a SHA -A SecUREDpass -x AES -X StRongPASS -l authPriv -u snmpreadonly 192.168.43.188 | head -10

iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (1436) 0:00:14.36
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

Well, you nailed it. If you are using the Nagios SNMP monitoring plugin, check_snmp, check our previous guide on how to poll the requests with SNMP version 3 by following the link below.

Nagios SNMP Monitoring of Linux Hosts

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
