Install and Configure SNMP on Debian 10 Buster

koromicha
|
Last Updated:
|
Monitoring, HowTos, SNMP
|
1 Comment

This guide will take you through how to install and configure SNMP on Debian 10 Buster for monitoring using either SNMP v2c or v3. If you are looking at monitoring your Debian 10 system with monitoring tools like Nagios, Icinga or any other tools for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service state or any other services that support polling over the SNMP protocol, then you need to install SNMP and configure it as follows.

Installing SNMP on Debian 10 Buster

Install SNMP on Debian 10 Buster

Run the command below to install SNMP daemon, SNMP client and the SNMP development files.

apt install snmpd snmp libsnmp-dev

Configuring SNMP on Debian 10 Buster

Once the installation is done, proceed to configure SNMP on Debian 10 Buster.

The default configuration file for SNMP agent is /etc/snmp/snmpd.conf. SNMP agent can run with the default configuration settings. However, we are going to make a few changes to enable remote monitoring. As such create a backup of the configuration file as shown below;

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

Define SNMP agent (snmpd) Listening Address

SNMP agent listens on a loopback interface on UDP port 161 by default. To enable remote monitoring, you need to define a non-loopback interface IP address. The listening interface is defined by agentAddress directive.

vim /etc/snmp/snmpd.conf

###############################################################################
#
#  AGENT BEHAVIOUR
#

#  Listen for connections from the local system only
agentAddress  udp:127.0.0.1:161,udp:192.168.43.62:161

Configuring SNMP v2c Authentication

SNMP v2 provides access using a community string and the source IP Address, where the source IP address is the IP address of the monitoring server. The traditional access control for SNMP v2c can be defined using the directive;

directive community [source [OID]]

The directive can be rocommunity (provides read-only access to a specific OID) or rwcommunity(provides read-write access to a specific OID), OID is the optional SNMP tree to provide access to. Under the Access Control section, place the line, rocommunity S3CUrE 192.168.43.100. You can also enable query from localhost; rocommunity S3CUrE localhost.


...
 rouser   authOnlyUser
                                                 #  Full write access for encrypted requests
                                                 #     Remember to activate the 'createUser' lines above
#rwuser   authPrivUser   priv

#  It's no longer typically necessary to use the full 'com2sec/group/access' configuration
#  r[ow]user and r[ow]community, together with suitable views, should cover most requirements

# Allow read-only Access to full OID tree from the localhost and 192.168.43.100 using the string S3CUrE
rocommunity S3CUrE localhost
rocommunity S3CUrE 192.168.43.100

###############################################################################

For a simple SNMP v2c configuration, that is just it. Restart SNMPd to effect the changes.

systemctl restart snmpd

Set SNMPd to run on system boot.

systemctl enable snmpd

Verify that SNMPd is listening on an interface IP defined above.

netstat -nlpu|grep 161
udp        0      0 192.168.43.62:161       0.0.0.0:*                           26491/snmpd         
udp        0      0 127.0.0.1:161           0.0.0.0:*                           26491/snmpd

If firewall is running, allow connection from the monitoring server.

ufw allow from 192.168.43.100 to any port 161 proto udp

On the localhost, you can test if your MIBs are working by running the command below;

snmpwalk -v2c -c S3CUrE localhost | head -5

iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (10311) 0:01:43.11
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian10"

You should also be able to query the MIBs from the remote monitoring server. Ensure that UDP port is allowed on a firewall if there is any running on your system.

Configuring SNMP v3 on Debian 10

There are different security models which SNMP v3 can use. However, we are going to use the User-based Security Model in this guide. This approach will involve the use SNMPv3-specific users, withs specific permission, security level, authentication and privacy passphrases to allow access to the OID tree.

Therefore, you need to create user for authenticating using net-snmp-create-v3-user. When created, the user is added to the configuration files; /etc/snmp/snmpd.confand /var/lib/net-snmp/snmpd.conf.

Make a copy of the original configuration file just like we did above.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Create a read-only SNMP v3 authentication user. The command syntax is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-x privpass][-X DES|AES] [username]

Before you can use the net-snmp-create-v3-user command, you need to stop snmpd.

systemctl stop snmpd

Create the read only user.

net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpro
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpro SHA "STrP@SSWRD" AES STr0ngP@SSWRD
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpro

Start SNMP daemon and configure inbound Firewall rules to UDP port 161 if UFW is running just like we did above.

systemctl start snmpd

Verify SNMP v3

To test if MIBs are working properly on the locahost via SNMP v3, runt the command below specifying the user created above as shown below;

snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpro localhost | head -5

iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (219) 0:00:02.19
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian10"

Well, there you go, If you need to run the tests from remote server, you need to open port 161/UDP on your system.

You can read more about SNMPd configuration on SNMPD man page.

Related Guides;

Install and Configure SNMP on Ubuntu 18.04 and CentOS 7

Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM

How to Configure SNMP version 3 on Debian 9

How to Configure SNMP Version 2c on Debian 9

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Related Posts

How To Configure Log Rotation with Logrotate on Ubuntu 18.04 LTS

Step-by-Step Guide to Install and Setup OpenVPN Server on Debian 12

Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server

5 Things You Didn’t Know You Can Do with a VPN

What OS you should choose for dedicated server?

How to Install etcdctl on Kubernetes Cluster

1 thought on “Install and Configure SNMP on Debian 10 Buster”

  1. Seems like “-x” and “-X” for net-snmp-create-v3-user should be swapped. From the man page:
    -x privpass
    specify encryption password

    -X DES|AES
    specify encryption algorithm

    Reply

Leave a Comment

© 2024 kifarunix.com

Home Advertise with us Privacy Policy