Install and Configure SNMP on Debian 10 Buster

0
2012

This guide will take you through how to install and configure SNMP on Debian 10 Buster for monitoring using either SNMP v2c or v3. If you are looking at monitoring your Debian 10 system with monitoring tools like Nagios, Icinga or any other tools for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service state or any other services that support polling over the SNMP protocol, then you need to install SNMP and configure it as follows.

Install and Configure SNMP on Debian 10 Buster

Install SNMP on Debian 10 Buster

Run the command below to install SNMP daemon, SNMP client and the SNMP development files.

apt install snmpd snmp libsnmp-dev

Configuring SNMP on Debian 10 Buster

Once the installation is done, proceed to configure SNMP on Debian 10 Buster.

The default configuration file for SNMP agent is /etc/snmp/snmpd.conf. SNMP agent can run with the default configuration settings. However, we are going to make a few changes to enable remote monitoring. As such create a backup of the configuration file as shown below;

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

Define SNMP agent (snmpd) Listening Address

SNMP agent listens on a loopback interface on UDP port 161 by default. To enable remote monitoring, you need to define a non-loopback interface IP address. The listening interface is defined by agentAddress directive.

vim /etc/snmp/snmpd.conf
###############################################################################
#
#  AGENT BEHAVIOUR
#

#  Listen for connections from the local system only
agentAddress  udp:127.0.0.1:161,udp:192.168.43.62:161

Configuring SNMP v2c Authentication

SNMP v2 provides access using a community string and the source IP Address, where the source IP address is the IP address of the monitoring server. The traditional access control for SNMP v2c can be defined using the directive;

directive community [source [OID]]

The directive can be rocommunity (provides read-only access to a specific OID) or rwcommunity(provides read-write access to a specific OID), OID is the optional SNMP tree to provide access to. Under the Access Control section, place the line, rocommunity S3CUrE 192.168.43.100. You can also enable query from localhost; rocommunity S3CUrE localhost.

...
 rouser   authOnlyUser
                                                 #  Full write access for encrypted requests
                                                 #     Remember to activate the 'createUser' lines above
#rwuser   authPrivUser   priv

#  It's no longer typically necessary to use the full 'com2sec/group/access' configuration
#  r[ow]user and r[ow]community, together with suitable views, should cover most requirements

# Allow read-only Access to full OID tree from the localhost and 192.168.43.100 using the string S3CUrE
rocommunity S3CUrE localhost
rocommunity S3CUrE 192.168.43.100

###############################################################################

For a simple SNMP v2c configuration, that is just it. Restart SNMPd to effect the changes.

systemctl restart snmpd

Set SNMPd to run on system boot.

systemctl enable snmpd

Verify that SNMPd is listening on an interface IP defined above.

netstat -nlpu|grep 161
udp        0      0 192.168.43.62:161       0.0.0.0:*                           26491/snmpd         
udp        0      0 127.0.0.1:161           0.0.0.0:*                           26491/snmpd

If firewall is running, allow connection from the monitoring server.

ufw allow from 192.168.43.100 to any port 161 proto udp

On the localhost, you can test if your MIBs are working by running the command below;

snmpwalk -v2c -c S3CUrE localhost | head -5
iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (10311) 0:01:43.11
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian10"

You should also be able to query the MIBs from the remote monitoring server. Ensure that UDP port is allowed on a firewall if there is any running on your system.

Configuring SNMP v3 on Debian 10

There are different security models which SNMP v3 can use. However, we are going to use the User-based Security Model in this guide. This approach will involve the use SNMPv3-specific users, withs specific permission, security level, authentication and privacy passphrases to allow access to the OID tree.

Therefore, you need to create user for authenticating using net-snmp-create-v3-user. When created, the user is added to the configuration files; /etc/snmp/snmpd.confand /var/lib/net-snmp/snmpd.conf.

Make a copy of the original configuration file just like we did above.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Create a read-only SNMP v3 authentication user. The command syntax is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

Before you can use the net-snmp-create-v3-user command, you need to stop snmpd.

systemctl stop snmpd

Create the read only user.

net-snmp-create-v3-user -ro -A [email protected] -a SHA -X [email protected] -x AES snmpro
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpro SHA "[email protected]" AES [email protected]
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpro

Start SNMP daemon and configure inbound Firewall rules to UDP port 161 if UFW is running just like we did above.

systemctl start snmpd

Verify SNMP v3

To test if MIBs are working properly on the locahost via SNMP v3, runt the command below specifying the user created above as shown below;

snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpro localhost | head -5
iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (219) 0:00:02.19
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "debian10"

Well, there you go, If you need to run the tests from remote server, you need to open port 161/UDP on your system.

That is just a simple guide on how to install and configure SNMP on Debian 10 Buster.

You can read more about SNMPd configuration on SNMPD man page.

Related Guides;

Install and Configure SNMP on Ubuntu 18.04 and CentOS 7

Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM

How to Configure SNMP version 3 on Debian 9

How to Configure SNMP Version 2c on Debian 9

LEAVE A REPLY

Please enter your comment!
Please enter your name here