Install and Configure SNMP on Ubuntu 18.04 and CentOS 7

0
19390

In this guide, we are going to learn how to install and configure SNMP on Ubuntu 18.04 and CentOS 7. SNMP is an acronym for Simple Network Management Protocol. It provides an agentless method of managing and monitoring of network devices and servers for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service state e.t.c that support polling over the SNMP protocol.. With this method, you don’t need to install the usual Nagios NRPE agent on your hosts.

Installing SNMP

Prerequisites

Before you can monitor Linux hosts with Nagios using SNMP, you first need to install the necessary packages. The SNMP packages are available on default repositories.

Install SNMP on Ubuntu 18.04 and CentOS 7

Run the commands below to install the SNMP packages;
On CentOS 7

yum update
yum install net-snmp net-snmp-utils

On Ubuntu 18.04

apt update
apt install snmpd snmp libsnmp-dev

Configure SNMP on Ubuntu 18.04 and CentOS 7

Once the installation is done, proceed to configure SNMP as follows. The default configuration file for SNMP is /etc/snmp/snmpd.conf. The file is higly commented and thus, we will only make a few changes. As a result, make a copy of the original file before you can proceed.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Configuring Authentication

SNMP supports three versions of SNMP protocol; version 1, 2c and 3. Both version 1 and 2c provides authentication using community string, a shared secret between the agent and the client that is passed in clear text over the network while version 3 supports user authentication and message encryption using a variety of protocols and is thus a bit more secure.

Configuring SNMP Version 2c Community

As stated above, SNMP v2 provides access using a permission directive, a community string and the source Address. The source address can be IP of the Nagios Server (SNMP server). This directive should be set in the format;

directive community [source [OID]]

where directive can be rocommunity (provides read-only access) or rwcommunity (provides read-write access), OID is the optional SNMP tree to provide access to. To configure SNMP v2c;

On Ubuntu 18.04 proceed as follows;

Edit the snmpd configuration file and configure it to listen on both a localhost and an interface IP. By default, SNMP agent on is set to allow connections originating from the localhost only. agentAddress udp:127.0.0.1:161,udp:192.168.43.154:161.

Also, configure it to allow the monitoring server (Nagios server in my case, with IP, 192.168.43.101) only to connect using the community string ([email protected]).

vim /etc/snmp/snmpd.conf
...
#  AGENT BEHAVIOUR
#

#  Listen for connections from the local system only
agentAddress udp:127.0.0.1:161,udp:192.168.43.154:161
#  Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161
...
###############################################################################
#
#  ACCESS CONTROL
#
...
rocommunity [email protected] 192.168.43.101

###############################################################################
#
# SYSTEM INFORMATION

Note that for any changes to the configuration file to take effect, force the snmpd service to re-read the configuration by running the following command:

systemctl reload snmpd

If you can check, SNMP is now listening on two interfaces;

netstat -nlpu|grep snmp
udp    16128      0 192.168.43.154:161      0.0.0.0:*                           10057/snmpd         
udp     3072      0 127.0.0.1:161           0.0.0.0:*                           10057/snmpd

If firewall is running, allow connection from the Nagios server.

ufw allow from 192.168.43.101 to any port 161 proto udp
ufw reload

Next, run the command below from the Nagios Server to verify access to the host;

snmpwalk -v2c -c [email protected] 192.168.43.154
iso.3.6.1.2.1.1.1.0 = STRING: "Linux u18svr 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (1082) 0:00:10.82
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "ubuntu18svr"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

On CentOS 7, proceed as follows;

Set the community string and allow access from the Nagios server.

echo -e "# SNMP version 2c community\nrocommunity [email protected] 192.168.43.101" >> /etc/snmp/snmpd.conf

Configure snmpd to listens for incoming SNMP requests on UDP port 161 on loopback and other interfaces. This involves modifying snmpd start up script. Run the command below to effect this change. You first need to backup the original service config.

cp /lib/systemd/system/snmpd.service /lib/systemd/system/snmpd.service.bak

Edit the snmpd service configuration file and replace the line ExecStart=/usr/sbin/snmpd $OPTIONS -f with;  ExecStart=/usr/sbin/snmpd $OPTIONS -f udp:127.0.0.1:161 udp:192.168.43.23.161 such that you configuration looks like;

[Unit]
Description=Simple Network Management Protocol (SNMP) Daemon.
After=syslog.target network.target

[Service]
Type=notify
Environment=OPTIONS="-LS0-6d"
EnvironmentFile=-/etc/sysconfig/snmpd
ExecStart=/usr/sbin/snmpd $OPTIONS -f udp:127.0.0.1:161 udp:192.168.43.23:161
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Reload the system units and restart snmpd service;

systemctl daemon-reload
systemctl restart snmpd

Verify that both interfaces are listening;

ss -nlpu|grep snmp
UNCONN     0     0     192.168.43.23:161              *:*                   users:(("snmpd",pid=4931,fd=7))
UNCONN     0     0     127.0.0.1:161              *:*                   users:(("snmpd",pid=4931,fd=6))

If firewalld is running, create a new zone and allow access to snmp agent only from the Nagios server;

firewall-cmd --new-zone=snmp --permanent
firewall-cmd --zone=snmp --add-interface=eth1 --permanent
firewall-cmd --zone=snmp --add-source=192.168.43.101 --permanent
firewall-cmd --zone=snmp --add-port=161/udp --permanent
firewall-cmd --reload

Verify active zones;

firewall-cmd --get-active-zones
snmp
  sources: 192.168.43.101
public
  interfaces: eth0 eth1

However, you can simply run the commands below open snmpd port

firewall-cmd --add-port=161/udp --permanent
firewall-cmd --reload

Test connectivity from the Nagios server;

snmpwalk -v2c -c [email protected] 192.168.43.23
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Cent7.example.com 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (191101) 0:31:51.01
iso.3.6.1.2.1.1.4.0 = STRING: "Root <[email protected]> (configure /etc/snmp/snmp.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "Cent7.example.com"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (edit /etc/snmp/snmpd.conf)"
iso.3.6.1.2.1.1.8.0 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1

Configuring SNMP Version 3

SNMP v3 uses a username, permission, security level, authentication and privacy passphrases to allow access. As a result, you need to create user for authenticating. When created, the user is added to the following configuration files; /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf. Before you can proceed, make a copy of the original configuration file just like we did above.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Stop SNMP daemon

systemctl stop snmpd

Create a read-only authentication user using the net-snmp-create-v3-user command. The command syntax is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

net-snmp-create-v3-user -ro -A [email protected] -a SHA -X [email protected] -x AES snmpadmin
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpadmin SHA "[email protected]" AES [email protected]
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpadmin

Start SNMP daemon and configure inbound Firewall rules to UDP port 161 as we did above.

systemctl start snmpd

Enable SNMP daemon to run on system reboot.

systemctl enable snmpd

Test to verify that everything is working as expected.

snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpadmin localhost | head

CentOS 7:

SNMPv2-MIB::sysDescr.0 = STRING: Linux Cent7.example.com 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2095) 0:00:20.95
SNMPv2-MIB::sysContact.0 = STRING: Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: Cent7.example.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance

Ubuntu 18.04:

iso.3.6.1.2.1.1.1.0 = STRING: "Linux u18svr 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (59297) 0:09:52.97
iso.3.6.1.2.1.1.4.0 = STRING: "Me <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "u18svr"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1

From a remote host;

snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpadmin 192.168.43.23 | head
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Cent7.example.com 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (15002) 0:02:30.02
iso.3.6.1.2.1.1.4.0 = STRING: "Root <[email protected]> (configure /etc/snmp/snmp.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "Cent7.example.com"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (edit /etc/snmp/snmpd.conf)"
iso.3.6.1.2.1.1.8.0 = Timeticks: (6) 0:00:00.06
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpadmin 192.168.43.154 | head
SNMPv2-MIB::sysDescr.0 = STRING: Linux u18svr 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (114664) 0:19:06.64
SNMPv2-MIB::sysContact.0 = STRING: Me <[email protected]>
SNMPv2-MIB::sysName.0 = STRING: u18svr
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance

Great!! You have successfully installed and configured SNMP on Ubuntu 18.04 and CentOS 7. Your server is now ready for Nagios SNMP monitoring from your Nagios server or any other monitoring tool. You can also check our aritcle on Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM.

Related Tutorials:

Monitor Linux System Metrics with Prometheus Node Exporter

Monitor Squid logs with Grafana and Graylog

Monitor Squid Access Logs with Graylog Server

How to Install Nagios Plugins and NRPE agents on CentOS 7/RHEL 7/Fedora 29

Monitor Linux Hosts using Nagios check_by_ssh Plugin

How to Install Nagios Plugins From Source RHEL/CentOS/Oracle Linux

Install and Setup TIG Stack on Fedora 30