27 Mar 2022
In this article we will explore the Simple Network Management Protocol (SNMP) and how to implement versions 1, 2c and 3 on a Linux server.
SNMP stands for Simple Network Management Protocol; it is a protocol for collecting and organising information about managed devices.
SNMP is widely used for network monitoring and exposes management data in the form of variables. The variables are organised in hierarchies known as Management Information Base (MIB). MIBs describe the structure of the management data of a device, contained within these structures are Object Identifiers (OID). Each OID identifies a variable that can be read or set via SNMP.
SNMP operates in the application layer (layer 7) and, by default, all messages are transported over UDP. Agents receive requests on port 161 and managers receive traps on port 162.
In a managed network there are three key components:
Information can be received in two ways: the first is polling and the second is traps.
There are three versions of SNMP; they are:
Install the SNMP daemon package.
sudo apt install -y snmpd
Now we will edit SNMP's configuration file to configure a few aspects.
sudo nano /etc/snmp/snmpd.conf
The listen address, listed as agentaddress, defines the IP address (interface), protocol and port used by the agent.
The line below configures the server to listen on port 161 on all IPv4 and IPv6 addresses.
agentaddress udp:161,udp6:161
The entry below listens on a single IPv4 address only (here also on the non-default port 163).
agentaddress udp:192.168.1.10:163
Configure the SNMPv1 and v2c read-only community string for IPv4 and IPv6. It is good practice to change “public” to your preferred community string, since the community string is the only credential in these versions and is sent in clear text.
As written, this exposes all management data to any source address.
rocommunity public default
rocommunity6 public default
To set a read-write community we would use rwcommunity, although enabling this is not recommended.
We can restrict a community to a hostname or a network, and further restrict it to a specific OID subtree or to a view.
rocommunity communityName [default|hostname|network/bits] [oid | -V view]
To limit access to a specific host, for example an NMS at 192.168.1.2:
rocommunity communityName 192.168.1.2
Or to a network:
rocommunity communityName 192.168.1.0/24
To limit access to a specific OID (here .1.3.6.1.2.1.1.5.0, which is sysName.0):
rocommunity communityName default .1.3.6.1.2.1.1.5.0
Views are created within the snmpd.conf file; below is an example. OIDs can be included or excluded.
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
view systemonly excluded .1.3.6.1.2.1.1.5.0
The example below gives everyone (default) read-only access limited to the “systemonly” view; only one view should be referenced per community line.
rocommunity public default -V systemonly
Now restart the daemon:
sudo systemctl restart snmpd
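As an added example (not part of the original article or of net-snmp), a small Python auditor that applies the rules above to the community directives of an snmpd.conf: it flags well-known community strings, rwcommunity, the unrestricted default source, and communities with neither an OID subtree nor a -V view. The sample configuration is constructed for the example.

```python
COMMUNITY_DIRECTIVES = ("rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6")
WELL_KNOWN = {"public", "private"}

# Constructed sample snmpd.conf mixing the weak and the restricted forms discussed above.
SAMPLE_CONF = """\
# read-only, everyone, whole tree
rocommunity public default
rocommunity6 public default
rwcommunity secret 192.168.1.2
rocommunity monitor 192.168.1.0/24 -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""


def audit_snmpd_conf(text: str) -> list:
    """Return (severity, message) findings for every community directive in text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if not parts or parts[0].lower() not in COMMUNITY_DIRECTIVES:
            continue
        directive = parts[0].lower()
        community = parts[1] if len(parts) > 1 else ""
        rest = parts[2:]
        source = "default"
        if rest and not rest[0].startswith(("-", ".")):  # optional SOURCE before OID / -V view
            source = rest.pop(0)
        if community.lower() in WELL_KNOWN:
            findings.append(("high", f"{directive} '{community}': well-known community string"))
        if directive.startswith("rw"):
            findings.append(("high", f"{directive} '{community}': read-write access enabled"))
        if source == "default":
            findings.append(("medium", f"{directive} '{community}': accepts any source address"))
        if not rest:  # neither an OID subtree nor a -V view follows
            findings.append(("low", f"{directive} '{community}': no OID or view restriction"))
    return findings


def count_by_severity(findings: list) -> dict:
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

Pointing it at the real file (for example, audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())) is a quick pre-restart check that no unrestricted or well-known community is left in place.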
snmpwalk is an application that uses SNMP GETNEXT requests to query a network entity for a tree of information. It can be run from another system (the SNMP manager) to query the server (the SNMP agent).
A simple use case is to test our SNMP agent:
snmpwalk -v 2c -c communityName 192.168.1.90
“SNMPv3 was originally defined using the User-Based Security Model (USM), which contains a private list of users and keys specific to the SNMPv3 protocol. The operational community, however, declared it a pain to manipulate yet another database and it was decided to tunnel SNMP over SSH and DTLS to make use of existing user and authentication infrastructures.” - snmpd.conf man page
There are a few things to note with SNMPv3; they are:
The preferred option is to use the net-snmp-create-v3-user tool, which is covered below.
Now we can create a user; below is the createUser syntax from the manual page:
createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
This directive would be written into /var/lib/snmp/snmpd.conf:
createUser -e DeviceID Username SHA-512 UserPassword AES EncryptionPassword
And we would need to add the following to our /etc/snmp/snmpd.conf file, naming the same user, so that they may only read with authentication and privacy enabled:
rouser Username authPriv
Finally, restart the snmpd daemon:
sudo systemctl restart snmpd
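To show what the createUser directive actually stores, here is an added Python example (not from the article or from net-snmp) of the RFC 3414 password-to-key and key-localisation steps that the agent applies when it turns createUser into a usmUser entry: the passphrase is hashed into Ku and then bound to the agent's engine ID, which is why the same passphrase yields a different key on every agent and why a -e ENGINEID must match the agent it is meant for. The two engine IDs in the demo are constructed values.

```python
import hashlib

PW_STREAM_LEN = 1_048_576  # RFC 3414 A.2 hashes exactly 1 MiB of repeated passphrase


def password_to_key(passphrase: str, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 step 1: Ku = H(passphrase repeated until 1 MiB is filled)."""
    pw = passphrase.encode()
    stream = (pw * (PW_STREAM_LEN // len(pw) + 1))[:PW_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 step 2: Kul = H(Ku || snmpEngineID || Ku), unique to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes,
                    hash_name: str = "sha1") -> tuple:
    """Return (localized auth key, AES-128 priv key) for one user on one agent.

    RFC 3826 takes the first 128 bits of the localized priv key for AES-128;
    hash_name "sha512" gives the SHA-512 variant defined in RFC 7860.
    """
    auth_key = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)[:16]
    return auth_key, priv_key


if __name__ == "__main__":
    # Constructed engine IDs for two hypothetical agents (not real devices).
    agents = {
        "agent-a": bytes.fromhex("80001f8880a1b2c3d4e5f60001"),
        "agent-b": bytes.fromhex("80001f8880a1b2c3d4e5f60002"),
    }
    for name, engine_id in agents.items():
        auth_key, priv_key = derive_usm_keys("UserPassword", "EncryptionPassword",
                                             engine_id, "sha512")
        print(f"{name}: auth={auth_key.hex()[:32]}... priv={priv_key.hex()}")
```

Because the stored keys are localised, copying /var/lib/snmp/snmpd.conf between agents with different engine IDs does not carry the user across; re-create the user on each agent instead.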
Instead of figuring out how to use this directive and where to put it, just use the net-snmp-create-v3-user tool instead, which will add these lines to the right place.
First stop the snmpd daemon (it rewrites /var/lib/snmp/snmpd.conf on shutdown, so a user added while it is running would be lost):
sudo systemctl stop snmpd
net-snmp-create-v3-user -ro -A UserPassword -a SHA -X EncryptionPassword -x AES Username
Issue - No such file or directory
root@server:/etc/snmp# net-snmp-create-v3-user -ro -A UserPassword -a SHA-512 -x EncryptionPassword -X AES Username
adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmpuser SHA "UserPassword" AES "EncryptionPassword"
adding the following line to /snmp/snmpd.conf:
rouser snmpuser
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: cannot create /snmp/snmpd.conf: Directory nonexistent
This is a known issue; a workaround is to create the requested directory, re-run the command, then move the created content over to /etc/snmp/snmpd.conf.
mkdir /snmp
Or manually add the content:
sudo nano /etc/snmp/snmpd.conf
Scroll down to the bottom and add:
rouser snmpuser authPriv
Lastly, start snmpd again:
sudo systemctl start snmpd
To test SNMPv3 using snmpwalk we need a different set of switches; below is an example.
It is important that every parameter is present in the command and that the user name, authentication protocol and privacy protocol match those used when the user was created; otherwise no results are returned and you may instead see errors or a host timeout.
snmpwalk -v3 -u Username -A UserPassword -a SHA-512 -l authPriv -x AES -X EncryptionPassword 192.168.1.x