SNMP

27 Mar 2022

In this article we will explore Simple Network Management, SNMP and how to implement version 1, 2c and 3 using a Linux server.

What is SNMP

SNMP stands for Simple Network Management Protocol, it is a protocol for collecting and organising information about managed devices.

SNMP is widely used for network monitoring and exposes management data in the form of variables. The variables are organised in hierarchies known as Management Information Base (MIB). MIBs describe the structure of the management data of a device, contained within these structures are Object Identifiers (OID). Each OID identifies a variable that can be read or set via SNMP.

SNMP operates in the application layer (layer 7) and all messages are transported via UDP (default value). Agents receive requests on port 161 and managers are sent traps on port 162.

In a managed network there are three key components:

  1. Managed Device
  2. Agent - Management Agent (MA), runs on the managed device.
  3. Manager - Network Management Station (NMS)

Information can be received in two ways, the first is polling and the second are known as traps.

  1. Polling - Information is requested by the manager from the agent, this occurs on a regular basis.
  2. Trap - Information to sent from the agent to the manager. Traps unrequested data that are sent when triggered by an event.

Versions

There are three versions of SNMP, they are;

  • Version 1 - Initial implementation with trivial authentication and community name is transmitted in clear text.
  • Version 2c - Version 2 was a revision of version 1 which contained improvements in the areas of performance, security and manager-to-manager communications, this version was deemed obsolete by version 2c.
    • SNMPv2c - Community-Based SNMP version 2
    • SNMPv2u - User-Based SNMP version 2 - Adopted into Version 3
  • Version 3 - no changes to the protocol aside from the addition of cryptographic security. Version 3 support User-based Security Model (USM) and tunnelling over SSH

SNMP Agent - Linux Debian Family

Install the SNMP daemon package.

sudo apt install -y snmpd

SNMP version 1 and 2c

Now we will edit SNMPs configuration file to configure a few aspects

sudo nano /etc/snmp/snmpd.conf

Listen Address

The listen address, listed as agentaddress defines the IP address (interface), protocol and port used by agent.

The below will configure the server to listen on all IPv4 and IPv6 addresses

agentaddress udp:161,udp6:[::1]:161

The entry below will listen on a specific IPv4 address

agentaddress udp:192.168.1.10:163

Community String

Configure the SNMPv1 and v2c read-only community string for IPv4 and IPv6, it is good practice to change “public” to your preferred community string.

This will expose all management data.

rocommunity public default
rocommunity6 public default

To set a read-write community we would use rwcommunity, although this is not recommended to enable.

Limiting and Views

We can limit SNMP by using the hostname or network and limit to specific OIDs or use View.

rocommunity communityName [default|hostname|network/bits] [oid | -V view]

If we wanted to limit to a specific host, for example a NMS on 192.168.1.2.

rocommunity communityName 192.168.1.2

or a network

rocommunity communityName 192.168.1.0/24

If we wanted to limit to a specific OID.

rocommunity communityName default .1.3.6.1.2.1.1.5.0

Views are created within the snmpd.conf file, below is an example.

OIDs can be included or excluded.

#  system + hrSystem groups only
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
view   systemonly  excluded   .1.3.6.1.2.1.1.5.0

The example below, provides everyone access to the “systemonly” views, only one view should be declared.

rocommunity public default -V systemonly

Now restart the daemon

sudo systemctl restart snmpd

SNMP Walk v1 and v2c

SNMPWalk is an application that uses SNMP GETNEXT requests to query a network entity for a tree of information. It can be used on another system (SNMP Manager) to query the server (SNMP Agent).

A simple use case is to test our SNMP agents.

snmpwalk -v 2c -c communityName 192.168.1.90

SNMP version 3

“SNMPv3 was originally defined using the User-Based Security Model (USM), which contains a private list of users and keys specific to the SNMPv3 protocol. The operational community, however, declared it a pain to manipulate yet another database and was decided to tunnel SNMP over SSH and DTLS to make use of existing user and authentication infrastructures.” - snmpd.conf man page

SNMPv3 USM

There are a few things to note with SNMPv3 they are:

  • The EngineID uniquely identifies an SNMP entity, this will be randomly generated if not provided
  • MD5 and SHA are the authentication types, while DES and AES are the privacy (encryption) protocols.
  • The minimum pass phrase length is 8 characters.

The preferred option is to use the SNMP create tool, which is below

Now we can create a user, below is the manual page command

createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]

This command would be written into /var/lib/snmp/snmpd.conf

createUser -e DeviceID Username SHA-512 UserPassword AES EncryptionPassword

And we would need to place into our /etc/snmp/snmpd.conf file.

rouser snmpuser authPriv

Finally restart the snmpd daemon

sudo systemctl restart snmpd

Using the SNMP create tool

Instead of figuring out how to use this directive and where to put it, just use the net-snmp-create-v3-user tool instead, which will add these lines to the right place.

First stop the snmpd daemon

sudo systemctl snmpd stop

net-snmp-create-v3-user -ro -A UserPassword -a SHA -X EncryptionPassword -x AES Username

Issue - No such file or directory

root@server:/etc/snmp# net-snmp-create-v3-user -ro -A UserPassword -a SHA-512 -x EncryptionPassword -X AES Username

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpuser SHA "UserPassword" AES "EncryptionPassword"
   
adding the following line to /snmp/snmpd.conf:
   rouser snmpuser
   
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: cannot create /snmp/snmpd.conf: Directory nonexistent

This is a known issue, a workaround is to create the requested directory, re-run the command then move the created content over.

mkdir /snmp

Or manually add the content

sudo nano /etc/snmp/snmpd.conf

Scroll down to the bottom and add

rouser snmpuser authPriv

Lastly restart SNMP

sudo systemctl start snmpd

SNMP Walk v3

To test SNMPv3 using snmpwalk we need a different set of switches, below is an example.

Its important that everything is present within the command, otherwise results will not be returned, instead you may get errors or host timed out.

snmpwalk -v3 -u Username -A UserPassword -a SHA-512 -l authPriv -x AES -X EncryptionPassword 192.168.1.x
Back to Top