Install and Configure SNMP on Ubuntu 20.04

The SNMP packages are available in the default Ubuntu 20.04 repositories.

First, update your package cache;

apt update

Once the update is done, install SNMP on Ubuntu 20.04.

apt install snmpd snmp libsnmp-dev

Configure SNMP on Ubuntu 20.04

Once the installation is done, proceed to configure SNMP as follows.

The default configuration file for SNMP is /etc/snmp/snmpd.conf.

Configuring SNMP Authentication on Ubuntu 20.04

There are three versions of the SNMP protocol;

  • SNMP v1
  • SNMP v2c
  • SNMP v3

Both SNMP version 1 and 2c provide authentication using a community string, which is a shared secret between the agent and the client that is passed in clear text over the network.

SNMP version 3 supports user authentication and message encryption using a variety of protocols and is thus a bit more secure.

Configuring SNMP Version 2c Community on Ubuntu 20.04

As stated above, SNMP v2c provides access using a permission directive, a community string and the source address. The source address can be the IP of the monitoring server, such as a Nagios server (SNMP server) or Cacti. The directive should be set in the format;

directive community [source [OID]]

Where

  • directive can be rocommunity (provides read-only access) or rwcommunity (provides read-write access)
  • source can be the IP of the monitoring server, such as a Nagios server (SNMP server) or Cacti
  • OID is the optional SNMP tree to provide access to. To configure SNMP v2c

Therefore, edit the snmpd configuration file and configure it to listen on both localhost and an interface IP. By default, the SNMP agent is set to allow connections originating from the localhost only. 

vim /etc/snmp/snmpd.conf
...
###########################################################################
# SECTION: Agent Operating Mode
#
#   This section defines how the agent will operate when it
#   is running.
...
#agentaddress  127.0.0.1,[::1]
agentAddress udp:127.0.0.1:161,udp:192.168.58.18:161

Also, configure it to allow only the monitoring server (a Cacti server in my case, with IP 192.168.58.3) to connect using the community string (Ex@mPL3).

...
#
# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.
...
rocommunity Ex@mPL3 192.168.58.3

Save and exit the configuration file.

Note that for any changes to the configuration file to take effect, force the snmpd service to re-read the configuration by running the following command:

systemctl restart snmpd

If you check, SNMP is now listening on two interfaces;

netstat -nlpu|grep snmp
udp        0      0 192.168.58.18:161       0.0.0.0:*                           36473/snmpd         
udp        0      0 127.0.0.1:161           0.0.0.0:*                           36473/snmpd

If a firewall is running, allow connections from the monitoring server.

ufw allow from 192.168.58.3 to any port 161 proto udp

Verify SNMP v2c Connection with Community String

Next, run the command below from the monitoring server to verify access to the host;

snmpwalk -v2c -c Ex@mPL3 192.168.58.18
iso.3.6.1.2.1.1.1.0 = STRING: "Linux ubuntu20.kifarunix-demo.com 5.4.0-51-generic #56-Ubuntu SMP Mon Oct 5 14:28:49 UTC 2020 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (2891) 0:00:28.91
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "ubuntu20.kifarunix-demo.com"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."

Configure SNMP Version 3 on Ubuntu 20.04

SNMP v3 uses a username, permission, security level, authentication, and privacy passphrases to allow access. As a result, you need to create a user for authenticating. When created, the user is added to the following configuration files; /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf.

Similarly, make a copy of the original configuration file just like we did above.

cp /etc/snmp/snmpd.conf{,.bak}

Stop the SNMP daemon.

systemctl stop snmpd

Create SNMP v3 Authentication User

Create a read-only authentication user using the net-snmp-create-v3-user command. The command syntax is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES] [username]

net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpadmin SHA "STrP@SSWRD" AES "STr0ngP@SSWRD"
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpadmin

Start the SNMP daemon and configure inbound firewall rules for UDP port 161 as we did above.

systemctl start snmpd

Enable the SNMP daemon to run on system reboot.

systemctl enable snmpd
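
The access lines configured on this page can be checked mechanically. The script below is an added example (not from the original article or the Net-SNMP project): it audits snmpd.conf text for the v2c community format shown earlier (directive community [source [OID]]) and for the createUser and rouser lines written by net-snmp-create-v3-user. The function name audit_snmpd_conf, the sample's "public" and "legacy" lines and the constructed-pass passphrase are assumptions made for illustration; a rouser line with no level only requires authentication, so "rouser snmpadmin" is reported while "rouser snmpadmin priv" is not.

```python
import shlex

WEAK = {"public", "private"}
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (line_number, message) pairs for risky access-control lines."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)  # createUser passphrases may be quoted
        except ValueError:
            tok = line.split()
        d, args, checks = tok[0].lower(), tok[1:], []
        if args[:1] in (["-s"], ["-e"]):  # optional model / engine ID prefix
            args = args[2:]
        if d in COMMUNITY and args:  # directive community [source [OID]]
            source = args[1].lower() if len(args) > 1 else "default"
            checks = [(args[0].lower() in WEAK, "well-known community string"),
                      (source == "default", "accepted from any source address"),
                      (d.startswith("rw"), "grants read-write access")]
        elif d in ("rouser", "rwuser") and args:
            # With no level given the minimum is auth, so authNoPriv is accepted
            level = args[1].lower() if len(args) > 1 else "auth"
            checks = [(level not in ("priv", "authpriv"),
                       "encryption (priv) not required")]
        elif d == "createuser":
            checks = [(len(args) > 1 and args[1].upper() == "MD5", "MD5 authentication"),
                      (len(args) > 3 and args[3].upper() == "DES", "DES privacy")]
        out += [(no, msg) for hit, msg in checks if hit]
    return out

# Constructed sample built from the values used on this page
SAMPLE = """\
rocommunity public default -V systemonly
rocommunity Ex@mPL3 192.168.58.3
rwcommunity Ex@mPL3
createUser snmpadmin SHA "STrP@SSWRD" AES "STr0ngP@SSWRD"
createUser legacy MD5 "constructed-pass" DES
rouser snmpadmin
rouser snmpadmin priv
"""

if __name__ == "__main__":
    for no, msg in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {msg}")
```

To audit a live agent, pass the contents of /etc/snmp/snmpd.conf and of the file that holds the createUser line to audit_snmpd_conf.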

Verify SNMP v3 Connection

Test to verify that everything is working as expected.

snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin localhost | head
iso.3.6.1.2.1.1.1.0 = STRING: "Linux ubuntu20.kifarunix-demo.com 5.4.0-51-generic #56-Ubuntu SMP Mon Oct 5 14:28:49 UTC 2020 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (6269) 0:01:02.69
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "ubuntu20.kifarunix-demo.com"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1

From a remote host;

snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin 192.168.58.18 | head
iso.3.6.1.2.1.1.1.0 = STRING: "Linux ubuntu20.kifarunix-demo.com 5.4.0-51-generic #56-Ubuntu SMP Mon Oct 5 14:28:49 UTC 2020 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (11693) 0:01:56.93
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "ubuntu20.kifarunix-demo.com"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1