Version 3 of the SNMP protocol brings security to SNMP, which makes a lot of things smarter but also a bit more complicated to configure. That is why I would like to give a small introduction in this blog article on how to set up SNMPv3 on Debian and Ubuntu Linux systems.

Installing SNMP (daemon and agent)

First of all we need to install the SNMP packages (daemon and agent) on the server:

apt-get install snmp snmpd

After the successful installation we can start to define SNMPv3 users and their authentication and encryption parameters.

SNMPv3 introduces the following three security levels (auth = authentication, priv = privacy, i.e. encryption):

  1. noAuthNoPriv – No authentication and no encryption
  2. authNoPriv – Authentication is required, but the collected data sent over the network is not encrypted.
  3. authPriv – Authentication is required and everything sent over the network is encrypted.

Let’s start with the configuration:

Open the file /etc/snmp/snmpd.conf with an editor of your choice. Be aware that you have to customise the usernames and passwords in the sample lines below. Also make sure that the authentication and encryption passphrases are at least 8 characters long, which is the minimum length snmpd accepts.

######################################
#  Users / Security configuration
######################################
createUser authOnlyUser  MD5 "secretPassword-1"
createUser authPrivUser  SHA "secretPassword-2"  DES
createUser internalUser  MD5 "secretPassword-3"

To grant the users defined above access, also make sure that the following access-control lines are present and enabled in the configuration. rouser and rwuser require the authNoPriv level by default; the additional "priv" keyword raises the requirement to authPriv, so write access is only possible over encrypted requests.

###################################################################
#
#  ACCESS CONTROL
#
rouser   authOnlyUser #  Full read-only access for SNMPv3
rwuser   authPrivUser   priv   #  Full write access for encrypted requests
#  Remember to activate the 'createUser' lines above
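The user and access-control settings above can be checked mechanically before the daemon is started. The following script is an added example and not part of the original article: it audits an snmpd.conf for passphrases shorter than the 8-character minimum, for the legacy MD5 and DES algorithms (net-snmp also accepts SHA and AES, which are the better choice where the monitoring side supports them), and for rouser/rwuser lines that grant access to a user no createUser line defines. It assumes passphrases contain no whitespace or "#" characters, as in the article's sample; the sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an snmpd.conf for the
# SNMPv3 pitfalls discussed above.  Findings are printed one per line and the
# exit status of audit_snmpv3_conf is the number of findings (0 = clean).
# Assumption: passphrases contain no whitespace or '#' characters.

audit_snmpv3_conf() {
    conf="$1"
    findings=0
    set -f   # no filename globbing while splitting config lines into words
    # Space-delimited list of every user name defined by a createUser line.
    users=$(awk '$1 == "createUser" { printf " %s ", $2 }' "$conf")

    while read -r line; do
        line=${line%%#*}   # drop trailing comments and comment-only lines
        set -- $line
        kw=$1; name=$2; authproto=$3; authpass=$4; privproto=$5; privpass=$6
        case "$kw" in
            createUser)
                # createUser NAME (MD5|SHA) "AUTHPASS" [(DES|AES) ["PRIVPASS"]]
                authpass=${authpass#\"}; authpass=${authpass%\"}
                privpass=${privpass#\"}; privpass=${privpass%\"}
                if [ "${#authpass}" -lt 8 ]; then
                    echo "$name: auth passphrase shorter than 8 characters"
                    findings=$((findings + 1))
                fi
                # An omitted privacy passphrase falls back to the auth passphrase,
                # so only an explicitly given one needs its own length check.
                if [ -n "$privpass" ] && [ "${#privpass}" -lt 8 ]; then
                    echo "$name: priv passphrase shorter than 8 characters"
                    findings=$((findings + 1))
                fi
                if [ "$authproto" = "MD5" ]; then
                    echo "$name: MD5 authentication is legacy, prefer SHA"
                    findings=$((findings + 1))
                fi
                if [ "$privproto" = "DES" ]; then
                    echo "$name: DES privacy is legacy, prefer AES"
                    findings=$((findings + 1))
                fi
                ;;
            rouser|rwuser)
                case "$users" in
                    *" $name "*) ;;
                    *)
                        echo "$name: granted $kw access but has no createUser line"
                        findings=$((findings + 1))
                        ;;
                esac
                ;;
        esac
    done < "$conf"
    set +f
    return "$findings"
}

# Constructed sample configuration: one clean entry and several weak ones.
build_sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
######  Users / Security configuration (constructed sample)
createUser authOnlyUser  MD5 "secretPassword-1"
createUser authPrivUser  SHA "secretPassword-2"  DES
createUser hardenedUser  SHA "secretPassword-3"  AES
createUser weakUser      SHA "short"             AES
rouser   authOnlyUser          #  read-only, authNoPriv
rwuser   authPrivUser   priv   #  read-write, authPriv
rwuser   ghostUser      priv   #  no matching createUser line
EOF
    echo "$tmp"
}

# Stand-alone run: audit the constructed sample and report the count.
sample=$(build_sample_conf)
audit_snmpv3_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

To check a real configuration, source the script and run audit_snmpv3_conf /etc/snmp/snmpd.conf before starting snmpd; the hardened form of the article's second user would simply be createUser authPrivUser SHA "secretPassword-2" AES, with the matching -a SHA -x AES on the snmpget side.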

Change the agent address

By default the SNMP daemon listens on the loopback address only, so if it has to be queried from another system it is necessary to make snmpd reachable from outside.

Search for the “AGENT BEHAVIOUR” section in the configuration file and change it according to the sample below, then save the file and restart the service with “/etc/init.d/snmpd restart”.

#  AGENT BEHAVIOUR
#
#  Listen for connections from the local system only
# agentAddress  udp:127.0.0.1:161
#  Listen on all IPv4 interfaces, and on the IPv6 loopback address only
agentAddress udp:161,udp6:[::1]:161

Testing of SNMP configuration

After the restart we should be able to connect from outside and test the SNMP configuration with snmpget.

snmpget -v 3 -u authOnlyUser -l authNoPriv -a MD5 -A secretPassword-1 YourHost.com 1.3.6.1.2.1.1.1.0
# Result: iso.3.6.1.2.1.1.1.0 = STRING: "Linux vs003 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) x86_64"

snmpget -v 3 -u authPrivUser -l authPriv -a SHA -x DES -A secretPassword-2 -X secretPassword-2 YourHost.com 1.3.6.1.2.1.1.1.0
# Result: iso.3.6.1.2.1.1.1.0 = STRING: "Linux vs003 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) x86_64"

Secure SNMP Ports with iptables

Finally, we should ensure that nobody except us can reach SNMP from outside. The simplest way to achieve this is to add a few firewall rules with iptables.

To make sure the iptables configuration is loaded automatically at boot, install the following package in addition:
apt-get install iptables-persistent

With this package the iptables rules are restored automatically after a reboot from a persistently stored file. To write the currently active rules into that file (do this once the rules below have been added), run one of the following commands:

  1. iptables-save > /etc/iptables/rules.v4
  2. ip6tables-save > /etc/iptables/rules.v6

Now we can add four iptables rules that allow access only from our external monitoring system and drop everything else. Do not forget to replace 11.11.11.11 with your IP address or range. Because -A appends to the end of the INPUT chain, these rules only take effect if no earlier rule in the chain already accepts the traffic.

iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 161 -j ACCEPT
iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 162 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 161 -j DROP
iptables -A INPUT -p udp -m udp --dport 162 -j DROP
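Whether the four rules above really block everyone but 11.11.11.11 depends on their position in the INPUT chain, since netfilter stops at the first matching rule. The following script is an added example and not part of the original article: it walks the INPUT chain of an iptables-save file (the format of /etc/iptables/rules.v4) in the same first-match order and prints the verdict for a given source address and UDP port. It only understands the matchers the article's rules use (-s with a single IPv4 address, optionally written as /32 the way iptables-save emits it, -p udp and --dport); CIDR ranges are not parsed. Both rule files it builds are constructed samples: the article's rules as saved, and the same rules appended behind an earlier catch-all UDP accept.

```shell
#!/bin/sh
# Added example (not part of the original article): a minimal "first match
# wins" walk over the INPUT chain of an iptables-save file, to check what the
# SNMP rules above do for a given source before relying on them.
# Assumptions: only -s (single IPv4 address or /32), -p udp and --dport are
# understood; CIDR ranges are not parsed.

# Usage: verdict_for RULES_FILE SRC_IP DPORT  -> prints ACCEPT or DROP
verdict_for() {
    rules="$1"; src="$2"; dport="$3"
    policy="ACCEPT"
    set -f   # no filename globbing while splitting rule lines into words
    while read -r line; do
        case "$line" in
            ":INPUT "*)          # chain policy line, e.g. ":INPUT ACCEPT [0:0]"
                policy=${line#:INPUT }; policy=${policy%% *}; continue ;;
            "-A INPUT "*) ;;     # a rule in the chain being simulated
            *) continue ;;       # *filter, other chains, COMMIT, comments
        esac
        rule_src=""; proto=""; rule_port=""; target=""
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                -s) rule_src="$2"; shift ;;
                -p) proto="$2"; shift ;;
                --dport) rule_port="$2"; shift ;;
                -j) target="$2"; shift ;;
            esac
            shift
        done
        # Every matcher the rule specifies must match the packet; the first
        # rule that matches decides, exactly as netfilter walks the chain.
        [ -z "$rule_src" ] || [ "$rule_src" = "$src" ] || [ "$rule_src" = "$src/32" ] || continue
        [ -z "$proto" ] || [ "$proto" = "udp" ] || continue
        [ -z "$rule_port" ] || [ "$rule_port" = "$dport" ] || continue
        set +f
        echo "$target"
        return 0
    done < "$rules"
    set +f
    echo "$policy"   # nothing matched: the chain policy applies
}

# Constructed rules.v4 as iptables-save would write the article's four rules.
build_article_rules() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 11.11.11.11/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 11.11.11.11/32 -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j DROP
-A INPUT -p udp -m udp --dport 162 -j DROP
COMMIT
EOF
    echo "$tmp"
}

# Constructed pitfall: the same rules appended (-A) to a chain that already
# accepts all UDP, so the DROP rule sits behind the earlier ACCEPT and never matches.
build_misordered_rules() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -j ACCEPT
-A INPUT -s 11.11.11.11/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j DROP
COMMIT
EOF
    echo "$tmp"
}

# Stand-alone run: show the verdicts for both rule sets.
good=$(build_article_rules); bad=$(build_misordered_rules)
echo "article rules, 11.11.11.11 -> udp/161: $(verdict_for "$good" 11.11.11.11 161)"
echo "article rules, 22.22.22.22 -> udp/161: $(verdict_for "$good" 22.22.22.22 161)"
echo "misordered,    22.22.22.22 -> udp/161: $(verdict_for "$bad" 22.22.22.22 161)"
rm -f "$good" "$bad"
```

Running verdict_for against your saved rules.v4 is a quick way to confirm that the DROP rules are actually reachable; if an unrelated source still gets ACCEPT, insert the SNMP rules earlier in the chain (iptables -I INPUT ...) instead of appending them, then save the file again.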

That’s it, have fun using SNMPv3.