Configure SNMPv3 on CentOS

Assume you are an administrator in a complex network environment. You will find that it is almost impossible to monitor all of the network devices by hand. SNMP addresses this problem: you get a notification when anything goes wrong with one of your network devices. However, another challenge is the security of SNMP itself. SNMPv1 and SNMPv2 only support plain-text communication; there is no concept of encryption or authentication in those versions. To meet compliance requirements, SNMP communication must be encrypted. SNMPv3 adds both authentication and encryption. In this tutorial, we will configure SNMPv3 on CentOS. Let's get started!


Configure SNMPv3 on CentOS

Let's start by setting up SNMP on CentOS 7. First, execute the command below to install the SNMP packages:

[root@firewallbuddy ~]# yum -y install net-snmp net-snmp-utils

This command installs the packages needed for all SNMP versions, including SNMPv3. Next, verify that the packages were installed on CentOS with the command below:

[root@firewallbuddy ~]# rpm -q net-snmp net-snmp-utils
net-snmp-5.7.2-49.el7_9.3.x86_64
net-snmp-utils-5.7.2-49.el7_9.3.x86_64

Both the net-snmp and net-snmp-utils packages are installed on the system.

Creating an SNMPv3 user

First, we will create a user for SNMPv3; there are several ways to do this. Whichever method you use, the snmpd process must be stopped before creating users, because snmpd rewrites its persistent configuration file when it stops and would discard your changes. Execute the command below to check the snmpd status:

[root@firewallbuddy ~]# service snmpd status
Redirecting to /bin/systemctl status snmpd.service
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

In our case, the snmpd service is already stopped. If it is running, stop it with the command below:

[root@firewallbuddy ~]# service snmpd stop
Redirecting to /bin/systemctl stop snmpd.service

Now, let's discuss these methods one by one.

Method 1: Interactive mode using net-snmp-create-v3-user utility

You can use the net-snmp-create-v3-user utility to create an SNMPv3 user interactively. By default, the authentication protocol is MD5 and the encryption protocol is DES, both of which are considered weak today; the next method shows how to choose SHA and AES instead. To create a user, type net-snmp-create-v3-user and hit enter:

[root@firewallbuddy ~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
firewallbuddy
Enter authentication pass-phrase:
firewallbuddy1
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]
firewallbuddy1
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser firewallbuddy MD5 "firewallbuddy1" DES firewallbuddy1
adding the following line to /etc/snmp/snmpd.conf:
   rwuser firewallbuddy

As you can see, the user firewallbuddy is created with an authentication and an encryption pass-phrase. Note that the utility also writes an rwuser line to /etc/snmp/snmpd.conf, which grants this user read-write access to the agent.

Method 2: CLI mode using net-snmp-create-v3-user utility

Here, we will define an SNMPv3 user with net-snmp-create-v3-user and additional arguments. Type the command below to see the usage of net-snmp-create-v3-user:

[root@firewallbuddy ~]# net-snmp-create-v3-user --help

Usage:
  net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass]
                          [-a MD5|SHA] [-x DES|AES] [username]

As you can see, you can explicitly choose the authentication and encryption protocols, and the -ro option creates a read-only user instead of the default read-write one.

This time, we will use SHA and AES for the SNMPv3 user. Use the command below to create an SNMPv3 user with these arguments:

net-snmp-create-v3-user -A firewallbuddy1cli -X firewallbuddy1cli -a SHA -x AES firewallbuddy_cli

The output below shows the user firewallbuddy_cli being created with firewallbuddy1cli as both its authentication and encryption password.

[root@firewallbuddy ~]# net-snmp-create-v3-user -A firewallbuddy1cli -X firewallbuddy1cli -a SHA -x AES firewallbuddy_cli
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser firewallbuddy_cli SHA "firewallbuddy1cli" AES firewallbuddy1cli
adding the following line to /etc/snmp/snmpd.conf:
   rwuser firewallbuddy_cli

Method 3: Manually by editing the /var/lib/net-snmp/snmpd.conf file

Finally, we will create an SNMPv3 user by editing the /var/lib/net-snmp/snmpd.conf file directly. Open the file in the vi editor and add the new user's createUser line at the bottom of the file:

vi /var/lib/net-snmp/snmpd.conf
createUser firewallbuddy MD5 "firewallbuddy1" DES firewallbuddy1
createUser firewallbuddy_cli SHA "firewallbuddy1cli" AES firewallbuddy1cli
createUser firewallbuddy_file MD5 "firewallbuddy2" DES firewallbuddy2

Save the file and exit vi. The first two createUser lines were written by methods 1 and 2; the new third line creates the user firewallbuddy_file with firewallbuddy2 as both its authentication and encryption password. Unlike the utility, this method does not add an access line to /etc/snmp/snmpd.conf, so you must add a rouser or rwuser line for firewallbuddy_file yourself before the user can query the agent.
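As an added example that is not part of the original article, the script below does what method 3 does without an interactive editor, using the stronger protocol choices from method 2 (SHA and AES) and granting read-only access that requires AuthPriv instead of the rwuser line the utility writes by default. The file paths are the CentOS 7 defaults; the function names and the overridable PERSIST_CONF/SNMPD_CONF variables are my own.

```bash
#!/bin/bash
# Added example, not from the original article: create an SNMPv3 user
# non-interactively with SHA/AES and read-only, privacy-required access.
# Assumed paths are the CentOS 7 net-snmp defaults; PERSIST_CONF and
# SNMPD_CONF can be overridden in the environment to work on copies.
PERSIST_CONF="${PERSIST_CONF:-/var/lib/net-snmp/snmpd.conf}"
SNMPD_CONF="${SNMPD_CONF:-/etc/snmp/snmpd.conf}"

# USM rejects passphrases shorter than 8 characters, so fail early.
check_passphrase() {
    [ "${#1}" -ge 8 ]
}

# snmpd rewrites the persistent file when it stops, so it must not be
# running while we edit the file (returns true when snmpd is not active).
snmpd_is_stopped() {
    ! systemctl is-active --quiet snmpd 2>/dev/null
}

# create_v3_ro_user NAME AUTHPASS PRIVPASS
# Appends a createUser line (SHA auth, AES privacy) to the persistent
# file and a read-only access line that only accepts AuthPriv requests.
create_v3_ro_user() {
    local name="$1" authpass="$2" privpass="$3"
    check_passphrase "$authpass" || { echo "auth passphrase too short (min 8)" >&2; return 1; }
    check_passphrase "$privpass" || { echo "priv passphrase too short (min 8)" >&2; return 1; }
    snmpd_is_stopped || { echo "stop snmpd before adding users" >&2; return 1; }
    if grep -Eq "^(rouser|rwuser)[[:space:]]+$name([[:space:]]|$)" "$SNMPD_CONF" 2>/dev/null; then
        echo "user $name already has an access line in $SNMPD_CONF" >&2
        return 1
    fi
    # On its next start snmpd replaces this line with a usmUser entry
    # holding localized keys, so the clear-text passphrases do not persist.
    printf 'createUser %s SHA "%s" AES "%s"\n' "$name" "$authpass" "$privpass" >> "$PERSIST_CONF"
    # "priv" makes the agent refuse noAuthNoPriv and authNoPriv requests
    # from this user; "rouser" denies SNMP SET operations.
    printf 'rouser %s priv\n' "$name" >> "$SNMPD_CONF"
}

# Usage when run as a script: ./add-v3-user.sh NAME AUTHPASS PRIVPASS
if [ "$#" -eq 3 ]; then
    create_v3_ro_user "$1" "$2" "$3"
fi
```

After running it, start snmpd and test with snmpwalk -v 3 -l AuthPriv -a SHA -x AES and the user's two passphrases, as in the testing section of this article.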

Managing the SNMP/SNMPv3 services on CentOS

Earlier, we created the SNMPv3 users. Now, we will start the SNMP service on our CentOS system. You can use the systemctl utility (or the service wrapper, which redirects to it) to manage the SNMP service.

Hit the below command to start the SNMP service:

service snmpd start

The output below shows the SNMP service starting without error.

[root@firewallbuddy ~]# service snmpd start
Redirecting to /bin/systemctl start snmpd.service

To check the status of the SNMP service, hit the below command:

service snmpd status

The status output shows SNMP-related information, including the NET-SNMP version, in your CLI session:

[root@firewallbuddy ~]# service snmpd status
Redirecting to /bin/systemctl status snmpd.service
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-12-29 08:42:06 EST; 1min 26s ago
 Main PID: 12780 (snmpd)
   CGroup: /system.slice/snmpd.service
           └─12780 /usr/sbin/snmpd -LS0-6d -f

Dec 29 08:42:06 firewallbuddy systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Dec 29 08:42:06 firewallbuddy snmpd[12780]: NET-SNMP version 5.7.2
Dec 29 08:42:06 firewallbuddy systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

Similarly, to stop the SNMP service, run the command below:

service snmpd stop

To make the SNMP service start automatically at boot, enable snmpd:

systemctl enable snmpd

Testing the SNMPv3 using snmpwalk on CentOS

In this section, we will test the SNMPv3 service using snmpwalk. The snmpwalk utility retrieves information from an SNMP agent by walking the OID subtree you specify.

We will use the syntax below to test the SNMPv3 configuration.

snmpwalk -v 3 -u USERNAME -X ENCRYPTION_PASSWORD -A AUTH_PASSWORD -c public -l AuthPriv localhost sysUptime

Replace USERNAME, ENCRYPTION_PASSWORD and AUTH_PASSWORD with the values created earlier. The -l AuthPriv security level requires both authentication and encryption; note that -c public is an SNMPv1/v2c community string and is ignored for SNMPv3 requests.

[root@firewallbuddy ~]# snmpwalk -v 3 -u firewallbuddy -X firewallbuddy1 -A firewallbuddy1 -c public -l AuthPriv localhost sysUptime
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (76538) 0:12:45.38

This proves that SNMPv3 is working on our CentOS system. Next, let's run snmpwalk with the additional -a and -x arguments, which must match the protocols chosen when the user was created (SHA and AES for firewallbuddy_cli), since snmpwalk otherwise assumes the MD5 and DES defaults:

[root@firewallbuddy ~]# snmpwalk -v 3 -u firewallbuddy_cli -x AES -X firewallbuddy1cli -a SHA -A firewallbuddy1cli -c public -l AuthPriv localhost sysUptime
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (128126) 0:21:21.26

You can query other OIDs to retrieve more information from your CentOS system.

Network Configuration for SNMP on CentOS

SNMP communication uses UDP port 161 between the manager (client) and the agent (server). Make sure UDP/161 is allowed between the SNMP client and server on any intermediate firewalls.

In addition, allow UDP/161 in the host firewall of your CentOS system. With iptables, you can use the commands below to allow SNMP traffic; for a tighter rule, add -s followed by your monitoring server's address so that only that host can reach the agent. On CentOS 7, service iptables save requires the iptables-services package; if firewalld is in use instead, run firewall-cmd --permanent --add-service=snmp followed by firewall-cmd --reload.

iptables -I INPUT 1 -p udp --dport 161 -j ACCEPT
service iptables save

Conclusion

SNMPv3 lets us retrieve CentOS server information over an authenticated and encrypted channel. We have seen several ways to define SNMPv3 users, and we have configured and tested the SNMPv3 setup using the snmpwalk utility.

Did you find this article helpful? Please comment in the comment box for the issues related to the SNMP setup.
