rss logo

Installing SNMPv3 Agent on Debian Linux

Net-snmp Logo

Recently, I needed to monitor the network interfaces of a Debian machine. The easiest way to achieve this is by utilizing SNMP, as I demonstrated brilliantly here. My objective was to set up an SNMPv3 agent, which is the most secure version of this protocol.

I finally managed to do it with the snmpd package provided by Net-SNMP. And I will show how to do it now!

  • Configuration:
    • OS: debian 12 bookworm
    • snmpd (net-snmp): 5.9.3

Install and configure SNMPD

  • Install the snmpd package and Net-SMTP tools:
root@host:~# apt update && apt install snmpd snmp
  • Check we can do a snmpwalk request:
root@host:~# snmpwalk -OQne -t 10 -v1 -cpublic . . = "Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64" . = . . = 0:0:14:54.11 . = "Me <>" . = "debian" […]

Create an SNMP User

To enable SNMPv3, which requires authentication, we need to create a SNMP user. We will use the net-snmp-create-v3-user tool for this purpose. (Note: It appears to be available only on recent Debian releases.)

  • Stop the snmpd service:
root@host:~# systemctl stop snmpd
  • Using the net-snmp-create-v3-user command, create an SNMP user with the following options:
    • -ro: Create a user with read-only permissions
    • -a: Specify the authentication algorithm
    • -x: Specify the encryption algorithm
root@host:~# net-snmp-create-v3-user -ro -a SHA -x AES Enter a SNMPv3 user name to create: snmpuser Enter authentication pass-phrase: SNMPbadPASS Enter encryption pass-phrase: [press return to reuse the authentication pass-phrase] adding the following line to /var/lib/snmp/snmpd.conf: createUser snmpuser SHA "SNMPbadPASS" AES adding the following line to /etc/snmp/snmpd.conf: rouser snmpuser
  • Start the snmpd servce:
root@host:~# systemctl start snmpd
  • Use the snmpwalk command to verify that it's working:
root@host:~# snmpwalk -OQne -v 3 -t 10 -l AuthPriv -u snmpuser -a SHA1 -A SNMPbadPASS -x AES -X SNMPbadPASS -Os

Configure Network Access

At this point, SNMPv3 should be operational, but it will only respond to queries from the local IP address. If you wish to query the SNMP service over the network, you will need to modify the configuration file.

  • Edit the /etc/snmp/snmpd.conf file and modify the agentaddress line to include your listening address, allowing your snmpd service to accept external requests:
  • For security reasons, to enable SNMPv3 exclusively, your /etc/snmp/snmpd.conf file should be configured as follows:
sysLocation area which we call The Twilight Zone sysContact Me <> sysServices 72 master agentx agentaddress,[::1], includeDir /etc/snmp/snmpd.conf.d rouser snmpuser
  • Check with the snmpwalk command:
root@host:~# snmpwalk -OQne -v 3 -t 10 -l AuthPriv -u snmpuser -a SHA1 -A SNMPbadPASS -x AES -X SNMPbadPASS -Os