Recently, I needed to monitor the network interfaces of a Debian machine. The easiest way to achieve this is by utilizing SNMP, as I demonstrated brilliantly here. My objective was to set up an SNMPv3 agent, which is the most secure version of this protocol.
I finally managed to do it with the snmpd package provided by Net-SNMP. And I will show how to do it now!
- Configuration:
- OS: debian 12 bookworm
- snmpd (net-snmp): 5.9.3
Install and configure SNMPD
- Install the snmpd package and Net-SMTP tools:
root@host:~# apt update && apt install snmpd snmp
- Check that we can make a snmpwalk request:
root@host:~# snmpwalk -OQne -t 10 -v1 -cpublic 127.0.0.1 .1.3.6.1.2.1.1
.1.3.6.1.2.1.1.1.0 = "Linux debian 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64"
.1.3.6.1.2.1.1.2.0 = .1.3.6.1.4.1.8072.3.2.10
.1.3.6.1.2.1.1.3.0 = 0:0:14:54.11
.1.3.6.1.2.1.1.4.0 = "Me <me@example.org>"
.1.3.6.1.2.1.1.5.0 = "debian"
[…]
Create an SNMP User
To enable SNMPv3, which requires authentication, we need to create a SNMP user. We will use the net-snmp-create-v3-user tool for this purpose. (Note: It appears to be available only on recent Debian releases.)
- Stop the snmpd service:
root@host:~# systemctl stop snmpd
- Using the net-snmp-create-v3-user command, create an SNMP user with the following options:
- -ro: Create a user with read-only permissions
- -a: Specify the authentication algorithm
- -x: Specify the encryption algorithm
root@host:~# net-snmp-create-v3-user -ro -a SHA -x AES
Enter a SNMPv3 user name to create:
snmpuser
Enter authentication pass-phrase:
SNMPbadPASS
Enter encryption pass-phrase:
[press return to reuse the authentication pass-phrase]
adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmpuser SHA "SNMPbadPASS" AES
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpuser
- Start the snmpd servce:
root@host:~# systemctl start snmpd
- Use the snmpwalk command to verify that it's working:
root@host:~# snmpwalk -OQne -v 3 -t 10 -l AuthPriv -u snmpuser -a SHA1 -A SNMPbadPASS -x AES -X SNMPbadPASS 127.0.0.1 -Os 1.3.6.1.2.1.2.2.1
Configure Network Access
At this point, SNMPv3 should be operational, but it will only respond to queries from the local IP address. If you wish to query the SNMP service over the network, you will need to modify the configuration file.
- Edit the /etc/snmp/snmpd.conf file and modify the agentaddress line to include your listening address, allowing your snmpd service to accept external requests:
agentaddress 127.0.0.1,[::1],192.168.1.10
- For security reasons, to enable SNMPv3 exclusively, your /etc/snmp/snmpd.conf file should be configured as follows:
sysLocation area which we call The Twilight Zone
sysContact Me <me@example.org>
sysServices 72
master agentx
agentaddress 127.0.0.1,[::1],192.168.1.10
includeDir /etc/snmp/snmpd.conf.d
rouser snmpuser
- Check with the snmpwalk command:
root@host:~# snmpwalk -OQne -v 3 -t 10 -l AuthPriv -u snmpuser -a SHA1 -A SNMPbadPASS -x AES -X SNMPbadPASS 192.168.1.10 -Os 1.3.6.1.2.1.2.2.1