SNMP

1. SNMP Version 1: The first version of SNMP to be implemented, version 1 was designed to be a protocol to provide device statistics and error reporting without consuming a lot of system resources. Security was limited to community strings and access controls based on the IP address of the querying server. Data communication wasn't encrypted.
2. SNMP Version 2: The second version of SNMP, often referred to as v2c, expanded the number of supported error codes, increased the size of counters used to track data, and had the ability to do bulk queries that more efficiently loaded response packets with data. SNMP v2c is backward compatible with version 1.
3. SNMP Version 3: This version provides greater security and remote configuration capabilities than its predecessors. Access isn't limited to a single community string for read-only and read/write access, as

usernames and passwords have been introduced. Views of OIDs in a MIB can also be limited on a per-user basis. Support for encrypted SNMP data transfer and transfer error detection is also provided.

• If you intend to use your Linux box to query your network devices, other servers or even itself using MRTG or any other tool, you need to have the SNMP utility tools package net-snmp-utils installed.
• Utilities
  • snmpget
  • snmpwalk

sudo apt-get install snmp

• snmpwalk
• The example below gets all the value in the interface MIB of the local server using SNMP v1

snmpwalk -v 1 -c iptel 147.10.17.96
snmpwalk -v 1 -c craz33guy localhost interface

• snmptrap

snmptrap -v 2c -c iptel -d 10.80.100.38 1002 1.3.6.1.4.1.161.1.1.0

• Install snmpd package

sudo apt-get install snmpd

• Move existing /etc/snmp/snmpd.conf configuration file to /etc/snmp/snmpd.conf.org

mv /etc/snmp/snmpd.conf  /etc/snmp/snmpd.conf.org

• Create a new /etc/snmp/snmpd.conf file:

rocommunity  iptel
syslocation  "17/320 Pitt St, Sydney"
syscontact  eduardo.ferreira@team.telstra.com

• Edit /etc/default/snmpd
• Configure the IP address that snmpd listens on
• Enable snmptrapd which is disabled by default as of net-snmp version# 5.0
• Leave the other setting as the default

# snmpd options (use syslog, close stdin/out/err).
# replace 204.x.y.z with your public IP
# SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1 204.x.y.z'
 
# snmptrapd control (yes means start daemon).  As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run.  See snmpd.conf(5) for how to do this.
TRAPDRUN=yes

• Configure SNMP trap to go to syslog facilities 2
• Edit /etc/default/snmptrapd.conf

# For Community String iptel
authCommunity log,execute,net iptel

# Log to syslog with facility level 2
logOption s 2

• Restart SNMP

sudo /etc/init.d/snmpd restart

• Stop SNMP

sudo /etc/init.d/snmpd stop 

• Create SNMPv3 user
• In this example the authentication password of “pocketmonster” for the read only (-ro) username “iptel” is encrypted using the MD5 algorithm. The data received will not be encrypted.

server:/$ sudo net-snmp-config --create-snmpv3-user -ro -a MD5 -A pocketmonster iptel

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser iptel MD5 "pocketmonster" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser iptel

server:/$

• Create SNMPv3 user
• To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username “iptel” and authentication password “pocketmonster” are used, but this time the data will be encrypted using the DES algorithm with the privacy password of “pocketmonster”.

server:/$ sudo net-snmp-config --create-snmpv3-user -ro -a MD5 -A pocketmonster -x DES -X pocketmonster iptel

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser iptel MD5 "pocketmonster" DES pocketmonster
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser iptel

server:/$

• Restart SNMP

sudo /etc/init.d/snmpd stop 

• Your password and privilege information are stored in /var/lib/snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. here is an example.

createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES

• The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts which helps to further increase security. We can see an example of this configuration here.

usmUser 1 3 0x80001f88780711168720eb1e745
0x73656375626576337573657200
0x73656375726576337573657200
NULL .1.3.6.1.6.3.10.1.1.2 0xd951
ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2
0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745
0x757365726e61657534736e6d70763300
0x757365726e616d6534736e6d70763300
NULL .1.3.6.1.6.3.10.
1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd
.1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474

• To test non-encrypted SNMPv3 data
• We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).

[root@server ~]# snmpget -v 3 -u iptel -l authNoPriv -a MD5 -A pocketmonster 147.10.33.67 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@server ~]#

• To test encrypted SNMPv3 data

[root@server ~]# snmpget -v 3 -u iptel -l authPriv -a MD5 -A pocketmonster -x DES -X pocketmonster 147.10.33.67 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@server ~]#