How to enable SNMP v3 in CentOS or RedHat Linux?


SNMP stands for Simple Network Management Protocol. It is an application-layer protocol designed to monitor the devices on a network. It is widely used for monitoring network devices and servers.

There are two stakeholders in SNMP based monitoring.

  1. SNMP manager / monitoring system: This is the monitoring server. It lies in your environment and queries the target servers/devices.
  2. SNMP agent: This agent runs on the target servers or devices. It answers the queries from the SNMP manager.

This post covers how to enable SNMP on CentOS/RHEL Linux. I wrote about monitoring servers using the AWS CloudWatch agent in my previous post, "5 Steps to Monitor Lightsail VM using Amazon Cloud Watch". I wrote about an easier way (not an efficient way) of monitoring servers. This is the methodology I was referring to. You need a monitoring system that supports SNMP to use this technique.

You need to do this in two steps –

  1. SNMP library installation
  2. SNMP v3 configuration

SNMP Library Installation:

First, install the net-snmp packages on the Linux machine. The following command does this.

sudo yum install net-snmp net-snmp-utils net-snmp-devel -y
Complete!

This will install the packages and the SNMP daemon, snmpd.

SNMP v3 configuration

SNMP has 3 versions.

  1. Version 1: This is the old version of SNMP. The handshake between the SNMP server and the SNMP agent is based on a community string. This method is considered insecure and is not expected to be used in modern networks.
  2. Version 2c: It was introduced to address some of the limitations of version 1. Still, it inherits the community-string-based authentication. While it is still discouraged, it may be used in private networks where security is of great concern.
  3. Version 3: This is the modern version. It performs the handshake using a username, an authentication password and a privacy password, with support for different encryption algorithms for authentication and privacy.

This post shows how to enable SNMP v3.

Stop the snmpd service, as we are making a change.

sudo systemctl stop snmpd

Issue the net-snmp-config command with the following values.

  • Username: inframon
  • Authentication password: authpassword
  • Privacy password: privpassword
  • Authentication protocol: SHA
  • Privacy protocol: DES

Syntax:

net-snmp-config --create-snmpv3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]

Example

sudo net-snmp-config  --create-snmpv3-user -A authpassword -a SHA -X privpassword -x DES inframon

Alternatively, you may issue the net-snmp-create-v3-user command.

sudo net-snmp-create-v3-user -ro -A authpassword -a SHA -X privpassword -x DES inframon

This command will add the following line to /var/lib/net-snmp/snmpd.conf:

createUser inframon SHA "***" DES ***

In addition, it will add the following line to /etc/snmp/snmpd.conf:

rouser inframon

You may verify this in the net-snmp configuration.

cat /var/lib/net-snmp/snmpd.conf
createUser myv3user SHA "***" AES ***
createUser inframon SHA "***" DES ***

Verify the snmpd configuration as well.

cat /etc/snmp/snmpd.conf
#  See the snmpd.conf manual page, and the output of "snmpd -H".
rouser myv3user
rouser inframon
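
As an added example (not part of the original post), the shell function below audits snmpd.conf-style lines for the weaker choices visible in the two files above: DES privacy, MD5 authentication, community-string access, and rouser entries without a priv level, which let the agent answer unencrypted authNoPriv requests. The function names are hypothetical, and the sample lines are the inframon entries shown above plus a constructed hardened variant.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak SNMP settings in
# snmpd.conf-style lines read from stdin. Exit status 1 means findings.
# Assumption: createUser lines carry no "-e ENGINEID" option.
audit_snmp_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    $1 ~ /^(rocommunity|rwcommunity|com2sec)6?$/ {
        print "community string (v1/v2c) access: " $1; bad++; next
    }
    $1 == "createUser" {
        # createUser NAME AUTHPROTO "authpass" [PRIVPROTO [privpass]]
        line = $0
        gsub(/"[^"]*"/, "Q", line)               # quoted passphrases may contain spaces
        split(line, f, " ")
        if (f[3] == "MD5") { print "user " f[2] ": MD5 authentication"; bad++ }
        if (f[5] == "DES") { print "user " f[2] ": DES privacy"; bad++ }
        if (f[5] == "")    { print "user " f[2] ": no privacy protocol"; bad++ }
        next
    }
    $1 == "rouser" || $1 == "rwuser" {
        # rouser [-s SECMODEL] NAME [noauth|auth|priv ...]; level defaults to auth
        u = ($2 == "-s") ? 4 : 2
        if ($(u + 1) != "priv") {
            print $1 " " $u ": unencrypted (authNoPriv) requests accepted"; bad++
        }
    }
    END { exit (bad > 0) }
    '
}

# The lines the post shows for the inframon user (passphrases masked as on the page).
page_conf() {
    printf '%s\n' 'createUser inframon SHA "***" DES ***' 'rouser inframon'
}

# Constructed hardened variant: AES privacy, and the agent insists on authPriv.
hardened_conf() {
    printf '%s\n' 'createUser inframon SHA "***" AES ***' 'rouser inframon priv'
}

echo "== as configured in the post =="
page_conf | audit_snmp_conf || true
echo "== hardened variant =="
hardened_conf | audit_snmp_conf && echo "no findings"
```

Run it against /var/lib/net-snmp/snmpd.conf before snmpd is started, because the agent replaces createUser lines with localized usmUser keys on startup.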

Restart the snmpd service now.

sudo systemctl enable snmpd.service
sudo systemctl restart snmpd.service

The SNMP package comes with its own SNMP manager. You may run snmpwalk to check that the agent is working.

snmpwalk -v3 -u inframon -l authPriv -A authpassword  -a SHA -X privpassword -x DES localhost

The snmpwalk command can also be issued with a specific OID. The following command checks the value of the device uptime OID, .1.3.6.1.2.1.1.3:

snmpwalk -v3 -u inframon -l authPriv -A authpassword -a SHA -X privpassword -x DES localhost .1.3.6.1.2.1.1.3
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24484) 0:04:04.84

Firewall

SNMP is enabled and working now. To monitor this server in an agentless manner, the monitoring system may need to connect to the SNMP port. In that case, you need to open UDP port 161.

firewall-cmd --zone=public --add-port=161/udp --permanent
firewall-cmd --reload

Things to know before implementing SNMP based monitoring

In summary, SNMP monitoring is convenient. At the same time, it comes with its own handicaps, as it is not widely supported by different applications. Hence it is better suited to network devices and basic server monitoring. Even for server monitoring, SNMP may not be able to support you when you need more insights.

The SNMP manager and agent consume resources. Frequent polling of large amounts of data may be a concern on resource-constrained machines/devices.

The Microsoft Windows O/S does not have native support for SNMP v3.


This post is written as part of #WriteAPageADay campaign of BlogChatter
