SNMP Version 3 on Linux
Server - CentOS

SNMP comes in three versions, and two of them offer almost no security. Version 3, the most secure option, still has to be configured securely. The chart below illustrates the security issues. Note that SNMPv3 itself has three different security levels, so do not make the mistake of assuming they are all secure; they are not.

Version   Level          Authentication     Encryption   Description
SNMPv1    noAuthNoPriv   Community String   No           Match Community String
SNMPv2    noAuthNoPriv   Community String   No           Match Community String
SNMPv3    noAuthNoPriv   Username           No           Match Username
SNMPv3    authNoPriv     MD5 or SHA         No           Auth Based on Algorithms
SNMPv3    authPriv       MD5 or SHA         Yes - DES    Auth Algorithms and Encryption

Setting Up SNMP on Linux


yum install -y net-snmp net-snmp-utils net-snmp-devel


Move the default file in /etc/snmp to a backup so you can start from a clean, simpler file.

cd /etc/snmp
mv snmpd.conf bk.snmp.conf

Now create a new snmpd.conf file.

Create the file and replace “192.168.5.0/24 public” with your network and community string. Note that the view includes the whole tree by using “.1”.


##### SNMP Configuration Versions 1 and 2 #####

##### Community String #####

com2sec notConfigUser 192.168.5.0/24 public

##### Security Name #####

group notConfigGroup v1 notConfigUser

group notConfigGroup v2c notConfigUser

##### View of Tree #####

view all included .1 80

#####

access notConfigGroup "" any noauth exact all none none


Save and restart the snmpd daemon.


service snmpd restart


From another machine on your network you should be able to walk the tree, provided the firewall on the box permits access to UDP port 161.

snmpwalk -v2c -c public 192.168.5.195


You should also be able to walk the SNMP tree using SNMP version 1.

snmpwalk -v1 -c public 192.168.5.195

Blocking SNMP versions 1 and 2: simply comment out the group line for each version and restart snmpd, and that version is blocked.

#group notConfigGroup v2c notConfigUser


snmpwalk -v2c -c public 192.168.5.195

Timeout: No Response from 192.168.5.195


So now you have a basic understanding of the versions. Next, add a version 3 user. Edit the snmpd.conf file, add these two lines, then save and restart snmpd.


##### SNMP v3 User #####

createUser user1

rouser user1 noauth 1.3.6.1.2.1.1


Note that this user's access to the tree has been restricted to the 1.3.6.1.2.1.1 subtree.


snmpget -v 3 -u user1 -l NoauthNoPriv 192.168.5.195 1.3.6.1.2.1.1.1.0

iso.3.6.1.2.1.1.1.0 = STRING: "Linux webmin 2.6.18-194.26.1.el5.028stab079.2 #1 SMP Fri Dec 17 19:25:14 MSK 2010 i686"


So at this point you have an SNMP version 3 user who is accessing information just as insecurely as with versions 1 and 2.


At this point you want to create a secure user for access. Keep in mind that an MD5 passphrase must be at least 8 characters long. Here is the format.


net-snmp-config --create-snmpv3-user -a user_password username


Here is the command and results.


net-snmp-config --create-snmpv3-user -a netinlinux23 netuser

adding the following line to /var/lib/net-snmp/snmpd.conf:

createUser netuser MD5 "netinlinux23" DES

adding the following line to /etc/snmp/snmpd.conf:

rwuser netuser


This adds a line to the end of your snmpd.conf file. Now restart snmpd and test it.


snmpget -v 3 -u netuser -l authNoPriv -a MD5 -A netinlinux23 192.168.5.195 1.3.6.1.2.1.1.1.0

iso.3.6.1.2.1.1.1.0 = STRING: "Linux webmin 2.6.18-194.26.1.el5.028stab079.2 #1 SMP Fri Dec 17 19:25:14 MSK 2010 i686"


You now have a secure, encrypted connection to the Linux box.
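The following shell script, an added example rather than part of the original walkthrough, audits an snmpd.conf for the weak states this page passes through: uncommented v1/v2c group lines, a rouser/rwuser granted at the noauth level, a createUser line with no authentication or with authentication but no privacy protocol (so the user can only ever connect at authNoPriv, which is not encrypted), and DES privacy. The directive syntax is net-snmp's; both sample configurations are constructed here, and the hardened variant (SHA, AES, priv on the rwuser line) is the editor's assumption of a sensible target, not something from the page.

```shell
# Added example (not from the original walkthrough): audit an snmpd.conf for
# the weak settings the steps above move away from. Assumes net-snmp's
# snmpd.conf directive syntax; the sample configurations are constructed here.
audit_snmpd_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        # community-string access for v1 / v2c is still enabled
        $1 == "group" && ($3 == "v1" || $3 == "v2c") {
            print "WEAK: " $3 " community-string access via group " $2
        }
        # a v3 user is granted access without authentication
        ($1 == "rouser" || $1 == "rwuser") && $3 == "noauth" {
            print "WEAK: " $1 " " $2 " allows unauthenticated access"
        }
        # createUser NAME (no auth protocol or passphrase at all)
        $1 == "createUser" && NF == 2 {
            print "WEAK: user " $2 " has no authentication passphrase"
        }
        # createUser NAME AUTHPROTO "pass" (authenticated, but never encrypted)
        $1 == "createUser" && NF == 4 {
            print "WARN: user " $2 " authenticates with " $3 " but has no privacy protocol"
        }
        # single DES privacy is weak; net-snmp also supports AES
        $1 == "createUser" && NF >= 5 && $5 == "DES" {
            print "WARN: user " $2 " uses DES privacy; prefer AES"
        }
    ' "$@"   # reads the given file(s), or stdin when none is given
}

# Number of findings as a bare integer (awk avoids wc's padding).
count_findings() { audit_snmpd_conf "$@" | awk 'END { print NR }'; }

# Constructed sample mirroring this page's configuration: v2c commented out,
# the noauth user1 and the MD5/DES netuser both present.
WEAK_CONF='com2sec notConfigUser 192.168.5.0/24 public
group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
view all included .1 80
access notConfigGroup "" any noauth exact all none none
createUser user1
rouser user1 noauth 1.3.6.1.2.1.1
createUser netuser MD5 "netinlinux23" DES
rwuser netuser'

# Hardened equivalent (assumed target): SHA auth, AES privacy, privacy required.
HARDENED_CONF='createUser netuser SHA "netinlinux23" AES
rwuser netuser priv'
printf '%s\n' "$WEAK_CONF" | audit_snmpd_conf        # 4 findings
printf '%s\n' "$HARDENED_CONF" | audit_snmpd_conf    # no findings
```

Run it against the live file with audit_snmpd_conf /etc/snmp/snmpd.conf after each edit; an empty result means none of the states above remain.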