Hardening SNMP on Debian

Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.

Modify /etc/snmp/snmpd.conf

First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with

  • rocommunity
  • view
  • rouser authPriv <– “This may be the last line by default, we don’t need it”

Alternatively, you can copy and paste the following sed commands instead of manually editing the file.

sudo sed -i 's/^rocommunity/# rocommunity/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf

Create SNMP v3 User

We can create an SNMP v3 user with the following command. It will prompt you for the username and passwords.

sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES

You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.

Debian SNMP Error

Now we can start SNMPD

sudo systemctl start snmpd

Troubleshooting

My created user is not working! This could result from two different issues.

  1. It appears that Debian/SNMP doesn’t like passphrases with special characters. You can try using a different password or escaping the special characters in the “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
  2. The user didn’t get added to /etc/snmp/snmpd.conf. To fix, add “rouser snmpuser” (change snmpuser to your SNMP username) to the bottom of the config file.

Hardening SNMP on CentOS/RedHat/Fedora Etc.

These steps should be similar across Red Hat type distros.

Before we proceed, let’s stop SNMP

sudo systemctl stop snmpd

Disable SNMP Versions 1 and 2c

First we are going to disable SNMP v1 and v2c

You can manually edit the /etc/snmp/snmpd.conf file and comment out or delete every line starting with com2sec, group, access. Or you can run the following sed commands to change it for you.

sudo sed -i 's/^com2sec/# com2sec/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^group/# group/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^access/# access/g' /etc/snmp/snmpd.conf

https://serverfault.com/questions/376688/how-to-disable-version-1-and-version-2c-in-snmpd
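A check to run after the sed edits in either the Debian or the Red Hat section, as an added example that is not part of the original post. The function names audit_snmpd_conf and sample_conf are hypothetical, and the sample config is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reports directives in a net-snmp
# snmpd.conf that still allow SNMP v1/v2c or weak v3 algorithms. Prints one
# "line-number: finding" per hit and nothing when the file is clean.
# Reads the file named in $1, or stdin when no argument is given.
audit_snmpd_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and commented lines
        $1 ~ /^r[ow]community6?$/ {            # v1/v2c community strings
            print NR ": v1/v2c community directive: " $1; next }
        $1 ~ /^com2sec6?$/ {                   # community to security-name map
            print NR ": v1/v2c mapping directive: " $1; next }
        $1 == "group" && ($3 == "v1" || $3 == "v2c") {
            print NR ": group bound to security model " $3; next }
        $1 == "createUser" {                   # weak v3 auth/priv algorithms
            for (i = 3; i <= NF; i++)
                if ($i == "MD5" || $i == "DES")
                    print NR ": createUser line uses " $i
        }
    ' "${1:--}"
}

# Constructed sample config (hypothetical values) used to exercise the check.
sample_conf() {
    cat <<'EOF'
# rocommunity public default -V systemonly
  rwcommunity private 10.0.0.0/8
com2sec notConfigUser default public
group notConfigGroup v2c notConfigUser
group v3group usm snmpuser
createUser snmpadmin MD5 "r123456" DES
rouser snmpuser
EOF
}

sample_conf | audit_snmpd_conf
```

The sed patterns are anchored with ^ and only name specific directives, so an indented line or an rwcommunity line survives them; this check catches both. Run it against the real file with audit_snmpd_conf /etc/snmp/snmpd.conf.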

Create SNMP Version 3 User

Follow the prompts to create an SNMP v3 user.

sudo net-snmp-create-v3-user -ro -a SHA -x AES

Start SNMP

sudo systemctl start snmpd

You should be good to go.

If you are running a firewall, you will need to allow an exception for SNMP, UDP port 161. You may also need to allow an SELinux exception. Check out the last portion of both these articles.

Allowing SNMP Through Firewall

cnMaestro configuration for SNMPv3

The following works for setting the SNMPv3 configuration on Cambium 450i 900s. Once applied, it’ll change the SNMP settings and reboot the radio.

You’ll need to find the hashed password which can be found in a config backup.
Change the SNMP username/community as needed.

{
  "userParameters": {
    "snmpConfig": {
      "user2Group": 0,
      "snmpv3EngineId": "007000a9840a003e464e7a",
      "rwAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
      "commStringROnly": "rocommunitystring2",
      "user2PrivPassword": "",
      "user1AuthPassword": "",
      "snmpv3AuthProt": 0,
      "snmpv3TrapEnable": 0,
      "snmpv3PrivProt": 0,
      "snmpMibPerm": 1,
      "roAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
      "commStringRW": "communitystring",
      "userGroup1": 0,
      "user1Enable": 0,
      "snmpv3SecLvl": 2,
      "user2Enable": 0,
      "rwUserName": "Canopy",
      "roUserName": "snmpv3user",
      "roPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
      "userName1": "",
      "snmpPort": 161,
      "rwUserEnable": 0,
      "trapDomainNameAppend": 0,
      "rwPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
      "user1PrivPassword": "",
      "userName2": "",
      "user3PrivPassword": "",
      "user2AuthPassword": "",
      "userName3": "",
      "user3Enable": 0,
      "snmpTrapPort": 162,
      "user3AuthPassword": "",
      "user3Group": 0,
      "trapDelayAfterBootup": 5,
      "snmpIpAccessFilter": [
        {
          "address": "192.168.0.0",
          "netmask": 24
        },
        {
          "address": "10.0.1.0",
          "netmask": 24
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        },
        {
          "address": "0.0.0.0",
          "netmask": 0
        }
      ],
      "snmpTrapAddresses": [
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0",
        "0.0.0.0"
      ]
    }
  }
}

Setup SNMPv3 on Mikrotik Router

Setting up SNMP via WinBox is straightforward. The following commands show how to set it up from the command line, with some troubleshooting info at the end.

Setup SNMPv3

Setup Community (Change v3Private, encpass, and authpass to their respective names or passwords)

snmp community add name=v3Private encryption-protocol=AES encryption-password=encpass authentication-protocol=SHA1 authentication-password=authpass security=private

Enable and set SNMP community (Trap Community needs to match the above command.  Change contact and the location as needed.)

snmp set contact=admin@incredigeek.com location=DeviceLocation trap-community=v3Private

Troubleshooting

Sometimes, for no apparent reason it seems, routerOS will have issues using the default community.  Work around is to create and use a new community.

Cannot connect with AES encryption

AES doesn’t always seem to work reliably.  It seems to work on some devices and not others.  The workaround is to use DES.

Note that DES is deprecated on newer systems.  For example, you will not be able to read the SNMP details on a router that uses DES from a machine running AlmaLinux 9.  AES seems to be working fine now in 2023.

Log shows Permission Denied

Double check the allowed-from addresses, user, and passwords.

Delete SNMPv3 User on Linux

Don’t know if this is the recommended way to delete a user, but it seems to work.

sudo service snmpd stop

Open up the snmpd.conf file in /var/lib and find the line with the SNMP user and delete the line

sudo vi /var/lib/snmp/snmpd.conf

The above file may be in the following location on RPM based systems.

sudo vi /var/lib/net-snmp/snmpd.conf

Save, exit, and start snmpd

sudo service snmpd start

These steps work for Ubuntu, but should work for any Debian based distro as well as CentOS, Fedora, RedHat etc.

SNMPv3 snmpwalk

Where AuthPass is your SNMPv3 authentication password and CryptoPass is your SNMPv3 encryption password.

snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost

If you’re not using encryption, you should be able to drop the “-x DES” and “-X CryptoPass” options, and change the “-l” option from “authPriv” to “authNoPriv”.

Setup SNMP v3 on Debian or Ubuntu

All the following commands should work on Ubuntu, or just about any other Debian based Linux distro.  If you have a firewall on the server, you’ll need to allow UDP on port 161.

Install SNMP

Install snmp, snmpd, and libsnmp.

sudo apt-get -y install snmp snmpd libsnmp-dev

Stop the snmpd service so we can add a user

sudo service snmpd stop

Add SNMP v3 user

  • Change AuthPassword to your Authentication password
  • Change CryptoPassword to your Crypto Password
  • Change privUser to your private user’s username

sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X CryptoPassword -a MD5 -x AES privUser

Change System Location, System Contact, and allow SNMP on all interfaces

Open up the SNMP config file usually in /etc/snmp/snmpd.conf

vi /etc/snmp/snmpd.conf

Search for “sysLocation”  and change to whatever your system location is.

Search for “sysContact” and change it.  It should be right underneath sysLocation.

Now allow SNMP on all interfaces.  Find the following line and comment it out.

agentAddress udp:127.0.0.1:161

Add a # to the beginning.

#agentAddress udp:127.0.0.1:161

Now find this line (should be a couple lines down from the line you just commented out)

#agentAddress udp:161,udp6:[::1]:161

and uncomment it

agentAddress udp:161,udp6:[::1]:161

That will enable it so you can read the SNMP info using the server’s IP address, as opposed to being limited to localhost.

Start the SNMP service and Test

Start the SNMP service

service snmpd start

Test with

snmpwalk -v3 -a MD5 -A AuthPassword -x AES -X CryptoPassword -l authPriv -u privUser localhost

 

Setting up SNMP V3 on CentOS

Install SNMP.

yum install net-snmp net-snmp-utils

Configure the SNMP V3 user by running the following command and then following the prompts it gives you.

net-snmp-create-v3-user

Example: The username is “snmpadmin” and the password is “r123456”

[root@localhost ~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
snmpadmin
Enter authentication pass-phrase:
r123456
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpadmin MD5 "r123456" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser snmpadmin
[root@localhost ~]#

Change the syslocation and syscontact in the /etc/snmp/snmpd.conf file.

vi /etc/snmp/snmpd.conf

Start snmpd service

service snmpd start

Configure snmp to start on system boot.

chkconfig snmpd on

Test and make sure snmp is working

Replace “password” and “privuser” with the ones you set up when you created the SNMP V3 user.

snmpwalk -v3 -a MD5 -A password -x DES -X password -l authPriv -u privuser localhost

If you receive something like “snmpwalk: Timeout” then something is not working correctly.  Check to make sure the service is started, and make sure that your firewall is not blocking SNMP.

If you are running a firewall, run the following commands to allow it through.

firewall-cmd --zone=public --add-port=161/udp --permanent
semanage port -a -t snmp_port_t -p udp 161
firewall-cmd --reload

On iptables you should be able to do

 iptables -A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT

or add it to /etc/sysconfig/iptables and then restart iptables

SNMP and Shell Script

First you will need to make sure SNMP is installed.

apt-get install snmpd snmp snmp-mibs-downloader

You’ll need to configure a new snmpd.conf file with

snmpconf

Run through the steps and when you’re done, replace your current snmpd.conf file in /etc/snmp/ with the new one.

Now open up your new snmpd.conf file

vi /etc/snmp/snmpd.conf

and add the following to the bottom of the file.

extend myshscript /path/to/your.sh

Save and close the file and restart the snmpd service.

service snmpd restart

Now we need to find the OID of our new data point.  Do this by running

snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2

It should display something similar to the following.

root@localhost:/etc/snmp# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2
iso.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.2.4.118.111.108.116 = STRING: "/etc/snmp/volt.sh"
iso.3.6.1.4.1.8072.1.3.2.3.1.4.4.118.111.108.116 = INTEGER: 0
iso.3.6.1.4.1.8072.1.3.2.4.1.2.4.118.111.108.116.1 = STRING: "14.3"
root@localhost:/etc/snmp#

The OID we are interested in is the one on the last line.  If you run a snmpwalk command with the OID you should get your data point.

root@localhost:/etc/snmp# snmpwalk -v2c -c public localhost 1.3.6.1.4.1.8072.1.3.2.4.1.2.4.118.111.108.116.1
iso.3.6.1.4.1.8072.1.3.2.4.1.2.4.118.111.108.116.1 = STRING: "14.3"
root@localhost:/etc/snmp#

All that’s left is to add the OID to your SNMP monitor.  If you run into issues with your SNMP server not monitoring the OID, you might need to do what I did in the above command: replace the beginning of the OID “iso.” with a “1.”.
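The OID in the walk output can also be computed rather than looked up, since the table index is the extend name encoded as its length followed by the ASCII code of each character, then the output line number. The following is an added example, not part of the original post; the function names extend_oid and extend_name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Maps an "extend" name to the OID
# of its output lines and back. The index is <length>.<ASCII codes>.<line>.
NS_EXTEND_OUT_LINE=1.3.6.1.4.1.8072.1.3.2.4.1.2   # prefix seen in the walk output

extend_oid() {      # usage: extend_oid NAME [LINE]
    name=$1
    line=${2:-1}
    oid="$NS_EXTEND_OUT_LINE.${#name}"
    rest=$name
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}              # first remaining character
        rest=${rest#?}
        oid="$oid.$(printf '%d' "'$c")"    # append its ASCII code
    done
    printf '%s.%s\n' "$oid" "$line"
}

extend_name() {     # usage: extend_name OID  (accepts "iso." or a leading ".")
    idx=$(printf '%s\n' "$1" | sed -e 's/^iso\./1./' -e 's/^\.//' \
                                   -e "s/^$NS_EXTEND_OUT_LINE\.//")
    printf '%s\n' "$idx" | awk -F. '{
        n = $1; s = ""
        for (i = 2; i <= n + 1; i++) s = s sprintf("%c", $i + 0)
        print s }'
}

# OID for the first output line of the "extend myshscript" entry added above.
extend_oid myshscript 1
```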

 

Basic snmpwalk Commands

An snmpwalk basically allows you to walk out all the SNMP OIDs for a device.  The following command shows all SNMP data that can be acquired on “localhost”.  You can change “localhost” to an IP address or hostname if you want to view SNMP data on a remote machine.

snmpwalk -v 2c -c public localhost

The above command starts an snmpwalk against “localhost”, using SNMP version “2c”, and the community string “public”.  You should change the SNMP version and community string to whatever you have set up on your network.

If you just want to view one OID then you can just append that OID to the end of the above command.

snmpwalk -v 2c -c public 192.168.1.58 1.2.840.10036.3.1.2.1.4