Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.
First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with
- rouser authPriv <– “This may be the last line by default, we don’t need it”
Alternatively, you can copy and paste the following sed commands instead of manually editing the file.
sudo sed -i 's/^rocommunity/# rocommunityc/g' /etc/snmp/snmpd.conf sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf
Create SNMP v3 User
We can create a SNMP v3 user with the following command. There it will ask you for the username and passwords.
sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES
You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.
Now we can start SNMPD
sudo systemctl start snmpd
My created user is not working! This could result from two different issues.
- It appears that Debian/SNMP doesn’t like pass phrases with special characters. You can try using a different password or escaping the special characters in “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
- The user didn’t get added to /etc/snmp/snmpd.conf To fix, add “rouser snmpuser” (Change snmpuser to your snmp username) to the bottom of the config file.