How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus (bestmonitoringtools.com)
Enter configuration mode
enable conf t
Everything in bold you should look at changing.
snmp-server view ViewDefault iso include snmp-server group GroupName v3 priv read ViewDefault snmp-server location address snmp-server user MyUsername GroupName v3 auth sha AuthPass1 priv aes 128 PrivPass
Exit and save changes
exit write
Now we can verify the snmp details with
show snmp
With support for DES being dropped, you may be faced with having to upgrade device settings to AES. In this post we’ll explore changing the settings in LibreNMS for all Mikrotik devices and then touch on making changes to a group of Mikrotik devices.
In LibreNMS, we can go to Device -> Device Settings (Gear on the right hand side) -> SNMP, to set the SNMP settings for that device.
Since this would get rather boring to change on multiple devices, and these settings are all in a MySQL database, we can skip using the mouse and use a few MySQL commands to update multiple devices at once.
Log into the LibreNMS server over ssh and then connect to the MySQL database
mysql -u librenms -p librenms
First we can get a list of all the devices (Mikrotik routers in this example) and show the hostname with the SNMP authentication and cryptography algorithms.
select hostname,authalgo,cryptoalgo from devices where os="routeros";
Now if we want to update the cryptography settings for all of our Mikorotik devices, we can do the following.
update devices cryptoalgo set cryptoalgo="AES" where os="routeros";
This will set all of the devices to use AES for the cryptography algorithm.
We can also change the authentication algorithm to SHA with this
update devices authalgo set authalgo="SHA" where os="routeros";
The bottom “script” can be used for changing SNMP settings on multiple Mikrotik devices.
Create a mikrotik.lst file with all the IP addresses of all the devices you need to update. Can you use the above MySQL commands to get a list from LibreNMS.
Change the following options in the script
for ip in `cat mikrotik.lst`
do
echo $ip
timeout 15 sshpass -p 'routerpassword' ssh -o StrictHostKeyChecking=no admin@${ip} -p1022 '/snmp community set addresses=192.168.0.0/16 authentication-protocol=SHA1 authentication-password=authpassword encryption-protocol=AES encryption-password=encryptionpassword security=private read-access=yes write-access=no SNMPname'
done
Copy and paste the above “code” in a shell script file.
nano mikrotik.sh chmod +x mikrotik.sh ./mikrotik.sh
The script should run and update all the SNMP settings on all the devices in mikrotik.lst
Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.
First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with
Alternatively, you can copy and paste the following sed commands instead of manually editing the file.
sudo sed -i 's/^rocommunity/# rocommunityc/g' /etc/snmp/snmpd.conf sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf
We can create a SNMP v3 user with the following command. There it will ask you for the username and passwords.
sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES
You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.
Now we can start SNMPD
sudo systemctl start snmpd
My created user is not working! This could result from two different issues.
These steps should be similar across Red Hat type distros.
Before we proceed, lets stop SNMP
sudo systemctl stop snmpd
First we are going to disable SNMP v1 and v2c
You can manually edit the /etc/snmp/snmpd.conf file and comment out or delete every line starting with com2sec, group, access. Or you can run the following sed commands to change it for you.
sudo sed -i 's/^com2sec/# com2sec/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^group/# group/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^access/# access/g' /etc/snmp/snmpd.conf
https://serverfault.com/questions/376688/how-to-disable-version-1-and-version-2c-in-snmpd
Follow the prompts to create a SNMP v3 user.
sudo net-snmp-create-v3-user -ro -a SHA -x AES
Start SNMP
sudo systemctl start snmpd
You should be good to go.
If you are running a firewall, you will need to allow an exception for SNMP, UDP port 161. You may also need to allow an SELinux exception. Check out the last portion of both these articles.
Change AuthPass and CryptoPass to their respective passwords.
If needed, change MD5 to SHA1 and DES to AES.
snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost
The following works for setting the snmpv3 configuration on cambium 450i 900’s. Once applied it’ll run change the SNMP settings and reboot the radio.
You’ll need to find the hashed password which can be found in a config backup.
Change the SNMP username/community as needed.
{
"userParameters": {
"snmpConfig": {
"user2Group": 0,
"snmpv3EngineId": "007000a9840a003e464e7a",
"rwAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"commStringROnly": "rocommunitystring2",
"user2PrivPassword": "",
"user1AuthPassword": "",
"snmpv3AuthProt": 0,
"snmpv3TrapEnable": 0,
"snmpv3PrivProt": 0,
"snmpMibPerm": 1,
"roAuthPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"commStringRW": "communitystring",
"userGroup1": 0,
"user1Enable": 0,
"snmpv3SecLvl": 2,
"user2Enable": 0,
"rwUserName": "Canopy",
"roUserName": "snmpv3user",
"roPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"userName1": "",
"snmpPort": 161,
"rwUserEnable": 0,
"trapDomainNameAppend": 0,
"rwPrivPasswordEncrypted": "3e5h24a694a515e81abb6b25986cea91",
"user1PrivPassword": "",
"userName2": "",
"user3PrivPassword": "",
"user2AuthPassword": "",
"userName3": "",
"user3Enable": 0,
"snmpTrapPort": 162,
"user3AuthPassword": "",
"user3Group": 0,
"trapDelayAfterBootup": 5,
"snmpIpAccessFilter": [
{
"address": "192.168.0.0",
"netmask": 24
},
{
"address": "10.0.1.0",
"netmask": 24
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
},
{
"address": "0.0.0.0",
"netmask": 0
}
],
"snmpTrapAddresses": [
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0"
]
},
}
Setting up SNMP via WinBox is straight forward, the following commands are how to set it up from the command line with some troubleshooting info at the end.
Setup Community (Change v3Private,encpass, and authpass to their respective names or passwords)
snmp community add name=v3Private encryption-protocol=AES encryption-password=encpass authentication-protocol=SHA1 authentication-password=authpass security=private
Enable and set SNMP community (Trap Community needs to match the above command. Change contact and the location as needed.)
snmp set contact=admin@incredigeek.com location=DeviceLocation trap-community=V3Private
Sometimes, for no apparent reason it seems, routerOS will have issues using the default community. Work around is to create and use a new community.
Cannot connect with AES encryption
AES doesn’t always seem to work reliably. Seems to work on some and not other. Work around is to use DES.
Note that DES is deprecated on newer systems. For example, you will not be able to read the SNMP details on a router that uses DES from a machine running AlmaLinux 9. AES seems to be working fine now in 2023.
Log shows Permission Denied
Double check the allowed from addresses, user, and passwords
Don’t know if this is the recommended way to delete a user, but it seems to work.
sudo service snmpd stop
Open up the snmpd.conf file in /var/lib and find the line with the SNMP user and delete the line
sudo vi /var/lib/snmp/snmpd.conf
The above file may be in the following location on RPM based systems.
sudo vi /var/lib/net-snmp/snmpd.conf
Save, exit, and start snmpd
sudo service snmpd start
These steps work for Ubuntu, but should work for any Debain based distro as well as CentOS, Fedora, RedHat etc.
Where AuthPass is your SNMPv3 Authorization password and CryptoPass is your SNMPv3 Encryption password.
snmpwalk -v3 -a MD5 -A AuthPass -x DES -X CryptoPass -l authPriv -u privUser localhost
If your not using encryption you should be able to drop the “-x des” and “-X CryptoPass” option, and change the “-l” option “authPriv” to “authNoPriv”
SSH into the VMware server
ssh root@vmwareserver
Set the auth and priv types
esxcli system snmp set -a MD5 -x AES128
Generate hashes
The hashes are needed to create the user. Replace authpass and privhash to the password you want.
esxcli system snmp hash --auth-hash authpass --priv-hash privhash --raw-secret
Create user
Replace authhash and privhash with the auth and priv hashes returned from the above command.
esxcli system snmp set -e yes -C contact@incredigeek.com -u snmpuser/authhash/privhash/priv
Single line Command
Change authpassword and privpassword to your authentication and private passwords.
authpass="authpassword" && privpass="privpassword" && esxcli system snmp set -a MD5 -x AES128 && esxcli system snmp hash --auth-hash ${authpass} --priv-hash ${privpass} --raw-secret && esxcli system snmp set -e yes -C ${contact} -u snmpuser/${authhash}/${privhash}/priv
View SNMP Configuration
esxcli system snmp get