Collecting precise information about servers and infrastructure is one of the tasks of a system administrator. There are numerous tools for dealing with this information, many of which are built on SNMP.
SNMP stands for Simple Network Management Protocol. It is a way for servers to share information about their state, and also a channel through which an administrator can modify pre-set values. Even though the protocol itself is lightweight, the structure of programs that implement SNMP can be a little complex.
In this tutorial you will configure the tools to communicate through SNMP. You will use two Ubuntu 18.04 servers to demonstrate. One will be called the manager server and will run the SNMP manager, which talks to the agent to manage network devices. The other, called the agent server, will act on the orders from the manager server.
All you will need to follow this tutorial is two Ubuntu 18.04 servers with a non-root user with sudo privileges and a firewall configured with
Step 1 - Installing the SNMP Daemon and Utilities
You can start exploring how SNMP is implemented on a system by installing the daemon and tools on your Ubuntu servers.
From a local machine, log into the manager server as the non-root user:
Update the package index for the APT package manager:
sudo apt update
Next, install the SNMP software:
sudo apt install snmp snmp-mibs-downloader
The snmp package provides a collection of command line tools for issuing SNMP requests to agents. The snmp-mibs-downloader package helps install and manage MIB (Management Information Base) files, which keep track of network objects.
Then, open a new terminal on the local machine and log into the agent server:
Update the package index:
sudo apt update
Then install the SNMP daemon:
sudo apt install snmpd
You don’t need the snmp-mibs-downloader package, since the agent server won’t be managing MIB files.
Once you have installed these components, you will configure your manager server.
Step 2 - Configuring the SNMP Manager Server
On your manager server, open the /etc/snmp/snmp.conf file in a text editor with sudo privileges. This tutorial uses nano:
sudo nano /etc/snmp/snmp.conf
The file contains a few comments and a single uncommented line. Comment out the mibs : line to allow the manager to import MIB files:
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
After that, save and close the snmp.conf file by pressing ctrl+x followed by ENTER (if you are also using nano).
You are now done configuring the manager server, but you will still use it to help configure the agent server, which is the next step.
Step 3 - Configuring the SNMP Agent Server
To start, open the daemon’s configuration file with sudo privileges:
sudo nano /etc/snmp/snmpd.conf
Inside the file, you will have to make some changes. They will be mainly used to bootstrap the configuration so that you will be able to manage it from another server.
First, change the agentAddress directive. Currently, it is set to only allow connections from the local computer. Comment out the current line, and uncomment the line underneath, which allows connections on all interfaces.
#  Listen for connections from the local system only
#  Listen for connections on all interfaces (both IPv4 and IPv6)
When you define a new user, you must specify the authentication type (MD5 or SHA) and supply a passphrase that must be at least eight characters long. If you plan to use encryption for the transfer, you must also specify the privacy protocol and, optionally, a privacy protocol passphrase. If no privacy protocol passphrase is supplied, the authentication passphrase will be used for the privacy protocol as well.
Add the following createUser line to the end of the file:
...
createUser bootstrap MD5 temp_password DES
Now you will have to make some other changes in the file:
...
rwuser bootstrap priv
rwuser demo priv
After this, save and close the file.
Apply the changes by restarting the snmpd service on your agent server:
sudo systemctl restart snmpd
The SNMP daemon will listen for connections on port :161. Set up UFW to allow connections from the manager server to this port:
sudo ufw allow from manager_server_ip_address to any port 161
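The following check is an added example, not part of the original tutorial or of net-snmp: it reviews the snmpd.conf directives edited in this step and reports MD5/DES users, users not required to use priv, SNMPv1/v2c community strings, and every non-loopback listener. The function names and the embedded sample configuration are constructed for illustration, and the parser assumes the simple directive forms shown on this page.

```shell
#!/bin/sh
# Added example (not from the tutorial): review the snmpd.conf lines Step 3 edits.
# Assumes the simple directive forms used on this page (no -e / -s options).

audit_snmpd_conf() {   # $1 = path to snmpd.conf; prints one finding per line
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 == "createUser" {                  # createUser NAME AUTH PASS [PRIV [PASS]]
            if ($3 == "MD5")    print "WEAK_AUTH " $2 " uses MD5"
            if ($5 == "DES")    print "WEAK_PRIV " $2 " uses DES"
            if ($5 == "")       print "NO_PRIV_PROTO " $2
            if (length($4) < 8) print "SHORT_PASSPHRASE " $2
        }
        ($1 == "rwuser" || $1 == "rouser") && $3 != "priv" {
            # net-snmp defaults the minimum level to auth when none is given
            print "PRIV_NOT_REQUIRED " $2 " level=" ($3 == "" ? "auth" : $3)
        }
        $1 ~ /^r[ow]community6?$/ { print "COMMUNITY_STRING " $1 " enables SNMPv1/v2c" }
        $1 == "agentAddress" {                # flag every non-loopback listener
            n = split($2, addr, ",")
            for (i = 1; i <= n; i++)
                if (addr[i] !~ /127\.0\.0\.1|\[::1\]|localhost/)
                    print "NON_LOOPBACK_LISTENER " addr[i]
        }
    ' "$1"
}

make_sample_conf() {   # constructed sample modelled on this tutorial; prints its path
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
#  Listen for connections from the local system only
#agentAddress  udp:127.0.0.1:161
#  Listen for connections on all interfaces (both IPv4 and IPv6)
agentAddress udp:161,udp6:[::1]:161
rocommunity public default -V systemonly
createUser bootstrap MD5 temp_password DES
rwuser bootstrap priv
rwuser demo priv
EOF
    echo "$_f"
}

sample=$(make_sample_conf)
audit_snmpd_conf "$sample"
rm -f "$sample"
```

On the sample, the only listener reported is udp:161, because the udp6:[::1]:161 entry binds IPv6 to loopback only.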
Step 4 - Verifying Authentication to the Agent Server
Now you will test to ensure you can connect with your bootstrap account to the agent server. Before that, however, we will talk about the general structure of sending an SNMP command.
When using the suite of tools included in the snmp package (the net-snmp software suite), there are some patterns in the way you must call the commands. First of all you will have to authenticate with the SNMP daemon that you want to communicate with. This usually involves supplying some pieces of information. The common ones are as follows:
-v: This is used to specify the version of the SNMP protocol that you would like to use.
-c: This flag is used if you are using SNMP v1 or v2-style community strings for authentication.
-u: This parameter is used to specify the username that you wish to authenticate as. To read or modify anything using SNMP, you must authenticate with a known username.
-l: This is used to specify the security level that you are connecting with. The possible values are noAuthNoPriv for no authentication and no encryption, authNoPriv for authentication but no encryption, and authPriv for authentication and encryption. The username that you are using must be configured to operate at the security level you specify, or else the authentication will not succeed.
-a: This parameter is used to specify the authentication protocol that is used. The possible values are MD5 or SHA. This must match the information that was specified when the user was created.
-x: This parameter is used to specify the encryption protocol that is used. The possible values are DES or AES. This must match the information that was specified when the user was created. This is necessary whenever the user’s privilege specification has priv after it, making encryption mandatory.
-A: This is used to give the authentication passphrase that was specified when the user was created.
-X: This is the encryption passphrase that was specified when the user was created. If none was specified but an encryption algorithm was given, the authentication passphrase will be used. This is required when the -x parameter is given or whenever a user’s privilege specification has a priv after it, requiring encryption.
With this information, you will be able to construct your commands. Given how you set up the bootstrap user, the commands you will be using with that account will look like this:
snmp_command -u bootstrap -l authPriv -a MD5 -x DES -A temp_password -X temp_password remote_host snmp_sub_command_or_options
From the manager server, test to ensure your bootstrap account is available. Type the following to display the system information for the agent server:
snmpget -u bootstrap -l authPriv -a MD5 -x DES -A temp_password -X temp_password agent_server_ip_address 1.3.6.1.2.1.1.1.0
This will result in the following output:
SNMPv2-MIB::sysDescr.0 = STRING: Linux agent 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64
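Passphrases given with -A and -X end up in shell history and are visible in the process list while the command runs. The added example below, which is not part of the original tutorial, writes the same credentials to a per-user snmp.conf using net-snmp's default-value directives, with owner-only permissions; the function name write_snmp_client_conf and the temporary directory are hypothetical, and net-snmp tools read the per-user file from ~/.snmp/snmp.conf.

```shell
#!/bin/sh
# Added example (not from the tutorial): store the Step 4 credentials in a
# per-user snmp.conf so they are not typed as -A/-X arguments.

# Usage: write_snmp_client_conf DIR USER AUTH_PROTO PRIV_PROTO
# Reads the auth passphrase, then the privacy passphrase, one per line on stdin.
write_snmp_client_conf() {
    dir=$1 user=$2 auth=$3 priv=$4
    IFS= read -r auth_pass || return 1
    IFS= read -r priv_pass || true
    # Same fallback the tutorial describes: reuse the auth passphrase
    [ -n "$priv_pass" ] || priv_pass=$auth_pass
    if [ "${#auth_pass}" -lt 8 ] || [ "${#priv_pass}" -lt 8 ]; then
        echo "passphrases must be at least eight characters" >&2
        return 1
    fi
    (
        umask 077                       # new dir 0700, new file 0600
        mkdir -p "$dir" || exit 1
        cat > "$dir/snmp.conf" <<EOF
defVersion 3
defSecurityName $user
defSecurityLevel authPriv
defAuthType $auth
defPrivType $priv
defAuthPassphrase $auth_pass
defPrivPassphrase $priv_pass
EOF
        chmod 600 "$dir/snmp.conf"      # tighten a pre-existing file too
    )
}

# Demo in a throwaway directory; on a real manager DIR would be "$HOME/.snmp".
demo_dir=$(mktemp -d)
printf '%s\n' temp_password temp_password |
    write_snmp_client_conf "$demo_dir/.snmp" bootstrap MD5 DES
ls -l "$demo_dir/.snmp/snmp.conf"
rm -rf "$demo_dir"
```

With the file in place under ~/.snmp, the earlier query shortens to snmpget agent_server_ip_address 1.3.6.1.2.1.1.1.0.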
Step 5 - Setting Up the Regular User Account
On the manager server, you will be able to create the user from the template through the snmpusm tool and the following general syntax:
snmpusm authentication_info agent_server_ip_address create new_user existing_user
With the authentication flags you need to pass, and leveraging the user account you already have, you can make a user that fits the user privileges you have already defined.
The command will be something like this:
snmpusm -u bootstrap -l authPriv -a MD5 -x DES -A temp_password -X temp_password agent_server_ip_address create demo bootstrap
And you should get the following message:
User successfully created.
Now you will have to change the password. Remember that it must be at least eight characters long:
snmpusm -u demo -l authPriv -a MD5 -x DES -A temp_password -X temp_password agent_server_ip_address passwd temp_password new_password
You will then get the following message:
SNMPv3 Key(s) successfully changed.
Now you have a fully configured client-server setup that can communicate safely using the SNMP protocol.