Talk to a Security Expert Now: (800) 721-9177

Simple Network Management Protocol – SNMPv3

SNMP, or Simple Network Management Protocol, has been the go-to management protocol of choice for years. As its name declares, it is a simple and efficient way to monitor hosts. Most everything is SNMP capable these days, from servers to switches, and from firewalls to routers. Even most UPS’s and A/C units have it built in. Most installs of SNMP default to SNMPv2, which is dated technology. In 2004, SNMPv3 was introduced as a replacement for v2, touting increased security and better remote configuration. In an SNMPv2 setup, community strings (passwords) and data float by in plain text, allowing anyone in the right spot on the network to capture them. Once you have the community strings, you can query devices for information (and possibly make configuration changes!). SNMPv3 solves this problem by protecting the authentication handshake, and then encrypting all the SNMP data as it crosses the network.

In this quick how-to, I’ll show you how to setup SNMPv3 on a generic Debian Linux machine.

First, grab the snmpd package from apt:

 aptitude install snmpd

Right after SNMPD pulls down its dependencies and installs, stop the daemon:

 /etc/init.d/snmpd stop

Then we need to make a few configuration changes. For security reasons, SNMP only listens on the localhost interface by default. In order to monitor this Linux box remotely, we need to open that up. Crack open /etc/defaults/snmpd and edit the following line:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

to read

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'

Now we need to disable the default SNMPv2, and create a SNMPv3 user. Open up /etc/snmp/snmpd.conf and scroll down and comment out all the lines starting with com2sec in this section:

#       sec.name  source          community
#com2sec paranoid  default         public
#com2sec readonly  default         public
#com2sec readwrite default         private

Since we just ‘disabled’ SNMPv2, we need to enable v3 and create a user. Use the command line utility, net-snmp-config to help to create a SNMPv3 user:

net-snmp-config --create-snmpv3-user -ro -A sadWFqeq3421 -X fferlGq5247 -a SHA -x  AES snmpv3user

-ro is read-only user
-A sadWFqeq3421 is the authentication passphrase
-X fferlGq5247 is the privacy passphrase
-a SHA is how the authentication passphrase will be stored (MD5 or SHA)
-x MD5 is how the SNMP data will be encrypted during transit (DES or AES)
snmpv3user is the name of our new user

And if the command went ok, the output should look like this:

adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmpv3user SHA "sadWFqeq3421" AES fferlGq5247
adding the following line to /usr/share/snmp/snmpd.conf:
rouser snmpv3user

Lets start up the SNMPD service again:

/etc/init.d/snmpd start

Lets do a quick test to make sure it all worked ok. From another machine with SNMP installed, we can issue a command like the following to query the remote Debian machine, with our new SNMPv3 user, to check the amount of ram installed:

snmpget -v 3 -u snmpv3user -l AuthPriv -x AES -a SHA -X fferlGq5247 -A sadWFqeq3421 10.0.0.45 1.3.6.1.4.1.2021.4.5.0

UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 516528 kB

Looks like it all went well! The output of the last command shows that the machine has 516,528 kB of RAM. For some added security, you can ACL the SNMP service to your query server with some quick iptables rules. These allow ssh from anywhere, SNMP from 10.0.0.42 (your query server) and established connections. Everything else gets dropped:

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.0.0.42/32 -p udp -m udp --dport 161 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

With a SNMPv3 setup, the authentication process and PDU’s (SNMP data) should be encrypted. No more ‘public’ community strings floating by in plain text. The best way to query those SNMP clients is to use a network management application (Cacti is free and a Redspin favorite).

Cacti-Graph
Happy Graphing!

Leave a Reply

Your email address will not be published. Required fields are marked *