Saturday, March 5, 2016

SNMP v3 Configuration in CentOS or RHEL 6

Good evening IT Pros!

Tonight’s post is a quick overview of setting up a simple SNMP v2c community and SNMP v3 read only user in CentOS v6.x or Red Hat Enterprise Linux (RHEL) v6. I'm not going to get into the nitty gritty of every single line in the config file or the "why". The purpose of this post is to at least lead you in the right direction with getting a 'more secure' SNMP configuration set up in your environment on your CentOS/RHEL servers. There is always a better security configuration out there.

I’ll post a follow up on how to get this done in CentOS/RHEL v7 at a later time. This article assumes that you are somewhat familiar with how to execute shell commands and work with the vim text editor. I also assume that the following is set up:
  • SELinux is enabled and the firewall is enabled too, so it is probably not allowing SNMP traffic in/out of the server.
  • You have SUDO and/or ROOT access to the server.
  • Net-SNMP is not installed yet.
Configuring and setting up SNMP is very straightforward. I will describe the process by the following steps:
  1. Install Net-SNMP using the yum package manager.
  2. Create an SNMP configuration file.
  3. Create your SNMPv3 user.
  4. Allow SNMP traffic through the firewall.
  5. Ensure the SNMP daemon starts at boot time.
  6. Profit.
So let’s get started!

Install net-snmp

If SNMP is not yet installed on your server, execute the following shell command:

sudo yum -y install net-snmp net-snmp-utils

Create an SNMP configuration file

When net-snmp is installed on the machine, a sample/default file is created. Let's move that file to a new location because we are not going to use it. Execute,

sudo mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

Next, let's create a new file from scratch:

sudo vim /etc/snmp/snmpd.conf

Hit 'i' to enter insert mode, then enter in the following text:

# Basic SNMP Community Information
# Note Source IPs. Enter in your own IPs that will be allowed to communicate with the service.
# It is recommended to allow localhost so you can run tests with snmpwalk.
# Otherwise omit localhost if it is not needed.
# You can list allowed subnets if you wish. Example below.
# (Replace the <PLACEHOLDER> values with your own addresses.)
#           Community.Name  Source.IP.Allowed
rocommunity public          127.0.0.1
rocommunity public          <MONITORING_SERVER_IP>
#rocommunity public         <ALLOWED_SUBNET/CIDR>

# Optional location information
syslocation MyLocation

# Optional contact information
syscontact Super User <>

# SNMP v3 User Information

** Note that the last line is commented out by the '#' and there is nothing in the SNMP v3 User Information section yet. Also, do NOT use "public". Define your own community name.

Save the file and exit by hitting Esc, then :wq to save and quit.

Reload the SNMP configuration then restart the service by executing in order:

sudo service snmpd reload
sudo service snmpd restart

At this point, SNMP v2c communities are set up and running. However we still need to create the SNMP v3 user and allow the traffic through the firewall for remote hosts (such as your SolarWinds, SCOM, or Nagios server).

Create the SNMP v3 User

The read only SNMP v3 user we are going to create in this example defines three things:
  • snmpv3User = Rename this to the user name you desire.
  • snmpv3authentication = Define your user authentication key here.
  • snmpv3privacy = Define your privacy key here.
Execute the following commands in order to create your user:

sudo service snmpd stop
sudo net-snmp-create-v3-user -ro -A snmpv3authentication -a SHA -X snmpv3privacy -x AES snmpv3User
sudo service snmpd reload
sudo service snmpd restart

** This specific user, with these specific options, is set up with SHA authentication and AES 128-bit privacy.
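As an added example that is not part of the original post, the following POSIX shell function audits a finished snmpd.conf for the two things the community section above warns about (a default community name and a rocommunity line with no source restriction) and checks that a v3 user line exists. It also flags a rouser line that has no explicit security level, because net-snmp-create-v3-user writes `rouser snmpv3User` and net-snmp's default minimum level for that is auth, not priv. The function name and the sample configs in the test are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an snmpd.conf for
# weak v1/v2c community settings and for the presence of an SNMPv3 user.
# Usage: audit_snmpd_conf /etc/snmp/snmpd.conf
# Prints one line per finding; returns the number of findings (0 = clean).

audit_snmpd_conf() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }

        # v1/v2c communities: rocommunity NAME [SOURCE [OID | -V VIEW]]
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if ($2 == "public" || $2 == "private")
                { print "line " NR ": default community name \"" $2 "\""; n++ }
            if (NF < 3 || $3 == "default")
                { print "line " NR ": " $1 " " $2 " accepts requests from any source"; n++ }
            if ($1 == "rwcommunity")
                { print "line " NR ": write community " $2 " configured"; n++ }
            next
        }

        # v3 users: rouser NAME [noauth|auth|priv]; the default level is auth
        $1 == "rouser" || $1 == "rwuser" {
            v3++
            if (NF < 3 || $3 != "priv")
                { print "line " NR ": v3 user " $2 " does not require encryption (add priv)"; n++ }
            next
        }

        END {
            if (v3 == 0) { print "no SNMPv3 rouser/rwuser defined"; n++ }
            exit n
        }
    ' "$1"
}

# Run against a real file when a path is given on the command line, e.g.:
#   sh audit_snmpd.sh /etc/snmp/snmpd.conf
if [ -n "${1:-}" ]; then
    audit_snmpd_conf "$1" || echo "$? finding(s)"
fi
```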

The core configuration for SNMP v2c communities and your v3 user is now set up. Let's finish this exercise by creating the firewall rules to allow the monitoring traffic in/out.

Create an IPTABLES rule to allow SNMP traffic

Execute the following commands,

sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT

** This iptables rule allows SNMP communication from ALL inbound IP addresses; the source restrictions on the rocommunity lines in snmpd.conf are what limit who can actually query. Note that a rule added with -A is not kept across a reboot unless you save it (service iptables save on RHEL 6).

Set SNMP to Run at Boot Time

Finally execute,

sudo chkconfig snmpd on

From this point, you can add your CentOS/RHEL server to your monitoring system via SNMP v2c (using the community name you selected) or via the SNMP v3 user you created.

Next, I'll post the instructions for CentOS/RHEL 7 since the commands are completely different thanks to the changes to firewalld and systemd.

- Joe