This post first appeared on Redhat’s Enable Sysadmin community.
Simple Network Management Protocol, or SNMP, has been around since 1988. While initially intended as an interim protocol as the Internet was first being rolled out, it quickly became a de facto standard for monitoring — and in some cases, managing — network equipment. Today, SNMP is used across most networks, small and large, to monitor the very equipment you likely passed through to get to this blog entry.
There are three primary flavors of SNMP: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 is, by far, the most popular flavor, despite being considered obsolete due to a complete lack of discernible security. This is likely because SNMPv1 is simple and is generally used inside the network rather than exposed to the outside world.
The problem, however, is that SNMPv1 and SNMPv2c are unencrypted and even the community string used to “authenticate” is sent in the clear. An attacker can simply listen on the wire and grab the community as it passes by. This gives the attacker access to valuable information on your various devices, and even the ability to make changes if write access is enabled.
But wait, you may be thinking, what about SNMPv3? And you’re right, SNMPv3 *can* be more secure by using authentication and encryption. However, not all devices support SNMPv3 and thus interoperability becomes an issue. At some point, you’ll have to drop down to SNMPv2c or SNMPv1 and you’re back to the “in the clear” issue.
Despite the security shortcoming, SNMP can still be used without compromising the security of your server or network. Much of this security will rely on limiting use of SNMP to read-only and using tools such as iptables to limit where incoming SNMP requests can source from.
To keep things simple, we’ll worry about SNMPv1 and SNMPv2c in this article. SNMPv3 requires some additional setup and, in my opinion, isn’t worth the hassle. So let’s get started with setting up SNMP.
First things first, install the net-snmp package. This can be installed via whatever package manager you use. On the Redhat based systems I use, that tool is yum.
$ yum install net-snmp
Next, we need to configure the SNMP daemon, snmpd. The configuration file is located at /etc/snmp/snmpd.conf. Open this file in your favorite editor (vim FTW!) and modify it accordingly. For example, the following configuration enables SNMP, exposes a few specific MIB subtrees through a read-only view, and enables disk monitoring.
################################################################################
# AGENT BEHAVIOUR

agentaddress udp:0.0.0.0:161

################################################################################
# ACCESS CONTROL

# ------------------------------------------------------------------------------
# Traditional Access Control
# ------------------------------------------------------------------------------
# VACM Configuration

#       sec.name        source          community
com2sec notConfigUser   default         mysecretcommunity

#       groupName       securityModel   securityName
group   notConfigGroup  v1              notConfigUser
group   notConfigGroup  v2c             notConfigUser

#       name            incl/excl       subtree                         mask(optional)
view    systemview      included        .1.3.6.1.2.1.1
view    systemview      included        .1.3.6.1.2.1.2.2
view    systemview      included        .1.3.6.1.2.1.25
view    systemview      included        .1.3.6.1.4.1.2021
view    systemview      included        .1.3.6.1.4.1.8072.1.3.2.4.1.2

#       group           context sec.model sec.level prefix read       write  notif
access  notConfigGroup  ""      any       noauth    exact  systemview none   none

# ------------------------------------------------------------------------------
# Typed-View Configuration

################################################################################
# SYSTEM INFORMATION

# ------------------------------------------------------------------------------
# System Group
sysLocation    The Internet
sysContact     Internet Janitor
sysServices    72
sysName        myserver.example.com

################################################################################
# EXTENDING AGENT FUNCTIONALITY

###############################################################################
## Logging
##
## We do not want annoying "Connection from UDP: " messages in syslog.
## If the following option is set to 'no', snmpd will print each incoming
## connection, which can be useful for debugging.

dontLogTCPWrappersConnects no

################################################################################
# OTHER CONFIGURATION

disk / 10%
disk /var 10%
disk /tmp 10%
disk /home 10%
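The access-control lines above (com2sec, group, view, access) are where a read-only, single-community setup goes wrong in practice. This added example, which is not code from the original post, lints those directives for the weak settings the post warns about: default community strings, write views, SNMPv1 enabled, and a listener or community that is open to any source and therefore depends entirely on the firewall. Only the directives used in the sample config are understood.

```python
# Added example (not code from the original post): lint the access-control lines of
# an snmpd.conf for settings that weaken an SNMPv1/v2c deployment. Only the
# directives used in the post's sample config are understood.
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}  # shipped defaults that scanners try first


def audit_snmpd_conf(text: str) -> list[str]:
    """Return human-readable findings, one per weak directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside values)
        if not line:
            continue
        fields = shlex.split(line)  # keeps the "" context of access lines as an empty field
        directive, args = fields[0].lower(), fields[1:]
        if directive == "agentaddress" and any("0.0.0.0" in a or "[::]" in a for a in args):
            findings.append(f"line {lineno}: agent listens on all interfaces; rely on the firewall")
        elif directive == "com2sec" and len(args) >= 3:
            secname, source, community = args[:3]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"line {lineno}: default community '{community}' for {secname}")
            if source == "default":
                findings.append(f"line {lineno}: {secname} accepts any source address; restrict it")
        elif directive == "group" and len(args) >= 3 and args[1].lower() == "v1":
            findings.append(f"line {lineno}: group {args[0]} enables obsolete SNMPv1")
        elif directive == "access" and len(args) >= 7 and args[6].lower() != "none":
            findings.append(f"line {lineno}: group {args[0]} has write access via view '{args[6]}'")
    return findings


# Constructed, trimmed copy of the post's sample config (access-control lines only).
SAMPLE_CONF = """\
agentaddress udp:0.0.0.0:161
com2sec notConfigUser default mysecretcommunity
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
access notConfigGroup "" any noauth exact systemview none none
"""

# Constructed weaker variant: default community plus a write view.
WEAK_CONF = SAMPLE_CONF.replace("mysecretcommunity", "public").replace(
    "systemview none none", "systemview systemview none")

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(f"{name}:")
        for finding in audit_snmpd_conf(conf):
            print("  " + finding)
```

Run it against your real /etc/snmp/snmpd.conf; a clean read-only setup behind iptables should report only the all-interfaces and any-source findings, which the firewall rules below are there to cover.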
Next, before you start up snmpd, make sure you configure iptables to allow SNMP traffic from trusted sources only. SNMP uses UDP port 161, so all you need is a simple rule to allow traffic to pass. Be sure to add an outbound rule as well; UDP traffic is stateless. Note that the ACCEPT rule only restricts access if the INPUT chain's default policy is DROP, or a later rule drops the remaining UDP 161 traffic; otherwise any host can still reach snmpd.
iptables -A INPUT -s <ip addr> -p udp -m udp --dport 161 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 161 -j ACCEPT
You can set this up in firewalld as well, just search for SNMP and firewalld on Google.
Now that SNMP is set up, you can point an SNMP client at your server and pull data. You can pull data via the name of the MIB (if you have the MIB definitions installed) or via the OID.
$ snmpget -c mysecretcommunity myserver.example.com hrSystemUptime.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (6638000) 18:26:20.00
$ snmpget -c mysecretcommunity myserver.example.com .1.3.6.1.2.1.25.1.1.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (6638000) 18:26:20.00
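The "sent in the clear" point made earlier is easy to see on the wire. This added example, which is not code from the original post, hand-encodes the same SNMPv2c GetRequest that the snmpget above sends for hrSystemUptime.0 and then decodes the version and community back out of the bytes, which is all a passive monitor on the path needs to spot v1/v2c traffic or default community strings. It assumes short-form BER lengths (under 128 bytes), which is enough for a GetRequest.

```python
# Added example (not code from the original post): a minimal BER encoder/decoder for
# SNMPv1/v2c messages, showing that the community string sits in the packet as
# plain bytes. Short-form lengths (< 128 bytes) are assumed, enough for a GetRequest.

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body


def _int(n: int) -> bytes:  # non-negative INTEGER, minimal two's-complement length
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """Encode a GetRequest; version 0 is SNMPv1, 1 is SNMPv2c (same wire format)."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # OID paired with a NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int = 0):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "short-form length only"
    return tag, buf[pos + 2: pos + 2 + length], pos + 2 + length


def inspect_message(pkt: bytes) -> dict:
    """Decode version and community (what a passive monitor on the wire can read)."""
    tag, body, _ = _read_tlv(pkt)
    assert tag == 0x30, "not an SNMP message"
    vtag, vbody, pos = _read_tlv(body)
    version = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}.get(int.from_bytes(vbody, "big"), "unknown")
    if version == "SNMPv3":  # next element is msgGlobalData, not a community
        return {"version": version, "community": None}
    ctag, cbody, _ = _read_tlv(body, pos)
    assert vtag == 0x02 and ctag == 0x04, "unexpected message layout"
    return {"version": version, "community": cbody.decode(errors="replace")}
```

Feed inspect_message() the UDP payloads from a capture on port 161 and you have the basis of a detector for v1/v2c requests, or for the default communities the audit above flags, reaching hosts that should only be polled by your trusted sources.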
And that’s about it. It’s called SIMPLE Network Management Protocol for a reason, after all.
One additional side note about SNMP: while SNMP is pretty solid, its security shortcomings are significant. I recommend looking at other solutions, such as agent-based systems, rather than SNMP. Tools like Nagios and Prometheus have more secure mechanisms for monitoring systems.