Net-SNMP - How-to, Tips and Tricks

We recently setup opennms to monitor the status of a medium sized company with several Linux based servers. (opennms can monitor winows servers too.) The biggest challenge when setting up and configuring the system turned out not to be opennms itself, but rather snmp on servers.

SNMP - version 1,2c and 3

Setting up net-snmp version 1 and 2c is relatively easy but then, because of its poor security, you can only really use it on your internal or green network, and even then only if your assessment of attack from an internal sources low. (Be warned that research has shown that most attacks occur from the inside by employees.)

So the only real alternative is to use version 3 of snmp, with authentication and encryption of data. To monitor the server we installed net-snmp the standard on Linux boxes. The servers where running a mix of Redhat, Debian, Gentoo.

I found the net-snmp site full of information but really battled to get snmp version 3 running based on their documentation. Its not that there is a lot missing from their documentation, but it seems that the various distros implement thing differently and there are annoying small difference between the various versions of net-snmp that can result in many hours of fustration.

Basic how-to for setting up net-snmp with v 3 users and security

First, I will give a basic run down of how to setup net-snmp, and then list the lessons we learned. A general note: You can choose MD5/SHA for password encryption and DES for data encryption. We chose to use MD5 and DES. You can have a different passphrase for the data encryption and password encryption or have them the same. Most of the utilities will take the encryption passphrase to be the same as the password passphrase if it is left out.

1. install the snmp deamon on the server. This is something like "yum install net-snmp" for redhat and "apt-get install snmpd" for debian and "emerge net-snmp" for gentoo.
2. Some of the distributions require you to install the snmp utilities, such as snmpconf and snmpwalk separately. For redhat do a "yum install net-snmp-utils" and debian "apt-get install snmp" (note the missing "d" from "snmp") and "apt-get install libsnmp9-dev". Without the utilities its pretty difficult to test things.
3. Check to see if there is a /etc/snmpd.conf file, if so rename it /etc/snmpd.conf.example.
4. Generate a simple smnpd.conf file by running "snmpconf" command. If you don't have the command installed make sure you installed the snmp utilities package for you distro. This command will ask a couple of questions with simple menus and will allow you to setup a basic snmpd configuration. From here you can also setup your security requirements. We selected snmpd version 3 and entered the necessary information. You will be asked for a user, encryption type, security level (choose priv for encyption of information.), and OID level (just leave this blank for all.) Note this will setup the access rules for the user you specify but not the user itself.
5. Unless you are running a huge server-farm or data-centre with multiple operators and help-desk staff its easiest to setup a single readonly user. For security reasons we never implemented a user with write access. Net-snmp allows for far more refined access control if you so desire but will require manual editing of the config file (see the example snmpd.conf file that comes with your distro.).
6. Once the new snmpd.conf file has been created copy it over to /etc/snmp/snmd.conf.
7. Now you need to setup the version 3 user. To do this there are two recommended ways. The first is to add the following line to snmpd.conf 'createUser <username> MD5 "password" DES'. The other is to run "net-snmp-config --createuser -a MD5 -A password -x DES -X password -u <username>"
8. Restart /etc/inint.d/snmpd and then test your config with "snmpwalk -v 3-l priv -u <username> -a MD5 -A password -x DES -X password <host>"

Problems and issues when setting up net-snmp

1. When creating the snmpd.conf file via the "snmpconf" utility you can choose to use priv or auth for your v3 user. We chose priv as this enables encryption as well as authentication.
2. We found that the way to create the v 3 user differed from distribution to distribution. In some cases we had to add 'createUser <username> MD5 "password" DES' to the /etc/snmpd.conf file. Other times we had to add it to /var/lib/net-snmp/snmpd.conf files, or we could only get it to work by running "net-snmp-config --createUser". The documentation tells you to use "net-snmp-config" or to edit /var/lib/snmp/snmpd.conf" files but on some distro's there was no "net-snmp-config" utility, on others adding the user to /var/lib/snmp/snmpd.conf did not work. We had to add the user to /etc/snmpd.conf.
3. When including the 'createUser' directive in the config files the quotes around the password are important. eg 'createUser <username> MD5 password DES' would not work. You need the quotes eg: 'createUser <username> MD5 "password" DES'. When using the net-snmp-config utility quotes are not needed, if I remember correctly now.
4. On debian you need to edit /etc/defaults/snmp otherwise the deamon will only listen on localhost (127.0.0.1) and will not respond to queries on its other ips.
5. Different version of snmpwalk uses slightly different options to the -l (security level) option. Assuming you have setup your user to use the priv security level some distros require just "-l priv" others require "-l authPriv" as the option. (We used priv, if you use auth for the user access then the options will be different. Just run snmpwalk without any parameters to see the options available to you.)