{"id":13019,"date":"2022-06-01T11:17:45","date_gmt":"2022-06-01T08:17:45","guid":{"rendered":"https:\/\/kifarunix.com\/?p=13019"},"modified":"2024-03-09T15:53:19","modified_gmt":"2024-03-09T12:53:19","slug":"install-and-configure-snmp-on-ubuntu-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-snmp-on-ubuntu-debian\/","title":{"rendered":"Install and Configure SNMP on Ubuntu 22.04\/Debian 11"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install and configure SNMP on Ubuntu 22.04\/Debian 11. <a aria-label=\"SNMP (opens in a new tab)\" class=\"rank-math-link\" href=\"http:\/\/www.net-snmp.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">SNMP<\/a> is an acronym for Simple Network Management Protocol. It provides an agentless method of managing and monitoring of network devices and servers for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service state or any other service\/process that support polling over the&nbsp;<code>SNMP<\/code>&nbsp;protocol.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Install and Configure SNMP on Ubuntu 22.04\/Debian 11<\/h2>\n\n\n\n<p>Before you can monitor Linux hosts via SNMP using monitoring tools like Nagios\/Cacti\/LibreNMS, you first need to install and configure SNMP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install SNMP on Ubuntu 22.04\/Debian 11<\/h3>\n\n\n\n<p>The SNMP packages are available on default Ubuntu 22.04\/Debian 11 repositories.<\/p>\n\n\n\n<p>You first need to update your package cache;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Once the update is done, install SNMP on Ubuntu 22.04\/Debian 11.<\/p>\n\n\n\n<pre id=\"block-c6027bc5-5a26-43e5-831e-e4e24b4dcc2e\" class=\"wp-block-preformatted\">apt install snmpd snmp libsnmp-dev<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure SNMP on Ubuntu 22.04\/Debian 11<\/h3>\n\n\n\n<p>Once the installation is done, proceed to configure SNMP as follows.<\/p>\n\n\n\n<p>The default configuration file for SNMP is&nbsp;<code>\/etc\/snmp\/snmpd.conf<\/code>.<\/p>\n\n\n\n<p>The file is highly commented and thus, we will only make a few changes. As a result, make a copy of the original file before you can proceed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/snmp\/snmpd.conf{,.bak}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring SNMP Authentication on Ubuntu 22.04\/Debian 11<\/h3>\n\n\n\n<p>SNMP supports three versions of SNMP protocol;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SNMP <code>v1<\/code><\/li>\n\n\n\n<li>SNMP <code>v2c<\/code><\/li>\n\n\n\n<li>SNMP <code>v3<\/code><\/li>\n<\/ul>\n\n\n\n<p>Both SNMP version 1 and 2c provides authentication using&nbsp;<code><em>community string<\/em><\/code>, which is a shared secret between the agent and the client that is passed in clear text over the network<\/p>\n\n\n\n<p>SNMP version 3 supports user authentication and message encryption using a variety of protocols and is thus a bit more secure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"brid-System_Monitoring_Tools-Net-SNMP-Configuring_Authentication-2c_community\">Configuring SNMP Version 2c Community on Ubuntu 22.04\/Debian 11<\/h4>\n\n\n\n<p>As stated above, SNMP v2 provides access using a <code><strong>permission directive<\/strong><\/code>, a <strong><code>community string<\/code><\/strong> and the <strong><code>source Address<\/code><\/strong>. The source address can be IP of the monitoring server such as Nagios Server (SNMP server) or Cacti for example. This directive should be set in the format;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><em>directive<\/em> <em>community<\/em> [<em>source<\/em> [<em>OID<\/em>]]<\/code><\/pre>\n\n\n\n<p>Where<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code><strong>directive <\/strong><\/code>can be&nbsp;<code>rocommunity<\/code>&nbsp;(provides read-only access) or&nbsp;<code>rwcommunity<\/code>&nbsp;(provides read-write access)<\/li>\n\n\n\n<li><code><strong>source<\/strong><\/code> can be IP of the monitoring server such as Nagios Server (SNMP server) or Cacti or LibreNMS for example<\/li>\n\n\n\n<li><code><strong>OID<\/strong><\/code> is the optional SNMP tree to provide access to.<\/li>\n<\/ul>\n\n\n\n<p>To configure SNMP v2c, edit the&nbsp;<code>snmpd<\/code>&nbsp;configuration file and configure it to listen on both a localhost and an interface IP. By default, SNMP agent on is set to allow connections originating from the localhost only.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/snmp\/snmpd.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n###########################################################################\n# SECTION: Agent Operating Mode\n#\n#   This section defines how the agent will operate when it\n#   is running.\n...\n#agentaddress  127.0.0.1,[::1]\nagentAddress udp:127.0.0.1:161,udp:192.168.56.124:161\n<\/code><\/pre>\n\n\n\n<p>The above will allow SNMP agent to listen on loopback interface and on an interface IP 192.168.56.124, port 161\/UDP.<\/p>\n\n\n\n<p>Next, configure SNMP agent to allow the monitoring server (<em>LibreNMS server in my case, with IP, 192.168.60.22<\/em>) only to connect using the community string (<code>Ex@mPL3<\/code>).<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n#\nSECTION: Access Control Setup\n#\nThis section defines who is allowed to talk to your running\nsnmp agent.\n...\n# Read-only access to everyone to the systemonly view\n#rocommunity  public default -V systemonly\n#rocommunity6 public default -V systemonly\n<strong>rocommunity Ex@mPL3 192.168.60.22<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Save the changes and exit the configuration file.<\/p>\n\n\n\n<p>Note that for any changes to the configuration file to take effect, force the&nbsp;<code>snmpd<\/code>&nbsp;service to re-read the configuration by running the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart snmpd<\/code><\/pre>\n\n\n\n<p>If you can check, SNMP is now listening on two interfaces;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>netstat -nlpu|grep snmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>udp        0      0 192.168.56.124:161      0.0.0.0:*                           4226\/snmpd          \nudp        0      0 127.0.0.1:161           0.0.0.0:*                           4226\/snmpd<\/code><\/pre>\n\n\n\n<p>If firewall is running, allow connection from the monitoring server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from 192.168.60.22 to any port 161 proto udp comment \"Allow SNMP Scan from Monitoring Server\"<\/code><\/pre>\n\n\n\n<p>For IPTABLES, this is the rule;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -s 192.168.60.22 -p udp --dport 161 -j ACCEPT -m comment --comment \"Allow SNMP Checks\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/iptables\/rules.v4{,.bak}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables-save &gt; \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify SNMP v2c Connection with Community String<\/h4>\n\n\n\n<p>Next, run the command below from the monitoring server to verify access to the host;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snmpwalk -v2c -c Ex@mPL3 192.168.56.124<\/code><\/pre>\n\n\n\n<p>If you received such an output, then all is fine<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nSNMPv2-MIB::sysDescr.0 = STRING: Linux jellyfish 5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022 x86_64\nSNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10\nDISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (675) 0:00:06.75\nSNMPv2-MIB::sysContact.0 = STRING: Me <me@example.org>\nSNMPv2-MIB::sysName.0 = STRING: jellyfish\nSNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay\nSNMPv2-MIB::sysServices.0 = INTEGER: 72\nSNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00\nSNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance\nSNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance\nSNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance\nSNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB\nSNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup\nSNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB\nSNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB\nSNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip\nSNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance\nSNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB\nSNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.\nSNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.\nSNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.\nSNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities\nSNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.\nSNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations\nSNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations\nSNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations\nSNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.\nSNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.\nSNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00\nSNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00\nSNMPv2-MIB::sysORUpTime.3 = Timeticks: (0) 0:00:00.00\n...\n<\/code><\/pre>\n\n\n\n<p>If you receive, <strong><code>Timeout: No Response from 192.168.56.124<\/code><\/strong>, then check your agent firewall as well as SNMP access control.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"snmp-v3\"><a href=\"#snmp-v3\">Configure SNMP Version 3 on Ubuntu 22.04\/Debian 11<\/a><\/h3>\n\n\n\n<p>SNMP v3 uses a username, permission, security level, authentication and privacy passphrases to allow access. As a result, you need to create user for authenticating. When created, the user is added to the following configuration files;&nbsp;<code>\/etc\/snmp\/snmpd.conf<\/code>&nbsp;and&nbsp;<code>\/var\/lib\/net-snmp\/snmpd.conf<\/code>.<\/p>\n\n\n\n<p>Similarly, make a copy of the original configuration file just like we did above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/snmp\/snmpd.conf{,.bak}<\/code><\/pre>\n\n\n\n<p>Stop SNMP daemon<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop snmpd<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Create SNMP v3 Authentication User<\/h4>\n\n\n\n<p>Create a read-only authentication user using the&nbsp;<code>net-snmp-create-v3-user<\/code>&nbsp;command. The command syntax is;<\/p>\n\n\n\n<p><code>net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]<\/code><\/p>\n\n\n\n<p><em>On <strong>Debian 11<\/strong>, due to some &#8220;bug&#8221; with the net-snmp-create-v3-user script, you may see such an error as <strong>touch: cannot touch &#8216;\/snmp\/snmpd.conf&#8217;: No such file or directory<\/strong>.<\/em><\/p>\n\n\n\n<p><em>Thus, before you generate the SNMP v3 authentication credentials, run the command below to update the paths;<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>cp \/usr\/bin\/net-snmp-create-v3-user ~\/<\/em><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><em>sed -ie '\/prefix=\/adatarootdir=${prefix}\\\/share' \/usr\/bin\/net-snmp-create-v3-user<\/em><\/code><\/pre>\n\n\n\n<p>Next, generate the authentication user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>adding the following line to \/var\/lib\/snmp\/snmpd.conf:\n   createUser snmpadmin SHA \"STrP@SSWRD\" AES \"STr0ngP@SSWRD\"\nadding the following line to \/usr\/share\/\/snmp\/snmpd.conf:\n   rouser snmpadmin<\/code><\/pre>\n\n\n\n<p>Start SNMP daemon and configure inbound Firewall rules to UDP port 161 as we did above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start snmpd<\/code><\/pre>\n\n\n\n<p>Enable SNMP daemon to run on system reboot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable snmpd<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify SNMP v3 Connection<\/h4>\n\n\n\n<p>Test to verify that everything is working as expected. Note that we ran this command from the SNMP monitoring server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin 192.168.56.124<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nSNMPv2-MIB::sysDescr.0 = STRING: Linux jellyfish 5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022 x86_64\nSNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10\nDISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3436) 0:00:34.36\nSNMPv2-MIB::sysContact.0 = STRING: Me <me@example.org>\nSNMPv2-MIB::sysName.0 = STRING: jellyfish\nSNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay\nSNMPv2-MIB::sysServices.0 = INTEGER: 72\nSNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00\nSNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance\nSNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance\nSNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance\nSNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB\nSNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup\nSNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB\nSNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB\nSNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip\nSNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance\nSNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB\nSNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.\nSNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.\nSNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.\nSNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities\nSNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.\nSNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations\nSNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations\nSNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations\nSNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.\nSNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.\nSNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00\n...\n<\/code><\/pre>\n\n\n\n<p>Great!! You have successfully setup SNMP v2c and SNMP v3 on an Ubuntu 22.04\/Debian 11 system. You can now configure your server for polling from a remove monitoring server using SNMP strings or with SNMP v3.<\/p>\n\n\n\n<p>That  brings us to the end of our tutorial on how to install and configure SNMP on Ubuntu\/Debian.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-librenms-on-rocky-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install LibreNMS on Rocky Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easily-install-and-setup-cacti-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easily Install and Setup Cacti on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install and configure SNMP on Ubuntu 22.04\/Debian 11. SNMP is an acronym for Simple Network<\/p>\n","protected":false},"author":1,"featured_media":9988,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,347],"tags":[5282,5281,5278,5285,5273,5284,5283],"class_list":["post-13019","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-snmp","tag-debian-11-snmp","tag-install-snmp-debian-11","tag-install-snmp-on-ubuntu-22-04","tag-snmp-v2c-debian","tag-snmp-v2c-ubuntu","tag-snmp-v3-ubuntu","tag-ubuntu-22-04-snmp","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13019"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=13019"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13019\/revisions"}],"predecessor-version":[{"id":20579,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13019\/revisions\/20579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9988"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=13019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=13019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=13019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}