{"id":3757,"date":"2019-07-25T21:15:35","date_gmt":"2019-07-25T18:15:35","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3757"},"modified":"2024-03-12T07:32:06","modified_gmt":"2024-03-12T04:32:06","slug":"install-and-configure-snmp-on-debian-10-buster","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-snmp-on-debian-10-buster\/","title":{"rendered":"Install and Configure SNMP on Debian 10 Buster"},"content":{"rendered":"\n

This guide will take you through how to install and configure SNMP on Debian 10 Buster for monitoring using either SNMP v2c or v3. If you are looking at monitoring your Debian 10 system with monitoring tools like Nagios, Icinga or any other tools for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service state or any other services that support polling over the SNMP<\/code> protocol, then you need to install SNMP and configure it as follows.<\/p>\n\n\n\n

Installing SNMP on Debian 10 Buster<\/h2>\n\n\n\n

Install SNMP on Debian 10 Buster<\/h3>\n\n\n\n

Run the command below to install SNMP daemon, SNMP client and the SNMP development files.<\/p>\n\n\n\n

apt install snmpd snmp libsnmp-dev<\/code><\/pre>\n\n\n\n
Configuring SNMP on Debian 10 Buster<\/h3>\n\n\n\n
Once the installation is done, proceed to configure SNMP on Debian 10 Buster.<\/p>\n\n\n\n
The default configuration file for SNMP agent is \/etc\/snmp\/snmpd.conf<\/code>. SNMP agent can run with the default configuration settings. However, we are going to make a few changes to enable remote monitoring. As such create a backup of the configuration file as shown below;<\/p>\n\n\n\n
cp \/etc\/snmp\/snmpd.conf \/etc\/snmp\/snmpd.conf.orig<\/code><\/pre>\n\n\n\n
Define SNMP agent (snmpd<\/strong>) Listening Address<\/h4>\n\n\n\n
SNMP agent listens on a loopback interface on UDP port 161 by default. To enable remote monitoring, you need to define a non-loopback interface IP address. The listening interface is defined by agentAddress<\/strong> directive.<\/p>\n\n\n\n
vim \/etc\/snmp\/snmpd.conf<\/code><\/pre>\n\n\n\n
\n###############################################################################\n#\n#  AGENT BEHAVIOUR\n#\n\n#  Listen for connections from the local system only\nagentAddress  udp:127.0.0.1:161,udp:192.168.43.62:161\n<\/code><\/pre>\n\n\n\n
Configuring SNMP v2c Authentication<\/h4>\n\n\n\n
SNMP v2 provides access using a community string and the source IP Address, where the source IP address is the IP address of the monitoring server. The traditional access control for SNMP v2c can be defined using the directive;<\/p>\n\n\n\n
directive<\/em> community<\/em> [source<\/em> [OID<\/em>]]<\/code><\/pre>\n\n\n\n
The directive can be rocommunity<\/code> (provides read-only access to a specific OID) or rwcommunity<\/code>(provides read-write access to a specific OID), OID is the optional SNMP tree to provide access to. Under the Access Control section, place the line, rocommunity S3CUrE 192.168.43.100<\/strong>. You can also enable query from localhost; rocommunity S3CUrE localhost<\/strong>.<\/p>\n\n\n\n
\n...\n rouser   authOnlyUser\n                                                 #  Full write access for encrypted requests\n                                                 #     Remember to activate the 'createUser' lines above\n#rwuser   authPrivUser   priv\n\n#  It's no longer typically necessary to use the full 'com2sec\/group\/access' configuration\n#  r[ow]user and r[ow]community, together with suitable views, should cover most requirements\n\n# Allow read-only Access to full OID tree from the localhost and 192.168.43.100 using the string S3CUrE\nrocommunity S3CUrE localhost\nrocommunity S3CUrE 192.168.43.100\n\n###############################################################################\n\n<\/code><\/pre>\n\n\n\n
For a simple SNMP v2c configuration, that is just it. Restart SNMPd to effect the changes.<\/p>\n\n\n\n
systemctl restart snmpd<\/code><\/pre>\n\n\n\n
Set SNMPd to run on system boot.<\/p>\n\n\n\n
systemctl enable snmpd<\/code><\/pre>\n\n\n\n
Verify that SNMPd is listening on an interface IP defined above.<\/p>\n\n\n\n
netstat -nlpu|grep 161<\/code><\/pre>\n\n\n\n
udp        0      0 192.168.43.62:161       0.0.0.0:*                           26491\/snmpd         \nudp        0      0 127.0.0.1:161           0.0.0.0:*                           26491\/snmpd<\/code><\/pre>\n\n\n\n
If firewall is running, allow connection from the monitoring server.<\/p>\n\n\n\n
ufw allow from 192.168.43.100 to any port 161 proto udp<\/code><\/pre>\n\n\n\n
On the localhost, you can test if your MIBs are working by running the command below;<\/p>\n\n\n\n
snmpwalk -v2c -c S3CUrE localhost | head -5<\/code><\/pre>\n\n\n\n
\niso.3.6.1.2.1.1.1.0 = STRING: \"Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64\"\niso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10\niso.3.6.1.2.1.1.3.0 = Timeticks: (10311) 0:01:43.11\niso.3.6.1.2.1.1.4.0 = STRING: \"Me <me@example.org>\"\niso.3.6.1.2.1.1.5.0 = STRING: \"debian10\"\n<\/code><\/pre>\n\n\n\n
You should also be able to query the MIBs from the remote monitoring server. Ensure that UDP port is allowed on a firewall if there is any running on your system.<\/p>\n\n\n\n
Configuring SNMP v3 on Debian 10<\/h3>\n\n\n\n
There are different security models which SNMP v3 can use. However, we are going to use the User-based Security Model in this guide. This approach will involve the use SNMPv3-specific users, withs specific permission, security level, authentication and privacy passphrases to allow access to the OID tree.<\/p>\n\n\n\n
Therefore, you need to create user for authenticating using net-snmp-create-v3-user<\/strong>. When created, the user is added to the configuration files; \/etc\/snmp\/snmpd.conf<\/code>and \/var\/lib\/net-snmp\/snmpd.conf<\/code>.<\/p>\n\n\n\n
Make a copy of the original configuration file just like we did above.<\/p>\n\n\n\n
cp \/etc\/snmp\/snmpd.conf \/etc\/snmp\/snmpd.conf.bak<\/code><\/pre>\n\n\n\n
Create a read-only SNMP v3 authentication user. The command syntax is;<\/p>\n\n\n\n
net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-x privpass][-X DES|AES] [username]<\/code><\/p>\n\n\n\n
Before you can use the net-snmp-create-v3-user<\/strong> command, you need to stop snmpd<\/strong>.<\/p>\n\n\n\n
systemctl stop snmpd<\/code><\/pre>\n\n\n\n
Create the read only user.<\/p>\n\n\n\n
net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpro<\/code><\/pre>\n\n\n\n
adding the following line to \/var\/lib\/snmp\/snmpd.conf:\n   createUser snmpro SHA \"STrP@SSWRD\" AES STr0ngP@SSWRD\nadding the following line to \/usr\/share\/snmp\/snmpd.conf:\n   rouser snmpro<\/code><\/pre>\n\n\n\n
Start SNMP daemon and configure inbound Firewall rules to UDP port 161 if UFW is running just like we did above.<\/p>\n\n\n\n
systemctl start snmpd<\/code><\/pre>\n\n\n\n
Verify SNMP v3<\/h4>\n\n\n\n
To test if MIBs are working properly on the locahost via SNMP v3, runt the command below specifying the user created above as shown below;<\/p>\n\n\n\n
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpro localhost | head -5<\/code><\/pre>\n\n\n\n
\niso.3.6.1.2.1.1.1.0 = STRING: \"Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64\"\niso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10\niso.3.6.1.2.1.1.3.0 = Timeticks: (219) 0:00:02.19\niso.3.6.1.2.1.1.4.0 = STRING: \"Me <me@example.org>\"\niso.3.6.1.2.1.1.5.0 = STRING: \"debian10\"\n<\/code><\/pre>\n\n\n\n
Well, there you go, If you need to run the tests from remote server, you need to open port 161\/UDP on your system.<\/p>\n\n\n\n
You can read more about SNMPd configuration on SNMPD man page<\/a>.<\/p>\n\n\n\n
Related Guides;<\/h3>\n\n\n\n
Install and Configure SNMP on Ubuntu 18.04 and CentOS 7<\/a><\/p>\n\n\n\n
Nagios SNMP Monitoring of Linux Hosts on AlienVault USM\/OSSIM<\/a><\/p>\n\n\n\n
How to Configure SNMP version 3 on Debian 9<\/a><\/p>\n\n\n\n
How to Configure SNMP Version 2c on Debian 9<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
This guide will take you through how to install and configure SNMP on Debian 10 Buster for monitoring using either SNMP v2c or v3. If<\/p>\n","protected":false},"author":1,"featured_media":9988,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,347],"tags":[1039,276,1050,1049,350,1051],"class_list":["post-3757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-snmp","tag-debian-10-buster","tag-snmp","tag-snmp-monitoring","tag-snmp-v2c","tag-snmp-v3","tag-snmpwalk","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3757"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=3757"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3757\/revisions"}],"predecessor-version":[{"id":21169,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3757\/revisions\/21169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9988"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=3757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=3757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=3757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}