2012.11.18

Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks.”

Version 3:
Although SNMPv3 leaves the protocol operations themselves unchanged and only adds cryptographic security, it looks very different because of its new textual conventions, concepts and terminology.

SNMPv3 primarily added security and remote configuration enhancements to SNMP.

Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP versions 1 and 2c amounts to nothing more than a password (the community string) sent in clear text between manager and agent, so anyone who can sniff the traffic can read it and replay it. Each SNMPv3 message instead carries security parameters, encoded as an octet string, whose meaning depends on the security model in use; for the net-snmp configuration below that model is the User-based Security Model (USM), which is what the usm groups and the createUser lines refer to.

SNMPv3 provides important security features:

  • Confidentiality – Encryption of packets to prevent snooping by an unauthorized source.
  • Integrity – Message integrity to ensure that a packet has not been tampered with in transit, including an optional packet replay protection mechanism.
  • Authentication – to verify that the message is from a valid source.
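
The authentication and confidentiality keys that USM uses are not the passphrases themselves. As an added worked example (written for this page, not code from the original post or from net-snmp), the script below implements the RFC 3414 derivation: the passphrase is cycled to 1 MiB and hashed (Ku), and the result is then "localized" by hashing it together with the agent's snmpEngineID (Kul). It is checked against the RFC 3414 appendix A.3 test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02); the second engine ID and the usm_user_keys helper are my own constructions.

```python
"""RFC 3414 USM passphrase-to-key derivation (added example, not from the post)."""
import hashlib

ONE_MIB = 1048576  # RFC 3414 A.2: the passphrase is cycled to exactly 1 MiB

# Test vector from RFC 3414 appendix A.3: password "maplesyrup" with the
# 12-byte engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC3414_ENGINE_ID = bytes(11) + b"\x02"


def password_to_key(password, hash_name):
    """Ku = H(passphrase cycled to 1 MiB). hash_name is "md5" or "sha1"."""
    pw = password.encode("utf-8")
    if len(pw) < 8:
        # net-snmp rejects createUser passphrases shorter than 8 characters
        raise ValueError("USM passphrase must be at least 8 characters")
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): the key actually shared with one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password, engine_id, hash_name):
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def usm_user_keys(auth_proto, auth_pass, priv_proto, priv_pass, engine_id):
    """Keys an agent derives from a line such as
    createUser cacti SHA "..." AES "...": the localized auth key for
    HMAC-MD5-96 / HMAC-SHA-96 and, for DES or AES-128, the first 16 bytes of
    the localized privacy passphrase (localized with the auth hash)."""
    hash_name = {"MD5": "md5", "SHA": "sha1"}[auth_proto.upper()]
    keys = {"auth": usm_localized_key(auth_pass, engine_id, hash_name)}
    if priv_proto:
        keys["priv"] = usm_localized_key(priv_pass, engine_id, hash_name)[:16]
    return keys


if __name__ == "__main__":
    for h in ("md5", "sha1"):
        print(h, usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, h).hex())
    other_engine = bytes.fromhex("8000000001c0a80001")  # constructed engine ID
    print("same passphrase, other engine:",
          usm_localized_key("maplesyrup", other_engine, "sha1").hex())
```

Two consequences matter for the configuration that follows: the passphrase never crosses the wire (the agent only ever holds and uses Kul), and because Kul is bound to the snmpEngineID the same passphrase yields a different key on every agent, so a key lifted from one agent's persistent store does not work against another. This is also why net-snmp can replace a cleartext createUser line with a usmUser line holding localized keys.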

Configuration:
In Ubuntu 10.04 I used these settings, which worked fine but were not exactly secure: read access is granted to anyone who knows the v1/v2c community string public, and only the 127.0.0.1 in SNMPDOPTS keeps the agent off the network:

/etc/default/snmpd

# This file controls the activity of snmpd and snmptrapd

# MIB directories.  /usr/share/snmp/mibs is the default, but
# including it here avoids some strange problems.
export MIBDIRS=/usr/share/snmp/mibs

# snmpd control (yes means start daemon).
SNMPDRUN=yes

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

# snmptrapd control (yes means start daemon).  As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run.  See snmpd.conf(5) for how to do this.
TRAPDRUN=no

# snmptrapd options (use syslog).
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'

# create symlink on Debian legacy location to official RFC path
SNMPDCOMPAT=yes

/etc/snmp/snmpd.conf

com2sec ro default public
com2sec rw localhost private

group public v1 ro
group public v2c ro
group public usm ro
group private v1 rw
group private v2c rw
group private usm rw

view all    included  .1                               80
view system included  .iso.org.dod.internet.mgmt.mib-2.system

access public "" any noauth exact all none none
access private "" any noauth exact all all all

In Ubuntu 12.04 I couldn’t get things to work at all, neither with the default settings nor with the above. Looking at /var/log/syslog made it clear that snmpd wasn’t able to locate the MIBs:

Nov 17 22:27:59 hades snmpd[1066]: payload OID: prNames
Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown payload OID
Nov 17 22:27:59 hades snmpd[1066]: Unknown payload OID: prNames
Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: Unknown payload OID
Nov 17 22:27:59 hades snmpd[1066]: payload OID: prErrMessage
Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown payload OID
Nov 17 22:27:59 hades snmpd[1066]: Unknown payload OID: prErrMessage
Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: Unknown payload OID
Nov 17 22:27:59 hades snmpd[1066]: trigger OID: prErrorFlag
Nov 17 22:27:59 hades snmpd[1066]: /etc/snmp/snmpd.conf: line 143: Error: unknown monitor OID
...
Nov 17 22:27:59 hades snmpd[1066]: Turning on AgentX master support.
Nov 17 22:27:59 hades snmpd[1066]: net-snmp: 33 error(s) in config file(s)

After some searching I was able to get it running by setting MIBS to UCD-SNMP-MIB in /etc/default/snmpd: the prNames, prErrMessage and prErrorFlag names that defaultMonitors refers to are defined in UCD-SNMP-MIB, so snmpd cannot resolve them unless that MIB is loaded.

In order to get SNMPv3 running only some minor adjustments were needed. I ended up with the following settings (which I hope are secure :-); see the last two references, in Dutch):

/etc/default/snmpd

# This file controls the activity of snmpd and snmptrapd

# Load only UCD-SNMP-MIB, which snmpd needs to resolve the pr* OIDs that
# defaultMonitors refers to.  You might comment this line out once you have
# all the MIBs downloaded.
export MIBS=UCD-SNMP-MIB

# snmpd control (yes means start daemon).
SNMPDRUN=yes

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

# snmptrapd control (yes means start daemon).  As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run.  See snmpd.conf(5) for how to do this.
TRAPDRUN=no

# snmptrapd options (use syslog).
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'

# create symlink on Debian legacy location to official RFC path
SNMPDCOMPAT=yes

/etc/snmp/snmpd.conf

agentAddress udp:161,udp6:[::1]:161

createUser internalUser  MD5 "mypassword3"
createUser cacti SHA "mypassword4" AES "passphrase4"

view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1

rouser   cacti

iquerySecName   internalUser
rouser          internalUser

defaultMonitors          yes
linkUpDownNotifications  yes

master          agentx
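
As an added check (example code written for this page, not part of the original post or of net-snmp), the following script parses both snmpd.conf bodies shown above, embedded here as constructed copies, and flags the settings a reviewer would question: cleartext v1/v2c communities and noauth access in the 10.04 file, and in the 12.04 file an agentAddress that listens on every IPv4 interface, a USM user without a privacy key, MD5 authentication, and rouser lines without an explicit security level. The finding codes are my own naming.

```python
"""Lint an snmpd.conf body for the SNMP security weaknesses discussed above."""
import re
import shlex

# Constructed copies of the two snmpd.conf files shown on this page.
UBUNTU_1004_CONF = """\
com2sec ro default public
com2sec rw localhost private
group public v1 ro
group public v2c ro
group public usm ro
group private v1 rw
group private v2c rw
group private usm rw
view all    included  .1                               80
view system included  .iso.org.dod.internet.mgmt.mib-2.system
access public "" any noauth exact all none none
access private "" any noauth exact all all all
"""

UBUNTU_1204_CONF = """\
agentAddress udp:161,udp6:[::1]:161
createUser internalUser  MD5 "mypassword3"
createUser cacti SHA "mypassword4" AES "passphrase4"
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rouser   cacti
iquerySecName   internalUser
rouser          internalUser
defaultMonitors          yes
linkUpDownNotifications  yes
master          agentx
"""

COMMUNITY_DIRECTIVES = {"com2sec", "com2sec6", "rocommunity", "rwcommunity",
                        "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
LEVELS = {"noauth", "auth", "priv"}


def lint_snmpd_conf(text):
    """Return a list of (line, code, message) findings, in file order."""
    findings = []
    users = {}  # secName -> privacy protocol name, or None if authNoPriv only

    def flag(lineno, code, msg):
        findings.append((lineno, code, msg))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in COMMUNITY_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY  vs  rocommunity COMMUNITY [SOURCE ...]
            if directive.startswith("com2sec"):
                community, source = args[2], args[1]
            else:
                community = args[0]
                source = args[1] if len(args) > 1 else "default"
            flag(lineno, "community",
                 f"v1/v2c community {community!r} accepted from {source}: "
                 "cleartext, no integrity, no replay protection")
        elif directive == "access" and len(args) >= 4 and args[3].lower() == "noauth":
            flag(lineno, "noauth-access", f"group {args[0]!r} reachable at noauth level")
        elif directive == "createuser":
            # createUser NAME [AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]]
            name = args[0]
            auth = args[1].upper() if len(args) >= 3 else None
            priv = args[3].upper() if len(args) >= 4 else None
            users[name] = priv
            if auth is None:
                flag(lineno, "no-auth", f"USM user {name!r} has no authentication key")
            elif auth == "MD5":
                flag(lineno, "weak-auth", f"USM user {name!r} uses MD5; prefer SHA")
            if priv is None:
                flag(lineno, "no-priv", f"USM user {name!r} has no privacy key: authNoPriv only")
            elif priv == "DES":
                flag(lineno, "weak-priv", f"USM user {name!r} uses DES; prefer AES")
        elif directive in USER_DIRECTIVES:
            # rouser/rwuser NAME [noauth|auth|priv ...]; the level defaults to auth
            name = args[0]
            explicit = len(args) > 1 and args[1].lower() in LEVELS
            level = args[1].lower() if explicit else "auth"
            if not explicit:
                flag(lineno, "level-default",
                     f"{directive} {name}: no explicit level, defaults to 'auth'")
            if users.get(name) and level != "priv":
                flag(lineno, "priv-not-enforced",
                     f"{name!r} has a privacy key but may still be queried unencrypted")
        elif directive == "agentaddress":
            for endpoint in args[0].split(","):
                # "udp:161" or "udp" with no host part binds every interface
                if re.fullmatch(r"(udp6?|tcp6?)(:\d+)?", endpoint) or ":0.0.0.0:" in endpoint:
                    flag(lineno, "bind-all", f"{endpoint!r} listens on all interfaces")
    return findings


if __name__ == "__main__":
    for label, conf in (("10.04", UBUNTU_1004_CONF), ("12.04", UBUNTU_1204_CONF)):
        print(f"== {label} ==")
        for lineno, code, msg in lint_snmpd_conf(conf):
            print(f"line {lineno:2d} [{code}] {msg}")
```

What the findings on the 12.04 file mean in practice: agentAddress udp:161 has no host part, so unlike the 10.04 SNMPDOPTS (which bound to 127.0.0.1) the agent now answers on every IPv4 address; rouser cacti without a level accepts authNoPriv requests even though cacti has an AES key, and rouser cacti priv enforces encryption; internalUser is MD5 authNoPriv, which is acceptable for the local iquerySecName monitors but not for a user polled over the network. The script cannot see which file the lines live in, so one more caveat goes here: net-snmp's documentation recommends putting createUser lines in the persistent file (/var/lib/snmp/snmpd.conf on Debian and Ubuntu) rather than /etc/snmp/snmpd.conf, because snmpd rewrites the persistent file and replaces each createUser with a usmUser line holding localized keys, so the cleartext passphrase does not stay on disk.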

References: