Introduction
In this lab, you will learn how to implement secure network monitoring on a Linux system using Simple Network Management Protocol version 3 (SNMPv3). You will focus on configuring the SNMP agent (snmpd) to enforce strong authentication and encryption, ensuring that management data is protected in transit and moving beyond the insecurities of older SNMP versions.
The process begins with installing the necessary SNMP agent and client tools on your system. You will then create a dedicated SNMPv3 user with secure credentials directly within the configuration file. Finally, you will use the snmpwalk command-line tool to perform secure queries against your configured agent, verifying your setup and exploring how to retrieve specific system information using Object Identifiers (OIDs).
Install SNMP Agent and Client Tools
In this step, you will install the core components required for network monitoring using the Simple Network Management Protocol (SNMP). We will install both the SNMP agent, which runs on the device to be monitored, and the client tools, which are used to query the agent.
First, it's a standard best practice to update your system's package list. This ensures you are getting the latest and most secure versions of the software available in the repositories.
Execute the following command to update the package index on your system:
sudo apt update
You will see output showing the package lists being fetched from the Ubuntu repositories.
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
...
Fetched 1,587 kB in 2s (924 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Now that your package list is updated, you can install the SNMP agent (daemon) and the client utilities. The agent is provided by the snmpd package, and the client tools (like snmpwalk, snmpget) are in the snmp package.
Run the command below to install both packages. The -y flag automatically confirms the installation, so you won't be prompted.
sudo apt install snmpd snmp -y
The installation process will download and configure the necessary files. Once it's complete, the snmpd service, which is the agent daemon, should be started automatically.
To confirm that the SNMP agent is running correctly, you can check the status of the snmpd service using systemctl.
sudo systemctl status snmpd
The output should indicate that the service is active (running). This confirms that the SNMP agent is ready to receive requests.
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-10-30 08:30:00 UTC; 5s ago
Main PID: 1234 (snmpd)
Tasks: 1 (limit: 4595)
Memory: 9.8M
CPU: 35ms
CGroup: /system.slice/snmpd.service
└─1234 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
With the agent running and the client tools installed, your environment is now prepared for SNMP configuration and communication.
Create a Secure SNMPv3 User in snmpd.conf
In this step, you will configure the SNMP agent (snmpd) to use SNMPv3, which provides essential security features. Unlike older versions, SNMPv3 supports authentication (to verify the sender's identity) and privacy (to encrypt the data). You will achieve this by creating a new user directly in the agent's configuration file, /etc/snmp/snmpd.conf.
Before making any changes, it's a critical best practice to create a backup of the original configuration file. This allows you to easily restore it if something goes wrong.
Execute the following command to copy the configuration file:
sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
Now, you will edit the main configuration file /etc/snmp/snmpd.conf to add a new SNMPv3 user. We will use the nano text editor for this task.
Run this command to open the file with sudo permissions:
sudo nano /etc/snmp/snmpd.conf
Scroll to the very end of the file and add the lines shown below. They define a new user named labexuser with strong authentication (SHA) and privacy (AES) protocols. Each part of the configuration means the following:
- createUser: This directive creates the SNMPv3 user.
- labexuser: The username for your SNMPv3 user.
- SHA: The authentication protocol (more secure than MD5).
- AuthPassLabEx: The authentication passphrase (must be at least 8 characters).
- AES: The privacy (encryption) protocol (more secure than DES).
- PrivPassLabEx: The privacy passphrase (must be at least 8 characters).
- rwuser: This directive grants the user read-write access to the entire OID tree when using the priv security level (authentication and privacy).
Copy and paste the following configuration block at the end of the file:
## --- LabEx SNMPv3 User Configuration ---
## Create a secure SNMPv3 user for monitoring
createUser labexuser SHA "AuthPassLabEx" AES "PrivPassLabEx"
## Grant the new user read-write access with privacy
rwuser labexuser priv
## --- End of Configuration ---
After adding the text, save the file and exit nano by pressing Ctrl+O, then Enter to confirm the filename, and finally Ctrl+X to exit.
You have now successfully configured a secure user for SNMPv3 communication. In the next step, you will restart the service to apply these changes.
Restart and Verify the snmpd Service
In this step, you will apply the new user configuration you added in the previous step. Whenever you modify the configuration file of a running service like snmpd, the changes are not applied automatically. You must restart the service for it to re-read its configuration file and load the new settings.
First, use the systemctl command to restart the snmpd service. This will stop the current process and start a new one with the updated configuration that includes your labexuser.
sudo systemctl restart snmpd
This command typically does not produce any output if it executes successfully.
Next, it is crucial to verify that the service restarted without any issues. If there were any syntax errors in your /etc/snmp/snmpd.conf file, the service might fail to start. You can check its current status to confirm it's running correctly.
sudo systemctl status snmpd
You should see output confirming that the service is active (running). Pay attention to the timestamp, which should show that the service was started very recently.
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-10-30 08:35:00 UTC; 3s ago
Main PID: 5678 (snmpd)
Tasks: 1 (limit: 4595)
Memory: 10.1M
CPU: 40ms
CGroup: /system.slice/snmpd.service
└─5678 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
Seeing the active (running) status confirms that your configuration changes were valid and the SNMP agent is now running with the new labexuser ready for secure communication.
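The user-creation step and the restart-and-verify step above, combined into one script as an added example (not part of the lab's own material): it refuses passphrases shorter than the 8 characters SNMPv3 requires before anything is written, emits the same createUser and rwuser lines the lab uses, and can emit rouser instead for a monitoring-only account, which is the least-privilege choice when the manager never needs to write. The function names are this script's own; the directives it writes (createUser, rwuser, rouser) are net-snmp's.

```shell
#!/usr/bin/env bash
# Added example (not from the LabEx lab): build, validate and apply an
# SNMPv3 user block for /etc/snmp/snmpd.conf. Function names are this
# script's own; createUser/rwuser/rouser are net-snmp directives.

# SNMPv3 (USM) rejects passphrases shorter than 8 characters. Checking
# here avoids writing a line that makes snmpd fail to start.
passphrase_ok() {
    [ "${#1}" -ge 8 ]
}

# Print the configuration block for one user.
#   $1 user name, $2 auth passphrase, $3 priv passphrase,
#   $4 access: "rw" (as in the lab) or "ro" (read-only, the default here)
# Passphrases containing double quotes would need extra escaping.
snmpv3_user_block() {
    local user=$1 auth=$2 priv=$3 access=${4:-ro} directive
    passphrase_ok "$auth" || { echo "auth passphrase too short (min 8)" >&2; return 1; }
    passphrase_ok "$priv" || { echo "priv passphrase too short (min 8)" >&2; return 1; }
    case $access in
        rw) directive=rwuser ;;
        ro) directive=rouser ;;
        *)  echo "access must be rw or ro" >&2; return 1 ;;
    esac
    printf '## --- SNMPv3 user %s ---\n' "$user"
    printf 'createUser %s SHA "%s" AES "%s"\n' "$user" "$auth" "$priv"
    printf '%s %s priv\n' "$directive" "$user"
}

# Back up snmpd.conf, append the block, restart snmpd and confirm it is
# active; on failure show the status output so a syntax error is visible.
apply_snmpv3_user() {
    local conf=/etc/snmp/snmpd.conf block
    block=$(snmpv3_user_block "$@") || return 1
    sudo cp "$conf" "$conf.bak"
    printf '%s\n' "$block" | sudo tee -a "$conf" >/dev/null
    sudo systemctl restart snmpd
    systemctl is-active --quiet snmpd || { sudo systemctl status snmpd --no-pager; return 1; }
}

# Usage: ./snmpv3-user.sh labexuser AuthPassLabEx PrivPassLabEx rw
if [ "$#" -ge 3 ]; then
    apply_snmpv3_user "$@"
fi
```

Running `./snmpv3-user.sh labexuser AuthPassLabEx PrivPassLabEx rw` reproduces the lab's configuration exactly; leaving out the fourth argument produces a rouser line instead, which is enough for the read-only queries in the following steps.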
Perform Secure Queries with SNMPv3 Tools
In this step, you will use SNMP client tools to perform secure queries against the SNMP agent running on your local machine. You will use the labexuser credentials you configured in snmpd.conf to test the secure SNMPv3 communication. This is the moment to see your secure configuration in action.
SNMP commands for SNMPv3 require several specific flags to handle authentication and privacy. Here is a breakdown of the parameters you will use:
- -v 3: Specifies that you are using SNMP version 3.
- -l authPriv: Sets the security level to authPriv, which means the communication requires both authentication and privacy (encryption). This is the highest security level.
- -u labexuser: Specifies the username, which is the labexuser you created.
- -a SHA: Defines the authentication protocol as SHA. This must match the protocol you set in snmpd.conf.
- -A "AuthPassLabEx": Provides the authentication passphrase.
- -x AES: Defines the privacy (encryption) protocol as AES. This must also match your configuration.
- -X "PrivPassLabEx": Provides the privacy passphrase.
- localhost: The target host where the SNMP agent is running. In this case, it's your own machine.
First, let's test the connection by walking the entire system tree. The snmpwalk command traverses OID trees and returns all objects within a branch.
Understanding OID Structure: Object Identifiers (OIDs) use a hierarchical numbering system. The OID 1.3.6.1.2.1.1 represents the "system" group in the standard SNMP MIB-II:
- 1.3.6.1 = internet
- 1.3.6.1.2 = mgmt (management)
- 1.3.6.1.2.1 = mib-2 (standard MIB)
- 1.3.6.1.2.1.1 = system group (contains basic system information)
Execute the following command to walk the system MIB tree:
snmpwalk -v 3 -l authPriv -u labexuser -a SHA -A "AuthPassLabEx" -x AES -X "PrivPassLabEx" localhost 1.3.6.1.2.1.1
If the command is successful, you will see multiple system-related OIDs and their values. This confirms that your SNMP manager successfully authenticated with the agent (snmpd) and the query was performed over a secure, encrypted channel.
SNMPv2-MIB::sysDescr.0 = STRING: Linux labex-vm 5.15.0-XX-generic #XX-Ubuntu SMP ...
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-TC::linux
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56
SNMPv2-MIB::sysContact.0 = STRING: Me <me@example.org>
SNMPv2-MIB::sysName.0 = STRING: labex-vm
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
...
A successful response proves that your entire SNMPv3 setup is working correctly. If you had used incorrect credentials or protocols, the command would have failed with an authentication error.
Query Specific OIDs using snmpget
In this step, you will learn to retrieve specific pieces of system information using the snmpget command. While snmpwalk traverses entire OID trees, snmpget is designed to query specific Object Identifiers (OIDs) for precise information retrieval.
Now that you have a working and secure SNMPv3 setup, you can query specific system information. An OID uniquely points to a piece of managed information within the device's Management Information Base (MIB).
OID Hierarchy Explained: The SNMP OID tree follows the international standard ISO/IEC object identifier hierarchy:
1 (iso)
└── 3 (org)
    └── 6 (dod)
        └── 1 (internet)
            └── 2 (mgmt)
                └── 1 (mib-2)
                    └── 1 (system)
                        ├── 1.0 (sysDescr)
                        ├── 3.0 (sysUpTime)
                        ├── 4.0 (sysContact)
                        ├── 5.0 (sysName)
                        └── 6.0 (sysLocation)
This explains why system information starts with 1.3.6.1.2.1.1 - it's the standardized path to the system group in MIB-II.
Let's query a specific and commonly used OID: the system description. This OID retrieves a basic text description of the managed device.
Understanding Specific OIDs: Within the system group (1.3.6.1.2.1.1), each piece of information has a specific sub-identifier:
- 1.3.6.1.2.1.1.1.0 = sysDescr.0 (system description)
- 1.3.6.1.2.1.1.3.0 = sysUpTime.0 (system uptime)
- 1.3.6.1.2.1.1.4.0 = sysContact.0 (system contact)
- 1.3.6.1.2.1.1.5.0 = sysName.0 (system name)
- 1.3.6.1.2.1.1.6.0 = sysLocation.0 (system location)
The .0 at the end indicates this is a scalar value (single instance), not a table entry.
Execute the following command to query the system description:
snmpget -v 3 -l authPriv -u labexuser -a SHA -A "AuthPassLabEx" -x AES -X "PrivPassLabEx" localhost 1.3.6.1.2.1.1.1.0
The output will show the system description, confirming that your SNMPv3 authentication and privacy are working correctly:
iso.3.6.1.2.1.1.1.0 = STRING: "Linux iZrj9ixg5sv0oem6yeu6aqZ 5.15.0-56-generic ..."
Next, let's query the system uptime using the numeric OID 1.3.6.1.2.1.1.3.0 (which corresponds to sysUpTime.0). This OID reports the time since the network management portion of the system was last re-initialized:
snmpget -v 3 -l authPriv -u labexuser -a SHA -A "AuthPassLabEx" -x AES -X "PrivPassLabEx" localhost 1.3.6.1.2.1.1.3.0
The output will show the uptime in a "Timeticks" format, which represents hundredths of a second, along with a human-readable format:
iso.3.6.1.2.1.1.3.0 = Timeticks: (48642) 0:08:06.42
Finally, you can query multiple OIDs in a single command by listing them at the end. Let's retrieve both the system description and contact information together using their numeric OIDs.
Why Use Numeric OIDs? In some environments, symbolic names like sysDescr.0 may not be recognized because:
- MIB files are not loaded or installed
- The SNMP client configuration doesn't include the necessary MIB definitions
- Using numeric OIDs ensures compatibility across different systems
Execute this command to query multiple OIDs simultaneously:
snmpget -v 3 -l authPriv -u labexuser -a SHA -A "AuthPassLabEx" -x AES -X "PrivPassLabEx" localhost 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.4.0
This will return both values in a single response:
iso.3.6.1.2.1.1.1.0 = STRING: "Linux iZrj9ixg5sv0oem6yeu6aqZ 5.15.0-56-generic ..."
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
By successfully querying these specific OIDs, you have demonstrated the core capability of SNMP for secure network monitoring. You can now retrieve precise operational data from your devices in a secure, authenticated, and encrypted manner.
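As an added example (not the lab's or net-snmp's own code), the script below wraps the snmpget call from this step so that the passphrases are read from the environment instead of being typed on the command line, where other local users can see them in process listings and where they stay in shell history, and it parses the responses: numeric system-group OIDs are mapped back to their MIB-II names, STRING values are unquoted, and a Timeticks value (hundredths of a second) is converted to seconds. The function names, the SNMP_AUTH_PASS and SNMP_PRIV_PASS variables and the sample response lines are this script's own constructions; the -On option that makes snmpget print OIDs numerically is a real net-snmp option.

```shell
#!/usr/bin/env bash
# Added example (not from the LabEx lab or net-snmp): query the labexuser
# SNMPv3 agent and parse the answers. Names below are this script's own.

# Run snmpget with the lab's SNMPv3 parameters. The passphrases come from
# SNMP_AUTH_PASS / SNMP_PRIV_PASS rather than the command line.
#   $1 target host, remaining args: OIDs to fetch
snmpv3_get() {
    local host=$1; shift
    : "${SNMP_AUTH_PASS:?set SNMP_AUTH_PASS}" "${SNMP_PRIV_PASS:?set SNMP_PRIV_PASS}"
    snmpget -v 3 -l authPriv -u labexuser -a SHA -A "$SNMP_AUTH_PASS" \
            -x AES -X "$SNMP_PRIV_PASS" -On "$host" "$@"
}

# "iso.3.6.1.2.1.1.3.0" and ".1.3.6.1.2.1.1.3.0" both become "1.3.6.1.2.1.1.3.0".
normalize_oid() {
    printf '%s\n' "$1" | sed -e 's/^iso\./1./' -e 's/^\.//'
}

# Map the system-group scalars to their MIB-II names; anything else is
# printed back as the normalized numeric OID.
sys_oid_name() {
    case $(normalize_oid "$1") in
        1.3.6.1.2.1.1.1.0) echo sysDescr.0 ;;
        1.3.6.1.2.1.1.3.0) echo sysUpTime.0 ;;
        1.3.6.1.2.1.1.4.0) echo sysContact.0 ;;
        1.3.6.1.2.1.1.5.0) echo sysName.0 ;;
        1.3.6.1.2.1.1.6.0) echo sysLocation.0 ;;
        *) normalize_oid "$1" ;;
    esac
}

# Convert a Timeticks value (hundredths of a second) to seconds.
#   $1 e.g. "(48642) 0:08:06.42"  ->  "486.42"; returns 1 if no tick count
timeticks_to_seconds() {
    local ticks
    ticks=$(printf '%s\n' "$1" | sed -n 's/^(\([0-9]*\)).*/\1/p')
    [ -n "$ticks" ] || return 1
    printf '%d.%02d\n' $((ticks / 100)) $((ticks % 100))
}

# Split one response line "OID = TYPE: VALUE" into name<TAB>type<TAB>value.
parse_response_line() {
    local line=$1 oid rest type value
    oid=${line%% = *}
    rest=${line#* = }
    type=${rest%%:*}
    value=${rest#*: }
    case $type in
        STRING)    value=${value#\"}; value=${value%\"} ;;
        Timeticks) value=$(timeticks_to_seconds "$value") || return 1 ;;
    esac
    printf '%s\t%s\t%s\n' "$(sys_oid_name "$oid")" "$type" "$value"
}

parse_response() {
    local line
    while IFS= read -r line; do
        parse_response_line "$line"
    done
}

# Constructed sample output in the form the lab shows (not captured from a
# live agent); used when the script is run without arguments.
SAMPLE_RESPONSE='iso.3.6.1.2.1.1.1.0 = STRING: "Linux labex-vm 5.15.0-56-generic"
iso.3.6.1.2.1.1.3.0 = Timeticks: (48642) 0:08:06.42
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"'

# Usage: SNMP_AUTH_PASS=... SNMP_PRIV_PASS=... ./snmp-query.sh localhost 1.3.6.1.2.1.1.3.0
if [ "$#" -gt 0 ]; then
    snmpv3_get "$@" | parse_response
else
    printf '%s\n' "$SAMPLE_RESPONSE" | parse_response
fi
```

For repeated use, net-snmp can also take the SNMPv3 settings from a client-side snmp.conf (directives such as defSecurityName, defAuthType, defAuthPassphrase, defPrivType and defPrivPassphrase); a file with restrictive permissions keeps the passphrases out of both the command line and the environment.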
Summary
In this lab, you learned how to implement secure network monitoring on a Linux system using SNMPv3. You started by installing the core components, including the SNMP agent (snmpd) and the client tools (snmp), after updating the system's package repository. The primary focus was on security, which you configured by creating a new SNMPv3 user in the snmpd.conf file, complete with strong authentication and privacy (encryption) protocols to protect data in transit.
After setting up the secure user, you restarted the snmpd service to apply the new configuration and verified that it was running correctly. You then used SNMP client tools to perform secure queries against the agent, authenticating with the credentials of the SNMPv3 user you created. You practiced using snmpwalk to traverse entire MIB tree branches and snmpget to retrieve specific Object Identifiers (OIDs). This demonstrated how to securely monitor system information such as system description, uptime, and contact details using both comprehensive tree walks and precise individual queries.