Enabling SNMPv3 on a Raspberry Pi

1 Comment / server / By / 2021-12-07
snmpv3 rpi

I know the title says SNMPv3 on Raspberry Pi, but this should also work on any Linux distro.

I have been lazy for the past couple of weeks to get my servers added to my LibreNMS. Yesterday, my PiVPN broke, so I was forced to fix it. So instead of fixing my PiVPN, I installed WireGuard.

Why use SNMPv3 instead of SNMP v2c? Because it is more secure than v2c. I am not security guy, but what I know is SNMP v3 was created to address any security concerns about v2c.

Install the necessary software to get this started

sudo apt install -y snmpd snmp libsnmp-dev

Stop the SNMP daemon

sudo systemctl stop snmpd

Create the SNMPv3 user

Replace the following

  • AuthPassword with your own auth password
  • EncryptionPassword with your own encryption password
  • AuthAlgorithm with your own auth algorithm
  • CrytoAlgorithm with your own auth algorithm
  • AuthUserName with your own auth user name
note_rectangle

If any of your password contains the exclamation point (!), the system would not accept this. To get around this, wrap your password with a single quotation marks (‘)

sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X EncryptionPassword -a AuthAlgorithm -x CrytoAlgorithm AuthUserName

If everything is correct, you should get something similar to this; otherwise, you will get an error.

adding the following line to /var/lib/snmp/snmpd.conf:
   createUser AuthUserName SHA "AuthPassword" AES EncryptionPassword
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser AuthUserName

Edit the file /etc/snmp/snmpd.conf and change the following :

  • sysLocation
  • sysContact
sysLocation    Home
sysContact     NetworkShinobi

Allow SNMP on a specific interface to accept the incoming request. If you want to allow SNMP on all interfaces, commented it out this line agentAddress udp:127.0.0.1:161. Also, uncomment the agentAddress udp:161,udp6:[::1]:161. In my case, I just enabled the only eth0 by entering eth0 IP address as shown below.

#agentAddress  udp:127.0.0.1:161
agentAddress  udp:10.0.9.11:161 # 10.0.9.11 is my raspberry pi eth0
#agentAddress udp:161,udp6:[::1]:161

Disable v2c by commenting out the following lines

#rocommunity public  default    -V systemonly
#rocommunity6 public  default    -V systemonly

Start SNMP daemon again

sudo systemctl start snmpd

This is pretty much it. In regards to getting SNMPv3 up and running. You can test the make sure it is working by using snmpwalk

# SNMPv3
snmpwalk -v3 -a SHA -A AuthPassword -X EncryptionPassword -l authNoPriv -u AuthUserName 10.0.9.11

Make sure that SNMP v1 and v2c are not working

snmpwalk -v 2c -c public 10.0.9.11
snmpwalk -v 1 -c public 10.0.9.11

If the snmpwalk failed and got an error message as shown below.

Error in packet.
Reason: authorizationError (access denied to that object)

You may need to add the following line to the bottom of the /etc/snmp/snmpd.conf.

rouser <snmp-user> priv .1

Cheers!

Subscribe
Notify of
guest

1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Brian
Brian
2 years ago

Works fine, Thanks a lot Karlo

1
Reply
1
0
Would love your thoughts, please comment.x
()
x