
A Comprehensive Guide to SNMP on Rocky Linux 8/9
Effective network monitoring is the cornerstone of a stable and secure IT infrastructure. For system administrators, the ability to query devices for performance metrics, system health, and operational status is non-negotiable. The Simple Network Management Protocol (SNMP) is a powerful, industry-standard protocol designed for precisely this purpose.
This guide provides a detailed walkthrough on how to install, configure, and secure the SNMP agent on Rocky Linux 8 and Rocky Linux 9, empowering you to integrate your servers into a centralized monitoring solution.
What is SNMP?
SNMP allows a central Network Management Station (NMS), or a monitoring server, to request information from an SNMP agent running on a network device like a server, router, or switch. The agent gathers local data—such as CPU load, memory usage, network traffic, and disk space—and presents it in a standardized format.
There are three primary versions of SNMP, with significant differences in security:
- SNMPv1/v2c: These versions rely on a simple plaintext “community string” that acts like a password. They are easy to set up but are inherently insecure, as the community string is transmitted in clear text.
- SNMPv3: This is the modern, secure standard. It provides robust security features, including authentication to verify the sender’s identity and encryption to protect the data in transit.
Whenever possible, you should use SNMPv3 for its superior security features. We will cover the configuration for both SNMPv2c (for legacy systems) and SNMPv3.
Step 1: Install the SNMP Packages
First, you need to install the SNMP agent (daemon) and related utilities. The agent is called net-snmp, and the utilities package, net-snmp-utils, provides helpful command-line tools like snmpwalk for testing.
Open your terminal and run the following command with sudo privileges:
sudo dnf install net-snmp net-snmp-utils -y
This command will download and install all the necessary packages on your Rocky Linux system.
Step 2: Configure the SNMP Agent
The main configuration file for the SNMP agent is located at /etc/snmp/snmpd.conf. Before making changes, it’s always a good practice to create a backup of the original file.
sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
Now, open the configuration file with your preferred text editor, such as nano or vim:
sudo nano /etc/snmp/snmpd.conf
You can clear the default contents of the file to start fresh. We will provide two separate configurations below: the simple (but insecure) SNMPv2c and the recommended, secure SNMPv3.
Option A: Configuring SNMPv2c (Community String Method)
This method is suitable for isolated, trusted networks or for compatibility with older monitoring systems.
For read-only access, which is sufficient for most monitoring tasks, add the following lines to your /etc/snmp/snmpd.conf file. Replace YourCommunityString with a strong, unique secret.
# --- SNMPv2c Read-Only Configuration ---
# 1. Define the community string and the source IP allowed to use it.
# Format: com2sec [securityName] [source] [community]
# 'default' allows any source IP. For better security, replace 'default' with the IP of your monitoring server (e.g., 192.168.1.100).
com2sec readOnlyUser default YourCommunityString
# 2. Create a group and map the security name to it.
# Format: group [groupName] [securityModel] [securityName]
group readOnlyGroup v2c readOnlyUser
# 3. Define a "view" to control which parts of the MIB tree are accessible.
# '.1' means the entire MIB tree.
view all included .1
# 4. Grant the group access to the defined view.
# Format: access [groupName] [context] [securityModel] [securityLevel] [prefix] [read] [write] [notify]
access readOnlyGroup "" any noauth exact all none none
Key Points:
- com2sec: Maps a community string from a specific source to a security name. Using ‘default’ for the source is convenient but less secure. For production, specify the IP address of your NMS.
- group: Maps the security name into an access group.
- view: Defines what information the group can see. all is a common name for a view that includes the entire information tree (.1).
- access: Ties the group to the view, granting it specific permissions (in this case, read-only access to the all view).
Option B: Configuring SNMPv3 (The Secure Method)
SNMPv3 uses a username, an authentication password, and an encryption (privacy) password, offering a much higher level of security. The easiest way to create a user is with a helper utility.
Run the following command to create a new SNMPv3 user. The system will prompt you to enter and confirm the passwords.
sudo net-snmp-create-v3-user -ro -A YourAuthPassword -X YourPrivPassword -a SHA -x AES snmp_user
- -ro: Creates a read-only user.
- -A YourAuthPassword: Sets the authentication password.
- -X YourPrivPassword: Sets the privacy (encryption) password.
- -a SHA: Specifies SHA as the authentication protocol.
- -x AES: Specifies AES as the encryption protocol.
- snmp_user: This is the username you are creating.
This command automatically adds the necessary configuration lines to your /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf files. You do not need to manually edit the configuration for this user.
Step 3: Configure Firewall Rules
For the monitoring server to communicate with the SNMP agent, you must allow traffic on UDP port 161. Use firewall-cmd to add a permanent rule and reload the firewall.
sudo firewall-cmd --add-port=161/udp --permanent
sudo firewall-cmd --reload
This ensures that SNMP requests are not blocked by the system’s firewall.
Step 4: Start and Enable the SNMP Service
With the configuration in place, you can now start the SNMP agent and enable it to launch automatically on system boot.
sudo systemctl start snmpd
sudo systemctl enable snmpd
To verify that the service is running correctly, check its status:
sudo systemctl status snmpd
You should see an “active (running)” status in the output.
Step 5: Test Your SNMP Configuration
The final step is to test that your configuration is working correctly. You can do this from the server itself using the snmpwalk utility.
Testing SNMPv2c
Use the community string you configured earlier:
snmpwalk -v2c -c YourCommunityString localhost
Testing SNMPv3
Use the username and passwords you created:
snmpwalk -v3 -u snmp_user -l authPriv -a SHA -A 'YourAuthPassword' -x AES -X 'YourPrivPassword' localhost
- -v3: Specifies SNMP version 3.
- -u snmp_user: The username.
- -l authPriv: The security level (authentication and privacy/encryption).
- -a SHA: The authentication protocol.
- -A 'YourAuthPassword': The authentication password.
- -x AES: The privacy protocol.
- -X 'YourPrivPassword': The privacy password.
In both cases, a successful test will result in a long list of system information (MIBs and their values) being printed to your screen. If you get a timeout error, double-check your configuration, firewall rules, and service status.
Security Best Practices
- Always prefer SNMPv3 over v2c. The authentication and encryption it provides are essential for protecting sensitive system data.
- If you must use SNMPv2c, use a long, complex, and unique community string. Avoid common strings like “public” or “private”.
- Restrict SNMP access via the firewall. Only allow connections from the specific IP addresses of your trusted monitoring servers.
- Implement read-only access unless read-write functionality is absolutely required. This minimizes the risk of unauthorized configuration changes.
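The following script, added here as an example and not part of the original guide, checks an snmpd.conf for the weak choices discussed in Option A and in this list: a com2sec source of default, the well-known public/private communities, an rwcommunity line, or an access line whose write view is not none. It runs against two constructed sample files; the NMS address 192.168.1.100 in the hardened variant is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an snmpd.conf for the weak
# settings the guide warns about (any-source 'default', the well-known
# "public"/"private" communities, and write access). Directive formats:
#   com2sec NAME SOURCE COMMUNITY
#   access  GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
# Prints one "WEAK:" line per finding.
audit_snmpd_conf() {
    # Strip comments and blank lines, then split each directive into words.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r line; do
        set -f; set -- $line; set +f      # no globbing during word splitting
        case "$1" in
        com2sec)
            if [ "$3" = "default" ]; then
                echo "WEAK: com2sec '$2' accepts requests from any source IP"
            fi
            case "$4" in
            public|private) echo "WEAK: com2sec '$2' uses well-known community '$4'" ;;
            esac ;;
        rwcommunity)
            echo "WEAK: rwcommunity '$2' grants read-write access" ;;
        access)
            if [ "$8" != "none" ]; then
                echo "WEAK: access for group '$2' grants write view '$8'"
            fi ;;
        esac
    done
}
# Exit status 0 only when the audit reports nothing.
snmpd_conf_is_hardened() {
    [ "$(( $(audit_snmpd_conf "$1" | wc -l) ))" -eq 0 ]
}
# Constructed samples: the guide's Option A stanza with a weak community and
# any-source access, and the same stanza pinned to an assumed NMS address.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
com2sec readOnlyUser default public
group readOnlyGroup v2c readOnlyUser
view all included .1
access readOnlyGroup "" any noauth exact all none none
EOF
sed 's/default public/192.168.1.100 YourCommunityString/' "$tmp/weak.conf" \
    > "$tmp/hardened.conf"
audit_snmpd_conf "$tmp/weak.conf"        # prints two WEAK lines
snmpd_conf_is_hardened "$tmp/hardened.conf" && echo "hardened.conf: no findings"
```

Run it against your real /etc/snmp/snmpd.conf (as a user who can read it) after editing, and again after any change to the monitoring setup.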
Source: https://kifarunix.com/install-and-configure-snmp-on-rocky-linux/