Home Linux Configure SNMP on Linux Servers Behind NAT Gateways

Configure SNMP on Linux Servers Behind NAT Gateways

by Lakindu Jayasena
8.8K views 15 mins read
Configure SNMP Linux

SNMP protocol is one of the most common protocols used for network management. Usually, it is used to exchange management information between network-connected devices such as routers, switches, servers, printers, and uninterruptible power supplies (UPSs). SNMP is part of the TCP/IP suite which uses UDP port 161/162 port numbers to communicate between managers and agents.

Why do we need SNMP Monitoring Tool?

System administrators generally manage a large number of network-connected devices and it is very hard to get clear visibility of devices’ health and performance by login into each device separately. The SNMP monitoring tools help administrators in the following ways.

  • Automatically discover, monitor, and manage network devices.
  • Monitor the performance statistics at the device itself and interface level.
  • Visualize and keep historic data for complete visibility and granularity into the performance of network devices.
  • Set up threshold limits and trigger alerts in case of anomalies.
  • Helps IT admins get a complete picture of the entire network.

Components of SNMP

  • SNMP Manager – SNMP manager (aka Network Management Station (NMS)) is the central system used to monitor the network and it is responsible for communicating with the SNMP-agent enabled network devices. The manager queries the agents, gets responses, sets variables in them, and acknowledges events from them.
  • SNMP Agent – SNMP agent is an application process that responds to SNMP queries to provide status and statistics about a particular network node. The agent associated with SNMP enabled devices locally and collect, store, and transmit monitoring data to the SNMP manager.
  • SNMP MIB – SNMP MIB (Management Information Base) is a structure that defines the format of information exchange in an SNMP system. Every SNMP agent maintains MIB describing the parameters of the device it manages. SNMP managers store collected data in a MIB as a commonly shared database between the agent and the manager. The managed objects in a MIB are called object identifiers (object IDs or OIDs).
  • SNMP OID – Object Identifiers (OIDs) are identifiable by strings of numbers separated by dots. MIBs organize OIDs hierarchically, which can be represented in a tree structure that has individual variable identifiers for each OID. 

SNMP Versions

SNMP Version 1 (SNMPv1)

SNMPv1 is the initial version of the SNMP protocol. The security of this protocol is based on communities, which are nothing more than passwords. A plain text string (community string) that allows an SNMP-based application that knows the string to gain access to the device information. Typically there are three communities (read-only, read-write & trap) in SNMPv1.

SNMP Version 2 (SNMPv2)

SNMPv2 is a revised version with enhanced protocol packet types, transport mappings, and MIB structure elements and is technically called SNMPv2c. This version also uses the same SNMPv1 security mechanism (community-based).

SNMP Version 3 (SNMPv3)

SNMPv3 made with greater step to securing the protocol suite by implementing user-based security. This security feature allows you to set authentication based on the user requirements. There are 3 levels of authentication methods as follows:

  • NoAuthNoPriv: The user account should have No Authentication and No privacy when they send/receive messages.
  • AuthNoPriv: This requires the user to Authenticate, but will not Encrypt Sent/Received Messages.
  • AuthPriv: Authentication is Required and Sent/Received Messages are Encrypted (the most secure level).

Version 3 of this protocol is the most secure because it added security and encryption, but bit more complex when set up and configurations.

SNMP Community String

The SNMP Community String is like a password that allows access to SNMP-managed devices and is sent along with SNMP GET requests. In most cases, the default community string is public. There are 3 types of community strings.

TypePurpose
Read-only community stringQuery only read-only information (Default: public)
Read-write community stringQuery data as well as edit the device configuration (Default: private)
SNMP trap community stringReceive SNMP traps from the device

Let’s see how to configure the SNMP on typical Linux servers located in normal network and servers behind the NAT gateways.

Install & Configure SNMP Version 2c

Install SNMP on Debian-based Distributions

Enter the following command as root to install SNMP:

apt-get update
apt-get install snmp snmpd libsnmp-dev

Since SNMP doesn’t ship with a full set of management information bases (MIBs), you have to install it manually.

apt-get install snmp-mibs-downloader
download-mibs

Configuring SNMP on Debian-based Distributions

Loading of MIBs is disabled by default. If you added the MIBs you can reenable loading them by commenting out the “mibs :” line from /etc/snmp/snmp.conf file.

Enable SNMP MIB Loading

By default in SNMP default configuration, allows only connections originating from the local computer. We need to comment out the current line, and uncomment the line underneath to allow all connections.

Edit /etc/snmp/snmpd.conf as follows:

# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161

# A read only community 'MyComString' and the source network where the management server locate.
rocommunity MyComString 172.17.1.0/16

# You can add the physical location of your server located and a contact email address if required. These may be helpful for distinguishing machines if you are monitoring a large number servers.

sysLocation AWS_DC
sysContact [email protected]

Allowing SNMP ports in Firewall (If Firewall Enabled)

Include your SNMP manager’s IP (NMS IP) address as a from.

ufw allow from 192.168.1.3 to any port 161 proto udp
ufw allow from 192.168.1.3 to any port 162 proto udp

Install SNMP on RedHat-based Distributions

yum update
yum -y install net-snmp net-snmp-utils

Configuring SNMP on RedHat-based Distributions

Set the community string and allow access from the NMS server.

echo -e "# SNMP version 2c community\nrocommunity RHELComStr 3.85.38.156" >> /etc/snmp/snmpd.conf

In the RedHat based distributions default SNMP configuration is allow SNMP traffic from any interface. If required, allow SNMP traffic only from specific interface or loopback interface, you have to edit the snmpd start up script /lib/systemd/system/snmpd.service file “ExecStart” line as follows.

[Unit]
Description=Simple Network Management Protocol (SNMP) Daemon.
After=syslog.target network.target

[Service]
Type=notify
Environment=OPTIONS="-LS0-6d"
EnvironmentFile=-/etc/sysconfig/snmpd
ExecStart=/usr/sbin/snmpd $OPTIONS -f udp:127.0.0.1:161 udp:172.31.91.197:161
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Allowing SNMP ports in Firewall (If Firewall Enabled)

Execute the following commands to allow necessary ports:

firewall-cmd --zone=public --add-port=161/udp --permanent
firewall-cmd --zone=public --add-port=162/udp --permanent
firewall-cmd --reload

Configure SNMP Version 3

SNMP v3 needs additional attributes like a username, permission, security level, authentication, and privacy passphrases to allow access. Therefore, you need to create a user for authentication. Once the user is created it automatically added to the configuration files /etc/snmp/snmpd.conf.

Create SNMP v3 Authentication User

Create a read-only authentication user using the net-snmp-create-v3-user command.

#You must stop snmpd in order to use following command.
systemctl stop snmpd.service

# Command Syntax
net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

# Actual command
net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin
SNMPv3 User Creation

Create SNMP v3 Authentication User

Create a read-only authentication user using the net-snmp-create-v3-user command.

#You must stop snmpd in order to use following command.
systemctl stop snmpd.service

# Command Syntax
net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

# Actual command
net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin
SNMPv3 User Creation RHEL

After you are done with your modifications, save the file, exit and restart the snmpd service.

systemctl restart snmpd

# Configure the snmpd service to start on system startup
systemctl enable snmpd

Test the SNMP Configuration

Note: You may have to change your Linux host’s firewall rules to permit SNMP (UDP 161/162) packet flow between your NMS and Linux host.

Test your snmpd configuration by invoking a snmpwalk on the SNMP-Agent instance IP: 

snmpwalk -v2c -c MyComString 192.168.100.106

You should see verbose output like that shown below.

Verify SNMPv2c Query

Verify SNMP v3 Connection

#From localhost
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin localhost | head

#From Remote Host IP
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin 192.168.100.106 | head
Verify SNMPv3 Query

Test your snmpd configuration by invoking a snmpwalk on the SNMP-Agent instance IP: 

snmpwalk -v2c -c RHELComStr 3.86.240.68

You should see verbose output like that shown below.

Verify SNMPv2c Query RHEL

Verify SNMP v3 Connection

#From Remote Host
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin 3.86.240.68 | head
Verify SNMPv3 Query RHEL

Great!!! You should now have successfully set up SNMP v2c or SNMP v3 on Linux servers. You can now configure your monitoring server for polling from Linux servers which provide you with rich statistics and performance monitoring. You can refer to my previous post “LibreNMS Monitoring” to monitor your all SNMP-enabled Linux servers.

Access SNMP Enabled Devices Behind NAT Gateways

Sometimes you need to monitor SNMP-enabled devices that are not reachable directly from your monitoring server. Normally this happens if SNMP agents are located in a network with a private network behind a NAT device or a firewall. Therefore, you need the proxy function (SNMPD Proxy) that will use the reachable SNMPD to proxy requests to the unreachable SNMPD.

In my case, I have an AWS private network with some production servers, and a network management station (LibreNMS) is having internet-faced public IP with restrictions to the AWS network. So my management system locates on-premises and cannot communicate directly with these devices since all production servers are located inside a private network behind NAT gateways. That is when I found out about the SNMP proxy. I can use it for accessing devices behind a firewall or NAT.

SNMP Proxy Setup on AWS

Let’s assume we want to poll “Production Servers” via “SNMP Proxy”. Here is an example configuration you have to configure inside “SNMP Proxy“:

agentAddress udp:161,udp6:[::1]:161

#SNMP Proxy Configuration
com2sec -Cn ProdServer1 notConfigUser 3.85.38.156 ProdServer1-CS-Proxy

group   MyROGroup       v2c           notConfigUser
view    all          included      .1
access  MyROGroup       ProdServer1        v2c     noauth exact  all  none  none

proxy -Cn ProdServer1 -v 2c -c ProdServer-CS 172.31.28.252 .1.3
SNMP Proxy Configuration

All Production servers Configuration:

agentAddress udp:161,udp6:[::1]:161
rocommunity ProdServer-CS 172.31.94.196/32

Verify the SNMP query working from SNMP Proxy –> ProdServer1

Check SNMP from SNMP-Proxy to ProdServer1

You can now poll community “ProdServer-CS” on “ProdServer1” via community “ProdServer1-CS-Proxy” on host “SNMP Proxy”. Please note that requests on “ProdServers” will be coming from “SNMP Proxy”, not your poller (NMS).

snmpwalk -v 2c -c ProdServer1-CS-Proxy 3.92.62.21
Verify SNMP Proxy Configuration from NMS

Useful Linux OIDs for CPU, Memory, and Disk Statistics

#CPU Statistics OIDs
#===================

#Load
1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

#CPU
percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

#Memory Statistics OIDs
#======================

Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

#Disk Statistics OIDs
#====================

The snmpd.conf needs to be edited. Add the following (assuming a machine with a single ‘/' partition):

disk / 100000 
(or)
includeAllDisks 10% for all partitions and disks

#The OIDs are as follows

Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partion (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

#Network Interface Statistics OIDs
#==================================

List NIC names: .1.3.6.1.2.1.2.2.1.2
Get Bytes IN: .1.3.6.1.2.1.2.2.1.10
Get Bytes IN for NIC 4: .1.3.6.1.2.1.2.2.1.10.4
Get Bytes OUT: .1.3.6.1.2.1.2.2.1.16
Get Bytes OUT for NIC 4: .1.3.6.1.2.1.2.2.1.16.4

Related Articles

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.