Securing SNMP

"Security By Thy Name" by cogdogblog is licensed under CC BY 2.0
The Simple Network Management Protocol (SNMP) has been around since 1988. While initially intended as an interim protocol as the internet was first rolled out, it quickly became a de facto standard for monitoring—and in some cases, managing—network equipment. Today, SNMP is used across most networks, small and large, to monitor the very equipment you probably passed through to get to this article.
There are three primary flavors of SNMP: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 is still by far the most widely deployed flavor, even though it is considered obsolete: it has no discernible security at all. That is likely because of SNMPv1's simplicity, and because it is usually used inside the network rather than exposed to the outside world.
The problem is that SNMPv1 and SNMPv2c are unencrypted: everything, including the community string used to "authenticate," is sent in the clear. An attacker who can listen on the wire simply reads the community as it passes by. That gives the attacker access to valuable information about your devices, and the ability to change their configuration if write access is enabled.
But wait, you may be thinking, what about SNMPv3? You're right: SNMPv3 can be made genuinely secure, with per-user authentication and, in its authPriv mode, encryption of the payload. However, not all devices support SNMPv3, so interoperability becomes an issue. At some point you have to drop down to SNMPv2c or SNMPv1, and then you're back to the "in the clear" problem.
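To make the "in the clear" point concrete, here is an added example (my own code, not part of the original article or the net-snmp project). It builds an SNMPv2c GetRequest with a minimal BER encoder, which is the same byte layout snmpget puts on the wire, and then parses the raw bytes back the way a passive sniffer would, recovering the version, community string, PDU type and requested OIDs without any key. The packets are constructed in the script, not captured; the community and OIDs are the article's, the request id is an arbitrary assumption.

```python
"""Decode the header of an SNMPv1/v2c packet the way a passive sniffer would.

Added example, not code from the article. Packets below are constructed here.
"""

VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


# --- minimal BER encoder (enough for a v1/v2c request) ---------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def enc_int(value):
    # Non-negative INTEGER; the extra byte keeps the sign bit clear.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_request(version, community, oids, pdu_tag=0xA0, request_id=1234):
    """SNMP message = SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + b"\x05\x00") for o in oids)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(version) + tlv(0x04, community.encode()) + pdu)


# --- decoder: what anyone on the path can read -----------------------------
def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, raw_version, pos = read_tlv(msg, 0)
    version = int.from_bytes(raw_version, "big")
    if version == 3:
        # v3 carries msgGlobalData here instead of a community; with authPriv
        # the PDU is encrypted, so there is nothing cheap to harvest.
        return {"version": "SNMPv3", "community": None, "pdu": None, "oids": []}
    _, raw_community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, _, p = read_tlv(pdu, 0)   # request-id
    _, _, p = read_tlv(pdu, p)   # error-status
    _, _, p = read_tlv(pdu, p)   # error-index
    _, varbind_list, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbind_list):
        _, varbind, q = read_tlv(varbind_list, q)
        _, raw_oid, _ = read_tlv(varbind, 0)
        oids.append(decode_oid(raw_oid))
    return {"version": VERSIONS.get(version, f"v{version}"),
            "community": raw_community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}"),
            "oids": oids}


if __name__ == "__main__":
    # Constructed traffic: a read of hrSystemUptime.0 and a v1 write attempt.
    for pkt in (build_request(1, "mysecretcommunity", ["1.3.6.1.2.1.25.1.1.0"]),
                build_request(0, "private", ["1.3.6.1.2.1.1.6.0"], pdu_tag=0xA3)):
        print(parse_snmp(pkt))
```

To run this against real traffic, take the UDP payloads out of a capture (for example one made with tcpdump -s0 udp port 161 -w snmp.pcap) and hand each one to parse_snmp; the community string comes back as plain text in every v1 and v2c packet, request and reply alike.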
Despite these shortcomings, SNMP can still be used without compromising the security of your server or network. Most of that safety comes from limiting SNMP to read-only access and using tools such as iptables to limit where incoming SNMP requests can come from. The two measures go together: SNMP runs over UDP, so a source address can be spoofed, and a spoofed set request still takes effect even though the reply goes to the spoofed host. Source filtering keeps casual pollers out; read-only access is what keeps a spoofer from changing anything.
To keep things simple, I’ll only look at SNMPv1 and SNMPv2c in this article. SNMPv3 requires additional setup and, in my opinion, it isn’t worth the hassle.
Get started by installing and configuring SNMP. First things first: install the net-snmp package, along with net-snmp-utils, which provides the snmpget and snmpwalk client tools used later in this article. Use whatever package manager your system has; on the Red Hat-based systems I use, that tool is yum:
$ sudo yum install net-snmp net-snmp-utils
Next, configure the SNMP daemon, snmpd. Its configuration file is /etc/snmp/snmpd.conf. Open this file in your favorite editor (vim FTW) and modify it accordingly. For example, the following configuration enables the agent, exposes a handful of MIB subtrees read-only to SNMPv1 and SNMPv2c clients, and enables disk-space monitoring:
################################################################################
# AGENT BEHAVIOUR
agentaddress udp:0.0.0.0:161
################################################################################
# ACCESS CONTROL
# ------------------------------------------------------------------------------
# Traditional Access Control
# ------------------------------------------------------------------------------
# VACM Configuration
# sec.name source community
# "default" accepts this community from any source address; the iptables
# rules below are what keeps strangers out. To restrict it here as well,
# replace "default" with the poller's address, e.g. 192.0.2.10/32.
com2sec notConfigUser default mysecretcommunity
# groupName securityModel securityName
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
# name incl/excl subtree mask(optional)
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.2.2
view systemview included .1.3.6.1.2.1.25
view systemview included .1.3.6.1.4.1.2021
view systemview included .1.3.6.1.4.1.8072.1.3.2.4.1.2
# group context sec.model sec.level prefix read write notif
access notConfigGroup "" any noauth exact systemview none none
# ------------------------------------------------------------------------------
# Typed-View Configuration
################################################################################
# SYSTEM INFORMATION
# ------------------------------------------------------------------------------
# System Group
sysLocation The Internet
sysContact Internet Janitor
sysServices 72
sysName myserver.example.com
################################################################################
# EXTENDING AGENT FUNCTIONALITY
###############################################################################
## Logging
##
## Setting dontLogTCPWrappersConnects to 'no' makes snmpd log each incoming
## "Connection from UDP: ..." message to syslog. That is noisy, but it is also
## a cheap way to notice a poller you did not expect. Set it to 'yes' to
## silence those messages.
dontLogTCPWrappersConnects no
################################################################################
# OTHER CONFIGURATION
disk / 10%
disk /var 10%
disk /tmp 10%
disk /home 10%
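The access-control block above is where the security decisions live, so here is an added example (my own code, not from the article or the net-snmp project) that audits an snmpd.conf for the settings this article warns about: an agent bound to every interface, a community accepted from any source, the well-known default community names, and any write access, whether granted through rwcommunity or through a non-"none" write view in an access line. The two configurations embedded in it are constructed for the script: the first mirrors the article's access-control lines plus one deliberately bad rwcommunity line, and the second is a hardened variant that assumes 198.51.100.5 as the server's management address and 192.0.2.10/32 as the poller (both documentation addresses, not values from the article).

```python
"""Audit an snmpd.conf for the weak settings discussed in the article.

Added example, not code from the article or net-snmp. Configs are constructed.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_directives(text):
    """Yield (directive, args) for each non-comment line of an snmpd.conf."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name.lower(), args


def check_community(directive, community, findings):
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append(("WEAK_COMMUNITY",
                         f"{directive}: community '{community}' is a well-known default"))


def audit_snmpd_conf(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    for directive, args in parse_directives(text):
        if directive == "agentaddress":
            for spec in ",".join(args).split(","):
                # "udp:161", a bare port, or an explicit 0.0.0.0 / [::] all
                # mean "listen on every interface".
                if re.fullmatch(r"(udp|tcp)?:?\d+", spec) or "0.0.0.0" in spec or "[::]" in spec:
                    findings.append(("ALL_INTERFACES",
                                     f"agentaddress {spec}: bind the agent to the management IP"))
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:          # optional context name prefix
                args = args[2:]
            if len(args) >= 3:
                secname, source, community = args[:3]
                if source == "default":
                    findings.append(("ANY_SOURCE",
                                     f"com2sec {secname}: 'default' accepts the community from any address"))
                check_community(directive, community, findings)
        elif directive in ("rocommunity", "rwcommunity") and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if source == "default":
                findings.append(("ANY_SOURCE", f"{directive} {community}: no source restriction"))
            check_community(directive, community, findings)
            if directive == "rwcommunity":
                findings.append(("WRITE_ACCESS", f"rwcommunity {community}: grants SET access"))
        elif directive == "access" and len(args) >= 7:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            group, write_view = args[0], args[6]
            if write_view != "none":
                findings.append(("WRITE_ACCESS",
                                 f"access {group}: write view '{write_view}' grants SET access"))
    return findings


# Constructed: the article's access-control lines plus one deliberately bad
# rwcommunity line so the write-access finding is visible.
ARTICLE_STYLE_CONF = """
agentaddress udp:0.0.0.0:161
com2sec notConfigUser default mysecretcommunity
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
access notConfigGroup "" any noauth exact systemview none none
rwcommunity private 10.0.0.0/8
"""

# Constructed hardened variant: bound to one address, one poller, read-only.
# 198.51.100.5 and 192.0.2.10 are assumed documentation addresses.
HARDENED_CONF = """
agentaddress udp:198.51.100.5:161
com2sec monitor 192.0.2.10/32 mysecretcommunity
group monitorGroup v2c monitor
view systemview included .1.3.6.1.2.1.1
access monitorGroup "" any noauth exact systemview none none
"""

if __name__ == "__main__":
    for name, conf in (("article-style", ARTICLE_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}")
        for code, msg in audit_snmpd_conf(conf) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against your own file with audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read()). The point of the hardened variant is that source restriction, binding and read-only access are all expressed in snmpd.conf itself, so the daemon stays safe even if someone later flushes the iptables rules.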
Before you start snmpd, configure iptables to allow SNMP traffic from trusted sources only. SNMP uses UDP port 161, so a single inbound rule keyed on the poller's address is all you need. Because UDP has no connection handshake, also add an outbound rule for the replies, unless your OUTPUT chain already accepts ESTABLISHED,RELATED traffic via conntrack:
$ iptables -A INPUT -s <ip addr> -p udp -m udp --dport 161 -j ACCEPT
$ iptables -A OUTPUT -p udp -m udp --sport 161 -j ACCEPT
You can set this up in firewalld as well.
Now that SNMP is set up, point an SNMP client at your server and pull data by MIB object name (if you have the MIB definitions installed) or by Object Identifier (OID). The net-snmp client tools default to SNMPv3, so pass -v 2c explicitly:
$ snmpget -v 2c -c mysecretcommunity myserver.example.com hrSystemUptime.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (6638000) 18:26:20.00
$ snmpget -v 2c -c mysecretcommunity myserver.example.com .1.3.6.1.2.1.25.1.1.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (6638000) 18:26:20.00
And that’s about it. It’s called the Simple Network Management Protocol for a reason, after all.
One additional side note about SNMP. While SNMP is pretty solid, the security shortcomings are significant. I recommend looking at other solutions such as agent-based systems instead. Tools like Nagios and Prometheus have more secure mechanisms for monitoring systems.

Jason Frisvold
Jason is a 25+ year veteran of Network and Systems Engineering. He spent the first 20 years of his career slaying the fabled lag beast and ensuring the passage of the all important bits. For the past 5 years he has transitioned into the DevOps world, doing the same thing he used to, but now wit