Third-party applications could potentially access data sent over SNMP or replace this data with their own data. To ensure secure data transfer over SNMP, it is recommended to configure encryption of SNMP connections.
To configure SNMP connection encryption:
view systemview included .1
snmpget -v2c -c<community name> 127.0.0.1 SNMP-FRAMEWORK-MIB::snmpEngineID.0 2>/dev/null | sed -ne 's/ //g; s/.*:/0x/p'
Specify the community name that is used in your organization. If necessary, create a new community. For data transfer security purposes, it is not recommended to use the default "public" community.
Prior to running the command, make sure that the snmpd service is running.
systemctl stop snmpd
net-snmp-create-v3-user -ro -a SHA -A <password> -x <password> -X AES <username>
# accept KSMG statistics over unix socket
master agentx
agentXSocket unix:/var/
run/agentx-master.socket
agentXPerms 770 770 kluser klusers
# accept incoming SNMP requests over UDP
agentAddress udp:127.0.0.1:161
rouser <username> priv .1.3.6.1
# comment the following line if you don't need to forward SNMP traps over an SNMPv3 connection
trapsess -e <EngineID> -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:<IP address>:162
For <IP address>
, indicate the IP address that will be used by the snmptrapd service to accept network connections. If you want to save SNMP traps locally on the server, enter 127.0.0.1
.
mibdirs +/opt/kaspersky/ksmg/share/snmp-mibs/
mibs all
If the snmp.conf configuration file does not exist in the specified directory, create it.
systemctl start snmpd
snmpwalk -mALL -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:127.0.0.1:161 .1.3.6.1.4.1.23668
snmpget -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:127.0.0.1:161 KSMG-PRODUCTINFO-STATISTICS::applicationName.0
systemctl stop snmptrapd
createUser -e <EngineID> <username> SHA "<password>" AES "<password>"
If the snmptrapd.conf configuration file does not exist in the specified directory, create it.
The user account credentials (<username>
and <password>
) must be the same for the snmpd and snmptrapd services.
snmpTrapdAddr udp:<IP address>:162
authUser log <username> priv
disableAuthorization no
If the snmptrapd.conf configuration file does not exist in the specified directory, create it.
systemctl start snmptrapd
Make sure that the password that was indicated in plain text in the /var/lib/net-snmp/snmptrapd.conf file has been replaced with an obfuscated sequence of characters. To do so, you may need to restart the snmptrapd service several times by using the systemctl restart snmptrapd
command.
systemctl enable snmptrapd
snmptrap -e <EngineID> -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:<IP address>:162 0 KSMG-EVENTS-MIB::restartedBinary
Make sure that the following string appears in the /var/log/messages file:
<date and time> <hostname> snmptrapd[7503]: <date and time> localhost [UDP: [127.0.0.1]:26325->[<IP address>]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: KSMG-EVENTS-MIB::restartedBinary
For <IP address>
, indicate the IP address that will be used by the snmptrapd service to accept network connections. If you want to save SNMP traps locally on the server, enter 127.0.0.1
.
Encryption of SNMP connections is now configured.
Page top