Configuring encryption of SNMP connections

Third-party programs can read data sent over SNMP or replace that data with their own. To ensure secure communication over SNMP, we recommend configuring encryption of SNMP connections.

Prior to configuration, make sure that the snmpd and snmptrapd services are installed on all servers that have Kaspersky Web Traffic Security installed.

To configure encryption of SNMP connections:

  1. Obtain the EngineID, which is needed to process SNMP traps. To do so, run the following command on the Master server:

    snmpget -v2c -cpublic localhost SNMP-FRAMEWORK-MIB::snmpEngineID.0 2>/dev/null | sed -ne 's/ //g; s/.*:/0x/p'

  2. Configure the snmpd service on each server. To do so:
    1. Stop the snmpd service. To do so, execute the command:

      service snmpd stop

    2. Depending on the operating system, add the line createUser kwts-snmp-user SHA "<password>" AES "<password>" to the following configuration file:
      • Ubuntu or Debian.

        /var/lib/snmpd/snmpd.conf

      • CentOS, SUSE Linux Enterprise Server or Red Hat Enterprise Linux.

        /var/lib/net-snmp/snmpd.conf

      If a configuration file does not exist in the specified directory, create it.

    3. Create the /etc/snmp/snmpd.conf configuration file with the following content:
      • If a Unix socket is used to receive requests over the SNMP protocol:

        master agentx

        AgentXSocket udp:localhost:705,tcp:localhost:705,unix:/var/run/agentx-master.socket

        agentXPerms 770 770 kluser klusers

        agentAddress udp:161,tcp:161

        rouser kwts-snmp-user authnopriv .1.3.6.1

        com2sec notConfigUser default public

        group notConfigGroup v1 notConfigUser

        group notConfigGroup v2c notConfigUser

        view systemview included .1

        access notConfigGroup "" any noauth exact systemview none none

        dontLogTCPWrappersConnects yes

        trapsink localhost

        trap2sink localhost

        # comment out the following line if you do not need SNMP trap forwarding over an SNMPv3 connection

        trapsess -e <EngineID> -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:162

      • If a TCP or UDP socket is used to receive requests over the SNMP protocol:

        syslocation Server Room

        syscontact Sysadmin (root@localhost)

        rocommunity public 127.0.0.1

        master agentx

        AgentXSocket tcp:127.0.0.1:705

        rocommunity public 0.0.0.0 .1

        trap2sink localhost

        view systemview included .1

        # comment out the following line if you do not need SNMP trap forwarding over an SNMPv3 connection

        trapsess -e <EngineID> -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:162

    4. Add the following lines to the /etc/snmp/snmp.conf configuration file:

      mibdirs +/opt/kaspersky/kwts-control/share/snmp-mibs/

      mibs all

    5. Start the snmpd service. To do so, execute the command:

      service snmpd start

    6. Check the SNMP connection. To do so, run the following commands:

      snmpwalk -mALL -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:161 .1.3.6.1.4.1.23668

      snmpget -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:161 .1.3.6.1.4.1.23668.2022.2.8.1.0

  3. Configure the snmptrapd service on the server where you want to receive SNMP traps. To do so:
    1. Stop the snmptrapd service. To do so, execute the command:

      service snmptrapd stop

    2. Depending on the operating system, add the line createUser -e <EngineID> kwts-snmp-user SHA "<password>" AES "<password>" to the following configuration file:
      • Ubuntu or Debian.

        /var/lib/snmpd/snmptrapd.conf

      • CentOS, SUSE Linux Enterprise Server or Red Hat Enterprise Linux.

        /var/lib/net-snmp/snmptrapd.conf

      If a configuration file does not exist in the specified directory, create it.

    3. Create the /etc/snmp/snmptrapd.conf configuration file with the following content:

      snmpTrapdAddr udp:<IP-address>:162,tcp:127.0.0.1:162

      authUser log kwts-snmp-user priv

      disableAuthorization no

      In place of <IP-address>, specify the IP address on which the snmptrapd service receives network connections.

    4. Start the snmptrapd service. To do so, execute the command:

      service snmptrapd start

    5. Check the SNMP connection with the following command:

      snmptrap -e <EngineID> -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:162 0 .1.3.6.1.4.1.23668.2022.1.411

Encryption of SNMP connections is configured.
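The helpers below are an added example, not part of this Kaspersky documentation or of net-snmp; they assume POSIX sh with sed and grep, and use a constructed snmpget output line in place of the real EngineID from step 1. They reproduce the page's EngineID normalization, emit the createUser and trapsess lines from steps 2 and 3 for a given EngineID and password, and list which directives in an snmpd.conf still accept SNMPv1/v2c community requests, which are neither authenticated nor encrypted.

```shell
#!/bin/sh
# Added example, not Kaspersky's or net-snmp's own tooling. Helpers for the
# procedure above: normalize the EngineID from step 1, pick the persistent
# snmpd.conf path, emit the createUser/trapsess lines, and list directives
# in an snmpd.conf that still accept SNMPv1/v2c community requests.

# Constructed snmpget output standing in for step 1 (not a real EngineID).
SAMPLE_SNMPGET='SNMP-FRAMEWORK-MIB::snmpEngineID.0 = Hex-STRING: 80 00 1F 88 80 12 34 56 78 9A BC DE 00 00 00 00'

# Same transformation as the page's sed pipeline: drop spaces, keep the hex
# after the last colon, prefix it with 0x.
normalize_engine_id() {
    printf '%s\n' "$1" | sed -ne 's/ //g; s/.*:/0x/p'
}

# Persistent net-snmp configuration path per distribution (paths from the page).
persistent_conf_path() {
    case "$1" in
        ubuntu|debian)    echo /var/lib/snmpd/snmpd.conf ;;
        centos|sles|rhel) echo /var/lib/net-snmp/snmpd.conf ;;
        *)                return 1 ;;
    esac
}

# createUser line: snmpd (step 2.2) takes no EngineID, snmptrapd (step 3.2) needs
# "-e <EngineID>". $1 = EngineID or empty, $2 = password for SHA auth and AES privacy.
create_user_line() {
    if [ -n "$1" ]; then
        printf 'createUser -e %s kwts-snmp-user SHA "%s" AES "%s"\n' "$1" "$2" "$2"
    else
        printf 'createUser kwts-snmp-user SHA "%s" AES "%s"\n' "$2" "$2"
    fi
}

# authPriv trap-forwarding line for /etc/snmp/snmpd.conf (step 2.3).
trapsess_line() {
    printf 'trapsess -e %s -v3 -l authPriv -u kwts-snmp-user -a SHA -A %s -x AES -X %s udp:localhost:162\n' \
        "$1" "$2" "$2"
}

# Directives granting v1/v2c community access (unauthenticated, unencrypted); empty output means SNMPv3 only.
community_access_lines() {
    grep -E '^[[:space:]]*(rocommunity|rwcommunity|com2sec)[[:space:]]' "$1" || true
}

# Usage: generate the lines for the sample EngineID and a placeholder password.
eid=$(normalize_engine_id "$SAMPLE_SNMPGET")
create_user_line "$eid" 'REPLACE_ME'
trapsess_line "$eid" 'REPLACE_ME'
```

Run community_access_lines against your finished /etc/snmp/snmpd.conf to see which lines still answer community-based (v1/v2c) requests alongside the SNMPv3 user.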
