Configuring encryption of SNMP connections

May 23, 2024

ID 222536

Third-party applications could potentially access data sent over SNMP or replace this data with their own data. To ensure secure data transfer over SNMP, it is recommended to configure encryption of SNMP connections.

To configure SNMP connection encryption:

  1. Add the following line to the /etc/snmp/snmpd.conf file:

    view systemview included .1

  2. Obtain an EngineID, which is needed to process SNMP traps. To do so, run the following command on each server in the cluster:

    snmpget -v2c -c<community name> 127.0.0.1 SNMP-FRAMEWORK-MIB::snmpEngineID.0 2>/dev/null | sed -ne 's/ //g; s/.*:/0x/p'

    Specify the community name that is used in your organization. If necessary, create a new community. For data transfer security purposes, it is not recommended to use the default "public" community.

    Prior to running the command, make sure that the snmpd service is running.

  3. Configure the snmpd service on each server in the cluster. To do so:
    1. Stop the snmpd service. To do so, run the following command:

      systemctl stop snmpd

    2. Create a new user. To do so, run the following command:

      net-snmp-create-v3-user -ro -a SHA -A <password> -x <password> -X AES <username>

    3. Add the following strings to the /etc/snmp/snmpd.conf configuration file:

      # accept KSMG statistics over unix socket

      master agentx

      agentXSocket unix:/var/run/agentx-master.socket

      agentXPerms 770 770 kluser klusers

      # accept incoming SNMP requests over UDP

      agentAddress udp:127.0.0.1:161

      rouser <username> priv .1.3.6.1

      # comment the following line if you don't need to forward SNMP traps over an SNMPv3 connection

      trapsess -e <EngineID> -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:<IP address>:162

      For <IP address>, indicate the IP address that will be used by the snmptrapd service to accept network connections. If you want to save SNMP traps locally on the server, enter 127.0.0.1.

    4. Add the following strings to the configuration file /etc/snmp/snmp.conf:

      mibdirs +/opt/kaspersky/ksmg/share/snmp-mibs/

      mibs all

      If the snmp.conf configuration file does not exist in the specified directory, create it.

    5. Start the snmpd service. To do so, run the following command:

      systemctl start snmpd

    6. Check the SNMP connection. To do so, execute the following commands:

      snmpwalk -mALL -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:127.0.0.1:161 .1.3.6.1.4.1.23668

      snmpget -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:127.0.0.1:161 KSMG-PRODUCTINFO-STATISTICS::applicationName.0

  4. Configure the snmptrapd service on the server where you want to receive SNMP traps. To do so:
    1. Stop the snmptrapd service with the following command:

      systemctl stop snmptrapd

    2. Add the following line to the /var/lib/net-snmp/snmptrapd.conf file:

      createUser -e <EngineID> <username> SHA "<password>" AES "<password>"

      If the snmptrapd.conf configuration file does not exist in the specified directory, create it.

      The user account credentials (<username> and <password>) must be the same for the snmpd and snmptrapd services.

    3. Add the following strings to the /etc/snmp/snmptrapd.conf configuration file:

      snmpTrapdAddr udp:<IP address>:162

      authUser log <username> priv

      disableAuthorization no

      If the snmptrapd.conf configuration file does not exist in the specified directory, create it.

    4. Start the snmptrapd service. To do so, run the following command:

      systemctl start snmptrapd

      Make sure that the password that was indicated in plain text in the /var/lib/net-snmp/snmptrapd.conf file has been replaced with an obfuscated sequence of characters. To do so, you may need to restart the snmptrapd service several times by using the systemctl restart snmptrapd command.

    5. Add the snmptrapd service to autostart. To do so, run the following command:

      systemctl enable snmptrapd

    6. Check the SNMP connection by running the following command:

      snmptrap -e <EngineID> -v3 -l authPriv -u <username> -a SHA -A <password> -x AES -X <password> udp:<IP address>:162 0 KSMG-EVENTS-MIB::restartedBinary

      Make sure that the following string appears in the /var/log/messages file:

      <date and time> <hostname> snmptrapd[7503]: <date and time> localhost [UDP: [127.0.0.1]:26325->[<IP address>]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: KSMG-EVENTS-MIB::restartedBinary

    For <IP address>, indicate the IP address that will be used by the snmptrapd service to accept network connections. If you want to save SNMP traps locally on the server, enter 127.0.0.1.

Encryption of SNMP connections is now configured.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.