How to Make SNMP Agent Accept Connections From Other Hosts

Last updated: July 1, 2024

Reviewed by: David Martinez
Baeldung Pro – Linux – NPI EA (cat = Baeldung on Linux)
announcement - icon

Learn through the super-clean Baeldung Pro experience:

>> Membership and Baeldung Pro.

No ads, dark-mode and 6 months free of IntelliJ Idea Ultimate to start with.

1. Overview

Simple Network Management Protocol (SNMP) is a crucial protocol network administrators use for managing and monitoring network devices.

In this tutorial, we aim to provide a comprehensive understanding of how to configure an SNMP agent on a Linux system to accept connections from other hosts. Moreover, we’ll cover the installation, basic configuration, advanced settings, and security considerations, along with practical examples and command outputs.

2. Introduction to SNMP

As we might already know, SNMP operates in the application layer of the Internet protocol suite and uses UDP for transport. In essence, it consists of a manager and an agent. Precisely, the manager issues requests and receives responses from the agent, which resides on the device being managed. Accordingly, SNMP is widely used for collecting information and configuring network devices such as servers, routers, switches, and other networked devices.

Let’s have a detailed look at SNMP components:

  • Managed devices: these are the network nodes that contain an SNMP agent and reside on a managed network
  • Agent: it’s a software module that resides in a managed device that maintains information about the device and reports these to the SNMP manager
  • Network Management Station (NMS): the manager that communicates with the SNMP agent to collect and manage information

Before configuring SNMP, we should install it first on our Linux system. The installation process may vary slightly depending on the Linux distribution we are using. Here, we’ll demonstrate the installation process on Debian-based systems (such as Ubuntu) and Red Hat-based systems (such as CentOS).

Starting with Debian-based systems, first, we need to update our package list to ensure we have the latest information on the available packages:

$ sudo apt update

In the above snippet, we used the sudo command to grant us superuser privileges to enable us to update our package list using apt. Afterward, we’ll install the SNMP agent (snmpd) and the SNMP utilities:

$ sudo apt install snmp snmpd

On the other hand, if we opt to use Red Hat-based systems, we’ll have to use a different set of commands to accomplish the same result:

$ sudo yum update
$ sudo yum install net-snmp net-snmp-utils

Here, in the first line, we updated our package list to ensure we have the latest information on the available packages. Then, we successfully installed the SNMP agent and utilities.

3. Basic SNMP Configurations

Once we’re done with SNMP installation, the next step is to configure it. In addition, the primary configuration file for SNMP is snmpd.conf. Highlighting its importance, this file controls the behavior of the SNMP daemon.

Our first step will be to open the snmpd.conf file using our preferred text editor, nano, in this case:

$ sudo nano /etc/snmp/snmpd.conf

In this example, we’ll grant access to our local host:

syslocation "Data Center West - Floor 3"
agentAddress  udp:127.0.0.1:161
rocommunity "readonly_access123!"

Let’s illustrate the values in the snippet above:

  • syslocation: defines the physical location of the device (here, “Data Center West – Floor 3“)
  • agentAddress: this line restricts SNMP access to the local host by only defining the address (127.0.0.1– loopback) and port (161 – standard SNMP port) for listening on UDP improving security by preventing remote access
  • rocommunity: defines a read-only community string (“readonly_access123!“) for retrieving information from the SNMP agent

After modifying the configuration file, we’ll have to restart the SNMP service to apply the changes:

$ sudo systemctl restart snmpd
Here, we used the systemctl services and the keyword restart then snmpd to successfully apply the changes.

4. Configuring SNMP to Accept Remote Connections

In the previous section, we configured SNMP on our local host. Now, we’ll understand how to configure SNMP to accept remote connections. In addition to the basic configuration, specific settings are required to allow remote hosts to connect to our SNMP agent. This involves configuring the SNMP agent to accept connections from specified networks or IP addresses. First, let’s comment on the local host configuration and add a line to listen on all interfaces:

#agentAddress  udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161
Next, let’s view our updated configuration:
$ sudo nano /etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161
com2sec readonly 192.168.1.0/24 public
group MyROGroup v2c readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none

To allow connections from a specific network, we can use the com2sec directive. Specifically, this line tells SNMP to accept connections from any host in the 192.168.1.0/24 network using the community string public. Moreover, we map ‘readonly‘ community to the group ‘MyROGroup‘. Next, we define a view ‘all‘ that includes everything. Finally, grant ‘MyROGroup‘ read-only access to ‘all‘ view.

One more very important thing is to modify the firewall settings:

$ sudo ufw allow from 192.168.1.0/24 to any port 161
$ sudo ufw enable

In this example, we ensure that our firewall is configured to allow SNMP traffic. Using ufw (Uncomplicated Firewall) on Debian-based systems.

5. Testing SNMP Configuration

After configuring SNMP to accept remote connections, it’s important to test the setup to ensure it works as expected.

If SNMP utilities aren’t already installed on the remote host, we need to install them:

$ sudo apt install snmp

Then, we use the snmpwalk command to query the SNMP agent.

$ snmpwalk -v 2c -c public 192.168.1.10
SNMPv2-MIB::sysDescr.0 = STRING: Linux myserver 4.15.0-101-generic #102-Ubuntu SMP Fri Feb 7 15:07:41 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.8072.3.2.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56
SNMPv2-MIB::sysContact.0 = STRING: Root <root@myserver> (configure /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysName.0 = STRING: myserver
SNMPv2-MIB::sysLocation.0 = STRING: Server Room

The output indicates that the remote host (192.168.1.10) has SNMP configured and is responding to SNMP requests using SNMP version 2c and the community string public.

Let’s break down the important fields from the above snippet:

  • snmpwalk: retrieve information from a remote SNMP agent using SNMP GETBULK requests
  • SNMPv2-MIB::sysDescr.0: variable contains a description of the operating system running on the remote host
  • SNMPv2-MIB::sysObjectID.0: variable contains the Object Identifier (OID) that uniquely identifies the vendor of the SNMP agent
  • SNMPv2-MIB::sysName.0: variable contains the hostname of the SNMP agent

In other environments, we might need to replace 192.168.1.10 with the IP address of the SNMP agent.

6. Advanced SNMP Configuration

Beyond basic configuration, SNMP can be fine-tuned for better control and security. As seen in the previous example, we restricted access using access control.

Particularly, in the snmpd.conf file, we used the access directive to control which SNMP objects can be accessed and how:

# Define a view that includes everything
view all included .1 80
# Define an access control rule
access MyROGroup "" any noauth exact all none none

Moreover, SNMPv3 provides enhanced security features such as authentication and encryption. To configure SNMPv3, we add a user and configure the security settings:

createUser authOnlyUser MD5 "authPassword"
createUser authPrivUser MD5 "authPassword" DES "privPassword"

Then, we configure access for the user:

rouser authOnlyUser auth
rouser authPrivUser priv
$ sudo systemctl restart snmpd
$ snmpwalk -v 3 -u authPrivUser -l authPriv -a MD5 -A authPassword -x DES -X privPassword 192.168.1.10

In this snippet within the snmpd.conf file, we configured read-only access for authOnlyUser and read-only access for authPrivUser with authentication and privacy. Furthermore, we restarted the SNMP service to apply the changes. Finally, we utilized the snmpwalk command to test the configuration.

7. Troubleshooting Common Issues

Despite careful configuration, we may encounter issues with SNMP. Let’s understand how to tackle a scenario where SNMP services aren’t restarting.

If the SNMP service fails to start, we can check the configuration file for syntax errors. In particular, the SNMP daemon logs errors to /var/log/syslog:

$ sudo tail -f /var/log/syslog

By using the tail command, we can look for errors related to snmpd and correct any issues in the snmpd.conf file.

Another scenario that might arise is that snmpwalk fails to retrieve information from the SNMP agent. Hence, we need to look for affecting factors:

  • the SNMP service is running on the agent
  • the firewall rules allow SNMP traffic
  • the community string or SNMPv3 user credentials are correct

Finally, if we receive “access denied” errors, we need to check the access control settings in the snmpd.conf file. In addition, we ought to ensure that the IP address of the querying host is allowed and that the correct community string or SNMPv3 user credentials are used.

8. Conclusion

In this tutorial, configuring an SNMP agent to accept connections from other hosts in Linux involves installing the necessary packages, modifying the configuration file, and ensuring the appropriate security measures are in place.

We understood SNMP concepts, and configuration for local host and for remote connections, tested SNMP configuration, and practiced basic troubleshooting.

By following the steps outlined in this article, we can set up SNMP to monitor and manage our network devices effectively.