Set up SNMP version 3 with user authentication and data encryption to secure network monitoring communications. This tutorial covers Net-SNMP daemon configuration, security protocols, and monitoring tool integration.
Prerequisites
- Root access to target servers
- Basic networking knowledge
- Monitoring system (Zabbix, Nagios, or Grafana)
What this solves
SNMP v3 provides secure network monitoring with authentication and encryption, replacing the plaintext community strings used in older SNMP versions. This tutorial shows you how to configure Net-SNMP daemon with user-based security, set up authentication and privacy protocols, and integrate monitoring tools for secure infrastructure oversight.
Step-by-step configuration
Install Net-SNMP packages
Install the SNMP daemon and utilities needed for secure monitoring.
sudo apt update
sudo apt install -y snmpd snmp snmp-mibs-downloader
Stop SNMP daemon for configuration
Stop the service to safely modify configuration files and create users.
sudo systemctl stop snmpd
Create SNMP v3 user with authentication
Create a secure user with SHA authentication and AES encryption. This command writes a createUser line to the persistent Net-SNMP configuration (/var/lib/snmp/snmpd.conf on Debian/Ubuntu) and appends rouser snmpuser to /etc/snmp/snmpd.conf; on its next start snmpd converts the createUser line into a usmUser entry holding localized keys. Note the flag order: -a and -x take the protocols, -A and -X take the passphrases.
sudo net-snmp-create-v3-user -ro -a SHA -x AES -A "MyAuthPass123!" -X "MyPrivPass456!" snmpuser
Configure SNMP daemon settings
Set up the main SNMP daemon configuration with security settings and access controls.
# SNMP v3 Configuration
# Remove default community access: keep the v1/v2c community line commented out
#rocommunity public default
# System information
sysLocation "Server Room A"
sysContact "admin@example.com"
sysServices 72
# SNMP v3 user access - read-only. A bare rouser line exposes the whole MIB tree;
# the "Advanced configuration" section shows how to limit it to a view.
rouser snmpuser
# Security settings
# Only allow SNMP v3: the legacy community chain below maps v1/v2c requests to
# the "none" view, so the daemon accepts the community but lets it read nothing.
# The four lines can be omitted entirely if no legacy client needs a reply at all.
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
access notConfigGroup "" any noauth exact none none none
# Process and disk monitoring
proc sshd
proc httpd 5 10
disk / 10%
disk /var 10%
disk /tmp 10%
# Load monitoring
load 12 14 14
# Network interface monitoring
interface lo
interface eth0
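As an added illustration (not code from the tutorial), a small Python audit of the directives in the block above: it flags plaintext community lines and noauth users, and resolves the com2sec/group/access chain so the deny-all block that maps v1/v2c to the "none" view is recognised as harmless while a legacy default that grants a real view is reported. The three sample configurations are constructed from the page's own directives.

```python
# Added example, not code from the tutorial: audit an snmpd.conf for directives
# that re-open plaintext v1/v2c access or weaken SNMPv3. The VACM chain
# com2sec -> group -> access is resolved, so a community that only reaches the
# "none" view (the tutorial's deny-all block) is not reported.
PLAINTEXT = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def audit_snmpd_conf(text):
    """Return a sorted list of (line_number, message) findings."""
    findings, sec_of, group_of, access_of = [], {}, {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # strip comments; skip blank lines
        if not tok:
            continue
        d = tok[0].lower()
        if d in PLAINTEXT and len(tok) > 1:
            findings.append((n, f"{d} grants community {tok[1]!r} over plaintext v1/v2c"))
        elif d == "com2sec" and len(tok) >= 4:   # com2sec SECNAME SOURCE COMMUNITY
            sec_of[tok[1]] = (n, tok[3])
        elif d == "group" and len(tok) >= 4 and tok[2].lower() in ("v1", "v2c"):
            group_of[tok[3]] = tok[1]            # group GROUP MODEL SECNAME
        elif d == "access" and len(tok) >= 9:    # access GROUP CTX MODEL LEVEL PREFIX READ WRITE NOTIFY
            access_of[tok[1]] = tok[6:9]
        elif d in ("rouser", "rwuser") and len(tok) > 2 and tok[2].lower() == "noauth":
            findings.append((n, f"{d} {tok[1]} permits unauthenticated (noAuthNoPriv) requests"))
    for sec, (n, community) in sec_of.items():   # resolve each community's real views
        views = access_of.get(group_of.get(sec), [])
        if any(v.lower() != "none" for v in views):
            findings.append((n, f"community {community!r} reaches views {views} over v1/v2c"))
    return sorted(findings)

# Constructed samples assembled from the directives shown on this page
TUTORIAL_CONF = """\
rocommunity public default
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
access notConfigGroup "" any noauth exact none none none
"""
LEGACY_CONF = """\
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
access notConfigGroup "" any noauth exact systemview none none
rwuser adminuser noauth
"""
HARDENED_CONF = "#rocommunity public default\nrouser snmpuser priv -V systemview\n"

if __name__ == "__main__":
    for name, conf in (("tutorial", TUTORIAL_CONF), ("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf))
```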
Configure firewall access
Open UDP port 161 for monitoring access. Restrict access to specific monitoring server IPs in production.
sudo ufw allow from 203.0.113.10 to any port 161 proto udp
sudo ufw reload
Set file permissions
Secure the SNMP configuration files to prevent unauthorized access to authentication credentials. The persistent file /var/lib/snmp/snmpd.conf holds the localized USM keys once snmpd has started, so it is as sensitive as the passphrases. Leave the ownership of /var/lib/snmp as the package set it: on Debian/Ubuntu snmpd drops to the Debian-snmp user and must read and rewrite that file itself.
sudo chmod 600 /etc/snmp/snmpd.conf
sudo chown root:root /etc/snmp/snmpd.conf
sudo chmod 700 /var/lib/snmp
sudo chmod 600 /var/lib/snmp/snmpd.conf
Start and enable SNMP daemon
Start the SNMP service and enable it to start automatically on boot.
sudo systemctl enable snmpd
sudo systemctl start snmpd
sudo systemctl status snmpd
Configure additional SNMP v3 users
Add more users with different access levels. Create a read-write user for configuration changes.
sudo systemctl stop snmpd
sudo net-snmp-create-v3-user -a SHA -x AES -A "AdminAuth789!" -X "AdminPriv012!" adminuser
sudo systemctl start snmpd
Update SNMP configuration for new user
Add the new administrative user to the configuration with read-write access.
# Add after the existing rouser line (net-snmp-create-v3-user appends this
# line itself when run without -ro, so check that it is not already present)
rwuser adminuser
sudo systemctl restart snmpd
Configure monitoring tool integration
Set up your monitoring system to use SNMP v3. Here's an example for Zabbix configuration.
# SNMP v3 Connection Parameters
SNMP version: SNMPv3
Context name: (leave empty)
Security name: snmpuser
Security level: authPriv
Authentication protocol: SHA
Authentication passphrase: MyAuthPass123!
Privacy protocol: AES
Privacy passphrase: MyPrivPass456!
Port: 161
Security protocol options
SNMP v3 supports multiple authentication and privacy protocols. Choose based on your security requirements:
| Protocol Type | Options | Security Level | Use Case |
|---|---|---|---|
| Authentication | MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-256+ recommended | User verification |
| Privacy (Encryption) | DES, AES, AES-192, AES-256 | AES-256 recommended | Data encryption |
| Security Level | noAuthNoPriv, authNoPriv, authPriv | authPriv required | Complete protection |
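Added example, not Net-SNMP code, covering both the file-permissions step and the protocol table: the RFC 3414 password-to-key derivation that turns a createUser passphrase into the localized keys stored in the persistent snmpd.conf. The engineID in the demo is constructed; the test vectors are the "maplesyrup" examples from RFC 3414 Appendix A.

```python
import hashlib

# Added example, not Net-SNMP code: the RFC 3414 password-to-key algorithm that
# snmpd applies to each createUser passphrase. The resulting localized keys are
# what the usmUser lines in the persistent snmpd.conf store, which is why that
# file needs the same protection as the passphrases themselves.
MEGABYTE = 1048576

def password_to_key(passphrase: str, hash_name: str = "sha1") -> bytes:
    """Ku: digest of the passphrase repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    if len(passphrase) < 8:           # USM minimum; Net-SNMP enforces it too
        raise ValueError("USM passphrases must be at least 8 characters")
    data = passphrase.encode()
    stretched = (data * (MEGABYTE // len(data) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stretched).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one agent's engineID."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes, hash_name: str = "sha1"):
    """Localized auth key plus the AES-128 privacy key for one agent.

    The privacy passphrase is run through the *authentication* hash, and
    AES-128 (like DES) keeps only the first 16 bytes of the localized result."""
    auth = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
    return auth, priv[:16]

if __name__ == "__main__":
    # Constructed engineID for illustration; a real agent reports its own value
    # as SNMP-FRAMEWORK-MIB::snmpEngineID.0 (1.3.6.1.6.3.10.2.1.1.0).
    engine = bytes.fromhex("80001f8880e9bd0c12345678")
    auth, priv = usm_keys("MyAuthPass123!", "MyPrivPass456!", engine)
    print("localized auth key:", auth.hex())
    print("localized priv key:", priv.hex())
```

Because the keys are localized, a usmUser entry copied from one agent cannot be replayed against another engineID, but on the agent it came from it is equivalent to the passphrase.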
Verify your setup
# Test SNMP v3 authentication locally
snmpget -v3 -u snmpuser -l authPriv -a SHA -A "MyAuthPass123!" -x AES -X "MyPrivPass456!" localhost 1.3.6.1.2.1.1.1.0
# Test from remote monitoring server
snmpwalk -v3 -u snmpuser -l authPriv -a SHA -A "MyAuthPass123!" -x AES -X "MyPrivPass456!" 203.0.113.100 1.3.6.1.2.1.1
# Check daemon status and logs
sudo systemctl status snmpd
sudo journalctl -u snmpd -f
Successful output should show system information without authentication errors. For network monitoring integration, verify metrics collection in your dashboard.
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Authentication failure | Wrong passphrase | Recreate user with net-snmp-create-v3-user |
| Permission denied | Wrong file permissions | sudo chmod 600 /etc/snmp/snmpd.conf |
| Connection timeout | Firewall blocking port 161 | Check firewall rules and allow UDP 161 |
| No response from OIDs | User lacks read access | Add rouser username to snmpd.conf |
| Encryption not working | Privacy protocol mismatch | Verify AES protocol in both client and server |
| Service won't start | Configuration syntax error | sudo snmpd -f -Lo -c /etc/snmp/snmpd.conf |
Advanced configuration
Configure SNMP v3 with custom OID access
Restrict users to specific OID trees for granular security control.
# Restrict snmpuser to system and host-resources information only.
# Replace the bare "rouser snmpuser" line from the basic configuration with
# this VACM chain, otherwise the earlier full-tree grant still applies.
# (Security levels in access lines are noauth|auth|priv, not authPriv.)
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1
group systemgroup usm snmpuser
access systemgroup "" usm priv exact systemview none none
# One-line equivalent: rouser snmpuser priv -V systemview
Enable SNMP traps with authentication
Configure authenticated SNMP traps for proactive monitoring alerts. The trap user must also be known to the receiver.
# SNMP v3 trap configuration
# SNMPv3 TRAPs are authenticated with the sending agent's engineID, so the
# receiver's snmptrapd.conf needs a createUser entry for trapuser that carries
# this agent's engineID (createUser -e ENGINEID ...). Add -Ci to send INFORMs
# instead, which are authenticated against the receiver's own engineID.
trapsess -v 3 -u trapuser -l authPriv -a SHA -A "TrapAuth345!" -x AES -X "TrapPriv678!" 203.0.113.10:162
# Enable specific traps
linkUpDownNotifications yes
defaultMonitors yes
Next steps
- Set up SNMP trap monitoring and alerting for proactive network management
- Configure SNMP monitoring with Grafana dashboards for visualization
- Deploy distributed SNMP monitoring with Zabbix for enterprise scale
- Optimize SNMP v3 bulk operations for large networks
- Configure certificate-based SNMP v3 authentication for enhanced security
Running this in production?
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
set -euo pipefail
# SNMP v3 Configuration Script
# Configures secure SNMP v3 monitoring with authentication and encryption
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Default values
MONITORING_IP=""
AUTH_PASS="MyAuthPass123!"
PRIV_PASS="MyPrivPass456!"
ADMIN_AUTH_PASS="AdminAuth789!"
ADMIN_PRIV_PASS="AdminPriv012!"
SNMP_USER="snmpuser"
ADMIN_USER="adminuser"
# Usage function
usage() {
echo "Usage: $0 -i MONITORING_IP [OPTIONS]"
echo "Options:"
echo " -i IP Monitoring server IP address (required)"
echo " -u USER SNMP username (default: snmpuser)"
echo " -h Show this help"
exit 1
}
# Parse arguments
while getopts "i:u:h" opt; do
case $opt in
i) MONITORING_IP="$OPTARG" ;;
u) SNMP_USER="$OPTARG" ;;
h) usage ;;
*) usage ;;
esac
done
if [[ -z "$MONITORING_IP" ]]; then
echo -e "${RED}Error: Monitoring IP address is required${NC}"
usage
fi
# Validate IP address format
if [[ ! $MONITORING_IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
echo -e "${RED}Error: Invalid IP address format${NC}"
exit 1
fi
# Cleanup function for rollback
cleanup() {
echo -e "${YELLOW}Error occurred. Cleaning up...${NC}"
systemctl start snmpd 2>/dev/null || true
}
trap cleanup ERR
# Check if running as root
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}Error: This script must be run as root${NC}"
exit 1
fi
echo -e "${GREEN}Starting SNMP v3 configuration...${NC}"
# Detect distribution and set package manager
echo "[1/10] Detecting distribution..."
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_UPDATE="apt update"
PKG_INSTALL="apt install -y"
FIREWALL_CMD="ufw"
SNMP_PACKAGES="snmpd snmp snmp-mibs-downloader"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_UPDATE="dnf update -y"
PKG_INSTALL="dnf install -y"
FIREWALL_CMD="firewall-cmd"
SNMP_PACKAGES="net-snmp net-snmp-utils net-snmp-devel"
;;
amzn)
PKG_MGR="yum"
PKG_UPDATE="yum update -y"
PKG_INSTALL="yum install -y"
FIREWALL_CMD="firewall-cmd"
SNMP_PACKAGES="net-snmp net-snmp-utils net-snmp-devel"
;;
*)
echo -e "${RED}Error: Unsupported distribution: $ID${NC}"
exit 1
;;
esac
echo -e "${GREEN}Detected: $PRETTY_NAME${NC}"
else
echo -e "${RED}Error: Cannot detect distribution${NC}"
exit 1
fi
# Update package repositories
echo "[2/10] Updating package repositories..."
$PKG_UPDATE >/dev/null 2>&1
# Install SNMP packages
echo "[3/10] Installing SNMP packages..."
$PKG_INSTALL $SNMP_PACKAGES >/dev/null 2>&1
# Stop SNMP daemon for configuration
echo "[4/10] Stopping SNMP daemon..."
systemctl stop snmpd
# Create SNMP v3 user with authentication (-a/-x = protocols, -A/-X = passphrases)
echo "[5/10] Creating SNMP v3 user..."
net-snmp-create-v3-user -ro -a SHA -x AES -A "$AUTH_PASS" -X "$PRIV_PASS" "$SNMP_USER" >/dev/null 2>&1
# Configure SNMP daemon settings
echo "[6/10] Configuring SNMP daemon..."
cat > /etc/snmp/snmpd.conf << EOF
# SNMP v3 Configuration
# System information
sysLocation "Server Room A"
sysContact "admin@example.com"
sysServices 72
# SNMP v3 user access - read-only access to system tree
rouser $SNMP_USER
# Security settings - Only allow SNMP v3
# Disable community strings
#rocommunity public default
# Process and disk monitoring
proc sshd
proc httpd 5 10
disk / 10%
disk /var 10%
disk /tmp 10%
# Load monitoring
load 12 14 14
# Network interface monitoring
interface lo
interface eth0
EOF
# Configure firewall access (UDP 161 from the monitoring host only)
echo "[7/10] Configuring firewall..."
case "$PKG_MGR" in
apt)
# Only add a rule if ufw is already active: force-enabling ufw here could
# cut off the SSH session that is running this script
if command -v ufw >/dev/null 2>&1 && ufw status | grep -q '^Status: active'; then
ufw allow from "$MONITORING_IP" to any port 161 proto udp >/dev/null 2>&1
ufw reload >/dev/null 2>&1
else
echo -e "${YELLOW}ufw is not active; allow UDP 161 from $MONITORING_IP in your firewall manually${NC}"
fi
;;
dnf|yum)
if systemctl is-active firewalld >/dev/null 2>&1; then
firewall-cmd --add-rich-rule="rule family=\"ipv4\" source address=\"$MONITORING_IP\" port protocol=\"udp\" port=\"161\" accept" --permanent >/dev/null 2>&1
firewall-cmd --reload >/dev/null 2>&1
fi
;;
esac
# Set file permissions
echo "[8/10] Setting secure file permissions..."
chmod 600 /etc/snmp/snmpd.conf
chown root:root /etc/snmp/snmpd.conf
# The persistent directory holds the localized USM keys once snmpd has started.
# It is /var/lib/snmp on Debian/Ubuntu and /var/lib/net-snmp on the RHEL family.
# Tighten the mode but keep the package's ownership: on Debian/Ubuntu snmpd
# runs as Debian-snmp and must read and rewrite this file itself.
for PERSIST_DIR in /var/lib/snmp /var/lib/net-snmp; do
if [[ -d "$PERSIST_DIR" ]]; then
chmod 700 "$PERSIST_DIR"
if [[ -f "$PERSIST_DIR/snmpd.conf" ]]; then
chmod 600 "$PERSIST_DIR/snmpd.conf"
fi
fi
done
# Start and enable SNMP daemon
echo "[9/10] Starting SNMP daemon..."
systemctl enable snmpd >/dev/null 2>&1
systemctl start snmpd
# Create additional admin user
echo "[10/10] Creating administrative user..."
systemctl stop snmpd
net-snmp-create-v3-user -a SHA -x AES -A "$ADMIN_AUTH_PASS" -X "$ADMIN_PRIV_PASS" "$ADMIN_USER" >/dev/null 2>&1
# net-snmp-create-v3-user appends "rwuser $ADMIN_USER" to snmpd.conf itself;
# only add the line if it is missing, to avoid a duplicate entry
grep -q "^rwuser $ADMIN_USER" /etc/snmp/snmpd.conf || echo "rwuser $ADMIN_USER" >> /etc/snmp/snmpd.conf
systemctl start snmpd
# Verify installation
echo -e "${YELLOW}Verifying configuration...${NC}"
sleep 2
if systemctl is-active snmpd >/dev/null 2>&1; then
echo -e "${GREEN}✓ SNMP daemon is running${NC}"
else
echo -e "${RED}✗ SNMP daemon failed to start${NC}"
exit 1
fi
if ss -ulnp | grep -q ":161 "; then
echo -e "${GREEN}✓ SNMP listening on port 161${NC}"
else
echo -e "${RED}✗ SNMP not listening on port 161${NC}"
exit 1
fi
echo -e "${GREEN}SNMP v3 configuration completed successfully!${NC}"
echo ""
echo -e "${YELLOW}Configuration Summary:${NC}"
echo "SNMP Version: v3"
echo "Read-only user: $SNMP_USER"
echo "Read-write user: $ADMIN_USER"
echo "Monitoring IP allowed: $MONITORING_IP"
echo "Authentication: SHA"
echo "Privacy: AES"
echo ""
echo -e "${YELLOW}Monitoring Tool Configuration:${NC}"
echo "SNMP version: SNMPv3"
echo "Security name: $SNMP_USER"
echo "Security level: authPriv"
echo "Authentication protocol: SHA"
echo "Authentication passphrase: $AUTH_PASS"
echo "Privacy protocol: AES"
echo "Privacy passphrase: $PRIV_PASS"
echo "Port: 161"
Review the script before running, and replace the example passphrases near the top with your own. The monitoring server address is required. Execute with: bash install.sh -i 203.0.113.10