This article describes how to configure the SNMP daemon (snmpd) on a GNU/Linux server so that access is restricted to selected sub trees.
Notice: this article does not cover SNMP v3, only v1 and v2c with Net-SNMP 5.7.x. For v3 please refer to the Net-SNMP documentation.
The following picture shows the default snmpd configuration shipped with Debian/Ubuntu:
The access controls shown there state that the “systemonly” view gives access to the “SNMP MIB-2” system sub tree (.1.3.6.1.2.1.1) and to the “HOST-RESOURCES-MIB” sub tree (.1.3.6.1.2.1.25.1).
The last parameter then binds the “systemonly” view to the “public” community (which acts like a password for connecting to the agent), giving read-only access from localhost (127.0.0.1) only.
Build your own snmpd.conf configuration file
When you install a Net-SNMP agent you have to define system parameters:
- Server location
- Main contact
- Server type
This information is described with the following directives:
- sysLocation Sitting on the Dock of the Bay
- sysContact Me <email@example.com>
- sysServices 72 # Application + End-to-End layers
Then you have to define the network allowed to send SNMP requests. In our example we will use 192.168.0.1/24, but the SNMP daemon will listen on all available network interfaces on UDP port 161 because of the following parameter:
- agentAddress udp:161
To let all equipment on 192.168.0.1/24 read the complete SNMP tree, first define a view that includes every sub tree:
- view all included .1
To conclude, we will use “merethis” as the SNMP community to grant read-only access to that view from the 192.168.0.1/24 network:
- rocommunity merethis 192.168.0.0/24 -V all
The configuration file can be:
In our example we did not use the access group model. If you need several access groups, you can create access controls that map communities to access groups, then link each access group to a view and an access type (read-only or read/write).
A new configuration file can be this one:
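As an added example (not the author's file), the snmpd.conf below expresses the two policies discussed above with explicit com2sec/group/view/access lines: the “public” community keeps the Debian “systemonly” view from localhost, while “merethis” from 192.168.0.0/24 gets the “all” view read-only. The security and group names (sec_local, sec_lan, grp_local, grp_lan) are chosen here and are not from the article.

```conf
# System information (same values as in the article)
sysLocation    Sitting on the Dock of the Bay
sysContact     Me <email@example.com>
sysServices    72            # Application + End-to-End layers
agentAddress   udp:161       # listen on all interfaces, UDP 161

# Views: which sub trees a group may see
view  all         included  .1                 # whole tree
view  systemonly  included  .1.3.6.1.2.1.1     # SNMP MIB-2 system
view  systemonly  included  .1.3.6.1.2.1.25.1  # HOST-RESOURCES-MIB

# com2sec  SECURITY-NAME  SOURCE           COMMUNITY
com2sec    sec_local      127.0.0.1        public
com2sec    sec_lan        192.168.0.0/24   merethis

# group  GROUP      MODEL  SECURITY-NAME
group    grp_local  v1     sec_local
group    grp_local  v2c    sec_local
group    grp_lan    v1     sec_lan
group    grp_lan    v2c    sec_lan

# access  GROUP      CONTEXT  MODEL  LEVEL   PREFIX  READ        WRITE  NOTIFY
access    grp_local  ""       any    noauth  exact   systemonly  none   none
access    grp_lan    ""       any    noauth  exact   all         none   none
```

The rocommunity line used earlier is a shorthand that snmpd expands into equivalent com2sec/group/access entries; with v1/v2c the community string is the only credential, so the SOURCE column is what actually limits who can read a given view.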