Wednesday, September 6, 2017

Monitor a remote computer securely using SNMP (OpenBSD)

The Simple Network Management Protocol (SNMP) lets you query a computer for system monitoring info, like uptime and hard drive capacity

OpenBSD has an SNMP server built in (snmpd), as well as an SNMP client (snmpctl)

OpenBSD includes SNMP info ("mibs") for CARP, relayd, and pf as well as the standard ones

The OpenBSD client is limited to version 2 of SNMP, so we'll use net-snmp, which supports version 3 and therefore authentication and encryption. There's a package for that.

Server (

# cat /etc/snmpd.conf

listen on
seclevel enc
user "snmp" authkey "s3cr3t00" enckey "s3cr3t00" enc aes auth hmac-sha1

# chown root:_snmpd /etc/snmpd.conf `# root is owner, _snmpd is group`
# chmod u=w,g=r,o= /etc/snmpd.conf `# root write, _snmpd read, other nothing`
# rcctl enable snmpd
# rcctl start snmpd

Need to check your config?

# snmpd -n

Need to debug snmpd?

# snmpd -dvv


# pkg_add net-snmp
# cat /etc/snmp/snmp.conf

defSecurityName snmp
defSecurityLevel authPriv
defPassphrase "s3cr3t00"
defAuthType SHA
defPrivType AES

# chown root:wheel `# root is owner, wheel is group`
# chmod u=w,g=r,o= /etc/snmp/snmp.conf `# root write, wheel read, other nothing`
# snmpwalk | less `# shows much info from remote system`

1 comment:

Anonymous said...

snmp3 is insecure anyway. snmp never ever got proper attention in the industry because theres too much money in shitty snmp. the choice to stick with v2 of snmp was a deliberate one. if youre using snmp you should use ipsec or ssl or ssh as a wrapper. snmp3 doesnt add much security at all.