Configuring SNMP v3 on OpenBSD 6.4

Posted in OpenBSD by anaumov on 27.11.2018

Today everyone who cares about its network infrastructure security choice commercial solutions and buys hardware appliances. Usually it’s an easy-to-use “boxes” with some number of network services. Vendors of this appliances provides support. This is one of the reason why many managers like it and choose it. But most important here – usually on those boxes runs OpenBSD. And it is the reason why we, engineers and developers, who are responsible for infrastructure security, love it too 😉
I think, it’s not needed to explain how it’s important to monitor your infrastructure. But it’s also very important to do it in secure way, right? Unfortunately, in its book Absolute OpenBSD Michael Lucas explains about second version of the Simple Network Management Protocol – SNMP v2c – but this is not what we want and should to use today! SNMPv3 – the latest version of SNMP – doesn’t solve all kind of problems, but its usage is more and more desirable today.

Wikipedia says:

As of 2004 the IETF recognizes Simple Network Management Protocol version 3 as defined by RFC 3411–RFC 3418[18] (also known as STD0062) as the current standard version of SNMP. The IETF has designated SNMPv3 a full Internet standard,[19] the highest maturity level for an RFC. It considers earlier versions to be obsolete (designating them variously “Historic” or “Obsolete”).

On modern OpenBSD systems an SNMP server (snmpd) is installed by default. The process of configuration snmpd(8) on OpenBSD is very similar to snmpd used on the GNU systems like openSUSE, Debian or CentOS (warning: two different implementations with the same name!). First, we have to put just three strings to the snmpd config file /etc/snmpd.conf:

# uname -prs
OpenBSD 6.4 amd64
 
# cat /etc/snmpd.conf
listen on 192.168.122.241
seclevel enc
user "snmpv3" authkey "aUthkeySNMP" enckey "eNckeySNMP" enc aes auth hmac-sha1

First line tells the IP address on that snmpd should listen incoming requests. Second line means that SNMP-messages must be encrypted and must have a valid digest for authentication (secLevel – authPriv). Otherwise they will be discarded. Finally, the last line contains authentication values for SNMPv3 like username, keys and type of encryption.
That was the most secure level of SNMPv3 – authPriv. snmpd supports 2 other secLevels of SNMPv3 – authentication without privacy (authNoPriv) and no authentication, no privacy (noAuthNoPriv).

seclevel auth
user "snmp" authkey "s3cr3t00" auth hmac-sha1

seclevel none
user "nosecure"

Yes, it’s possible to configure snmpd in 3 different ways and use these secLevels simultaneously… if it’s really needed.

After that I will recommend to set permissions for our new config file:

# chown root:_snmpd /etc/snmpd.conf
# chmod u=w,g=r,o= /etc/snmpd.conf

This says root is owner, _snmpd is group and root write, _snmpd read, other nothing. Make sense? 😉

It’s also possible to check syntax of config file:

# snmpd -n
configuration ok
 
# echo $?
0

If everything is ok, we can add daemon to autostart (don’t forget it!) and start snmpd now:

# rcctl enable snmpd
# rcctl start snmpd

To be sure that everything is fine, let’s check the status of running daemon with rcctl(8). As usual, we can also use ps(1) to check it:

# rcctl check snmpd
snmpd(ok)
 
# ps aux | grep snmpd
_snmpd    7012  0.0  0.3   920  3492 ??  Is   Fri04PM  0:01.58 snmpd: snmpe (snmpd)
root     12243  0.0  0.2   728  1704 ??  Isp  Fri04PM  0:00.00 /usr/sbin/snmpd
_snmpd   67857  0.0  0.3   660  2760 ??  Isp  Fri04PM  0:00.00 snmpd: traphandler (snmpd)

To be sure pf doesn’t block UPD/161 port – quick network check with nmap:

# nmap -sU -p 161 192.168.122.241
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-26 11:55 CET
Nmap scan report for 192.168.122.241
Host is up (0.00031s latency).
 
PORT    STATE SERVICE
161/udp  open    snmp
MAC Address: 52:54:00:B0:AB:45 (QEMU virtual NIC)
 
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

If port 161 is open you can test your snmp-connections with some simple test like this:

OpenBSD SNMP client?

As we saw, OpenBSD has an built in SNMP server. It works perfectly, that’s great, but how about SNMP client? Well, yes, OpenBSD has as well as an SNMP client – snmpctl. But it seems like it doesn’t provide SNMPv3 support. As we can see in its man page, there are options for up to SNMP v2 version only 😦
Please correct me if I’m wrong.

How about OpenBSD MIBs?

SNMP lets you query a computer for system monitoring info, like memory usage or hard drive capacity. But OpenBSD also provides addition information via its MIBS for CARP, relayd(8) and PF. List of MIBs files could be found in /usr/share/snmp/mibs/:

# ls -la /usr/share/snmp/mibs/
total 184
drwxr-xr-x  2 root  wheel    512 Oct 11 21:19 .
drwxr-xr-x  3 root  wheel    512 Oct 11 21:18 ..
-r--r--r--  1 root  wheel   2331 Oct 11 21:19 OPENBSD-BASE-MIB.txt
-r--r--r--  1 root  wheel   8805 Oct 11 21:19 OPENBSD-CARP-MIB.txt
-r--r--r--  1 root  wheel   3283 Oct 11 21:19 OPENBSD-MEM-MIB.txt
-r--r--r--  1 root  wheel  39486 Oct 11 21:19 OPENBSD-PF-MIB.txt
-r--r--r--  1 root  wheel  18559 Oct 11 21:19 OPENBSD-RELAYD-MIB.txt
-r--r--r--  1 root  wheel   4545 Oct 11 21:19 OPENBSD-SENSORS-MIB.txt
-r--r--r--  1 root  wheel   2547 Oct 11 21:19 OPENBSD-SNMPD-CONF.txt

This list of MIBs can be added to your Net-SNMP installation by simply copying them into the /usr/share/snmp/mibs directory. After that such tools like snmpwalk or snmpget will be able to understand OpenBSD specific OIDs. For example, getting information about pf:

> snmpwalk -u snmpv3 -A aUthkeySNMP -a SHA -X eNckeySNMP -x AES \
-l authPriv 192.168.122.241 -m "/usr/share/snmp/mibs/OPENBSD-PF-MIB.txt" pf

Conclusion

At the end I would like to remind you that SNMPv3 still doesn’t garant to be a 100% secure. SNMP is not simple. In Internet you can find a list of attacks to SNMPv3 and just descriptions of wrong and insecure ways to use it. You should understand how dangerous can be manipulations with this connection and how high a fee for an improperly configured server.
Here are a few explanatory links:

For sure, SNMP is a great deal of experiments and tests for security engineers. I have a lot of fun to study it and playing with it. I hope, it’s same for you. Good luck 😉