SNMP (Simple Network Management Protocol) is a protocol for managing networks. Each managed entity in the network will run an snmp server (snmpd) which is going to collect datas from the server such as networking, load, cpu ...
SNMPD is the service running SNMP on a managed entity. SNMP comes in 3 versions. Version 1, the one we are going to use here is not secured, therefore we are going to make sure that only localhost is going to be able to access it.
People opening the service to the outside should make sure that trusted hosts can access the service either though the use of iptables or through the use of /etc/hosts.allow.
The only package which is required on the server site is snmpd, the SNMP daemon. To install it type:
$ sudo apt-get install snmpd
snmpd is now installed but we still have to tweak it a little bit to make it work as we want.
The first thing we want to make sure is that snmpd is only going to wait for connections on localhost. To do this, edit file /etc/default/snmpd and make sure those values are set:
SNMPDRUN=yes
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
This setting will make sure that the service will be started and that the service is going to bind to localhost.
If you want your server to listen on all interfaces, remove the 127.0.0.1 bit.
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'
Finally, we are going to configure snmpd in such a way that it will only return datas to trusted host for a specific community. Edit /etc/snmp/snmpd.conf and make sure that com2sec it only set to:
com2sec readonly localhost mycommunity
If you want a remote machine to be able to gather information for the community mycommunity, make sure you replace localhost by mynetwork, where mynetwork can be of the form: 1.1.1.1 or 1.1.0.0/16. Also, mycommunity should be change to something meaningful and not easily guest.
We are going to use the snmpwalk utility to verify that the server is working as wanted. Here we want snmp to reply only to localhost for the community mycommunity. From localhost
$ snmpwalk -Os -c mycommunity -v 1 localhost system
Should return a lot of output and:
$ snmpwalk -Os -c public -v 1 localhost system
Timeout: No Response from localhost
If the second command returns result, it might be because you did not comment the line starting with com2sec.