SNMP (Simple Network Management Protocol) remains a widely used protocol for monitoring network devices, servers, and applications in enterprise environments. While SNMPv1 and SNMPv2c rely on unencrypted community strings, SNMPv3 introduces authentication and encryption, making it suitable for security-conscious deployments. This tutorial covers installing and configuring net-snmp on RHEL 9 with SNMPv3, extending the agent with custom checks, and sending encrypted traps to a management system.
Prerequisites
- RHEL 9 server with root or sudo access
- Basic understanding of SNMP concepts (OIDs, MIBs, community strings)
- A monitoring system or NMS (e.g., Zabbix, Nagios, PRTG) to receive SNMP data — or use snmpwalk locally for testing
- Firewall access to UDP port 161 (SNMP agent) and UDP port 162 (SNMP traps)
Step 1 — Install net-snmp
dnf install -y net-snmp net-snmp-utils net-snmp-libs
# Stop the daemon before editing configuration
systemctl stop snmpdThe net-snmp-utils package provides command-line tools including snmpwalk, snmpget, snmptrap, and snmpconf. The main daemon is snmpd.
Step 2 — Create SNMPv3 Users
SNMPv3 user credentials must be created while the daemon is stopped. The net-snmp-create-v3-user helper writes entries to /var/lib/net-snmp/snmpd.conf:
# Create a read-only user with MD5 authentication and DES privacy encryption
net-snmp-create-v3-user -ro -A "authpassword" -a MD5 -X "privpassword" -x DES authUser
# Create a read-write administrative user
net-snmp-create-v3-user -rw -A "adminauthpass" -a SHA -X "adminprivpass" -x AES adminUserPrefer SHA over MD5 and AES over DES for new deployments, as MD5 and DES are considered weak. The example uses both to demonstrate options.
Step 3 — Configure snmpd.conf
Back up and then replace the default configuration at /etc/snmp/snmpd.conf:
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
cat > /etc/snmp/snmpd.conf << 'EOF'
# -------------------------------------------------------
# System information
# -------------------------------------------------------
syslocation "Server Room Rack 3, Building A"
syscontact "[email protected]"
# -------------------------------------------------------
# SNMPv3 access control — disable insecure v1/v2c
# -------------------------------------------------------
# Grant authUser read-only access with authentication + privacy required
rouser authUser priv
# Grant adminUser read-write access
rwuser adminUser priv
# Explicitly reject any community-based (v1/v2c) access
# (No "com2sec" lines = no community string access)
# -------------------------------------------------------
# Listen address — restrict to specific interface
# -------------------------------------------------------
agentAddress udp:161,udp6:[::1]:161
# -------------------------------------------------------
# Views — what the read-only user can see
# -------------------------------------------------------
view all_view included .1
# -------------------------------------------------------
# Disk and load monitoring
# -------------------------------------------------------
disk / 10%
load 12 10 5
# -------------------------------------------------------
# Extend snmpd with a custom shell script
# -------------------------------------------------------
# The OID .1.3.6.1.4.1.8072.1.3.2 is the NET-SNMP-EXTEND-MIB
extend mycheck /bin/bash /usr/local/bin/check_service.sh
# -------------------------------------------------------
# Trap destination for SNMPv3 traps
# -------------------------------------------------------
trapsess -v3 -u authUser -l authPriv -a MD5 -A authpassword -x DES -X privpassword 192.168.1.50
EOFStep 4 — Create a Custom Extension Script
The extend directive runs an external script and exposes its output via SNMP. Create a simple service-check script:
cat > /usr/local/bin/check_service.sh << 'EOF'
#!/bin/bash
# Returns 0 if httpd is running, 1 otherwise
if systemctl is-active --quiet httpd; then
echo "httpd OK"
exit 0
else
echo "httpd DOWN"
exit 1
fi
EOF
chmod +x /usr/local/bin/check_service.shStep 5 — Start the Daemon and Open the Firewall
systemctl enable --now snmpd
systemctl status snmpd
firewall-cmd --permanent --add-service=snmp
firewall-cmd --permanent --add-port=162/udp
firewall-cmd --reloadStep 6 — Test SNMPv3 Queries and Traps
Test the read-only user with a full MIB walk:
# Full SNMPv3 walk with authentication and privacy
snmpwalk -v3 -l authPriv
-u authUser
-a MD5 -A authpassword
-x DES -X privpassword
localhost
# Query a specific OID — system description
snmpget -v3 -l authPriv
-u authUser
-a MD5 -A authpassword
-x DES -X privpassword
localhost sysDescr.0
# Read the custom extension output
snmpwalk -v3 -l authPriv
-u authUser
-a MD5 -A authpassword
-x DES -X privpassword
localhost NET-SNMP-EXTEND-MIB::nsExtendOutput1Line
# Send a test SNMPv3 trap
snmptrap -v3 -l authPriv
-u authUser
-a MD5 -A authpassword
-x DES -X privpassword
192.168.1.50 ''
NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification
netSnmpExampleHeartbeatRate i 60A successful snmpwalk returning system information confirms that SNMPv3 authentication and privacy encryption are working. If you see Authentication failure, double-check the passphrase and ensure the daemon was stopped when the user was created.
Conclusion
You have installed net-snmp on RHEL 9, created SNMPv3 users with authentication and privacy encryption, disabled insecure community-string access, extended the agent with a custom health-check script, and verified queries and trap delivery from the command line. Your SNMP deployment is now enterprise-ready and aligned with current security standards.
Next steps: How to Integrate net-snmp with Zabbix on RHEL 9, How to Configure SNMP Trap Receivers with snmptrapd, and How to Monitor RHEL 9 with Prometheus and Node Exporter.
