Hi:
I found I can set up a password for upsmon, but upsc can connect to any upsd without authentication. Although the UPS data is not very confidential, I would like not to expose it to anyone who can connect to the server.

Is there any method to harden upsd? Thanks for any hint.

Regards,
tbskyd

On Sep 10, 2015, at 10:23 AM, d tbsky <tbskyd at gmail.com> wrote:
>
> Hi:
> I found I can set up a password for upsmon, but upsc can connect to
> any upsd without authentication. Although the UPS data is not very
> confidential, I would like not to expose it to anyone who can
> connect to the server.
>
> Is there any method to harden upsd? Thanks for any hint.

There are a few different approaches. If your version of NUT was built with TCP-wrappers, you can configure NUT to only allow certain clients to connect.

However, in most cases where you would consider TCP-wrappers, you would probably be better served with a kernel-level firewall.

There is also an option to compile NUT to verify client SSL certificates: http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_upsd_optional_client_authentication

--
Charles Lepple
clepple at gmail

2015-09-11 10:11 GMT+08:00 Charles Lepple <clepple at gmail.com>:
> On Sep 10, 2015, at 10:23 AM, d tbsky <tbskyd at gmail.com> wrote:
>>
>> Hi:
>> I found I can set up a password for upsmon, but upsc can connect to
>> any upsd without authentication. Although the UPS data is not very
>> confidential, I would like not to expose it to anyone who can
>> connect to the server.
>>
>> Is there any method to harden upsd? Thanks for any hint.
>
> There are a few different approaches. If your version of NUT was built with TCP-wrappers, you can configure NUT to only allow certain clients to connect.
>
> However, in most cases where you would consider TCP-wrappers, you would probably be better served with a kernel-level firewall.
>
> There is also an option to compile NUT to verify client SSL certificates: http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_upsd_optional_client_authentication
>
> --
> Charles Lepple
> clepple at gmail

Thanks for the hint. I guess SSL certificates are the way to go, although it is overkill for my need (just a password to protect it is enough for me).

2015-09-11 10:11 GMT+08:00 Charles Lepple <clepple at gmail.com>:
>
> There is also an option to compile NUT to verify client SSL certificates: http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html#_upsd_optional_client_authentication
>

After reading the NUT document about SSL, I am really confused. I only see SSL configuration about "upsd" and "upsmon". How about "upscmd", "upsrw" and "upsc"? I didn't see configuration for them to use a specific SSL certificate. Am I missing something?

Regards,
tbskyd