Mike Lowrie wrote:
> I have a Compaq T2000 UPS that I use to power my firewall, dmz, and two
> internal machines and I've just started implementing UPS monitoring to
> shut the systems down in the event of an outage instead of relying on
> me, but I've run into a snag.
>
> Reading the documentation, it seems the client has to contact the
> server.
Yes. In order to determine how many slave systems it is powering, the
clients (upsmon) need to be logged in to the server (upsd), so you'll
need to allow connections in that direction as well. After sending the
FSD flag to the slaves, it waits for them to disconnect before powering
down the UPS. Systems not logged in will not receive this command.
> The problem is I really don't want to open a port from the dmz
> to the internal network where the master UPS machine resides. I have
> data from various clients that I can't have compromised.
What has opening a port to do with that?
> Aside from buying another UPS, is there anything anyone can suggest? Is
> there no way for the server to send commands to the client instead?
No. See above.
> I suppose I could make the UPS master the DMZ machine, but that just
> seems wrong.
You mean if the connection is initiated from internal to DMZ, it's OK
for you? That doesn't make sense to me. Depending on where you place
your UPS, either upsmon or upsd on your internal network are exposed to
your DMZ.
Regardless of where you place your UPS, the system it is running on will
be running upsmon (every system that is powered from it should have one
running). If the UPS is on an internal server, the upsmon in your DMZ
will be a slave and therefore (should) have limited access to the upsd
(and UPS). If someone manages to break into upsmon on the DMZ, access
will therefore be limited, since the configuration file found there
should only give slave access. On the other hand, if you place it on the
DMZ server, the upsmon running there probably will need to have master
access too. In that case, both upsmon and upsd on that server are
vulnerable, with the potential to shut down your internal systems
(slaves) as well.
You should always run upsd under a dedicated user ID with otherwise
limited (no) access and optionally run it in a chroot'ed environment.
Personally I think the risk of losing power is more of a risk than
someone breaking in through upsd, but that depends on the sensitivity of
the data you're trying to protect. I can't judge that.
> Any suggestions appreciated!
If you're really paranoid about the security of your internal servers,
you should not have any unnecessary connections between DMZ and internal
and therefore should not operate them from the same UPS. Period.
In all other cases, I would suggest placing upsd on an internal server
and poking a hole between internal and DMZ, possibly guarded with rate
limiting and packet filtering in between. The latter is beyond the
scope of this mailing list however.
Best regards, Arjen
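The split Arjen describes, with upsd on an internal host and the DMZ upsmon holding slave-only credentials, comes down to three NUT configuration files. The fragments below are an added illustration and are not configuration from the thread or from the NUT project; the host addresses (192.168.1.10 for the internal upsd host), the UPS name `compaq`, the user names `dmzmon` and `intmon` and the passwords are constructed placeholders. The `master`/`slave` keywords match the NUT versions of the thread's era; recent NUT releases spell the same roles `primary`/`secondary` and still accept the old words.

```ini
# ---- upsd.conf, on the internal host that owns the UPS ----
# Bind only to the internal address, so the daemon is reachable
# from the DMZ solely through the hole the firewall punches
# toward this one address and port (NUT's default port is 3493).
LISTEN 192.168.1.10 3493

# ---- upsd.users, same host ----
# Weak variant (what to avoid): handing the DMZ machine a user
# with "upsmon master" would let a compromised DMZ upsmon trigger
# a forced shutdown of every slave, including the internal ones.
#
# [dmzmon]
#     password = dmz-placeholder-secret
#     upsmon master          # too much privilege for a DMZ host

# Corrected variant: the DMZ host gets a slave-only login. A slave
# can read UPS status and will receive the FSD flag, but cannot
# set the forced-shutdown state itself or run instant commands.
[dmzmon]
    password = dmz-placeholder-secret
    upsmon slave

# The master upsmon runs on the internal UPS host itself and is
# the only login allowed to set FSD and power the UPS down.
[intmon]
    password = int-placeholder-secret
    upsmon master

# ---- upsmon.conf, on the DMZ host (slave) ----
# Logs in to the internal upsd with the slave credentials only.
# MONITOR <ups>@<host> <powervalue> <user> <password> <role>
MONITOR compaq@192.168.1.10 1 dmzmon dmz-placeholder-secret slave
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
# Drop privileges after startup; the account needs no other access.
RUN_AS_USER nut

# ---- upsmon.conf, on the internal UPS host (master) ----
MONITOR compaq@localhost 1 intmon int-placeholder-secret master
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
POWERDOWNFLAG /etc/killpower
RUN_AS_USER nut
```

With this layout the only traffic crossing from DMZ to internal is the DMZ slave's TCP session to 192.168.1.10:3493, which is the single rule a packet filter between the two segments needs to permit (optionally rate-limited, as suggested above). The credentials in `upsmon.conf` on the DMZ host are what an intruder there would obtain, so keeping that file readable only by the upsmon user and limited to `upsmon slave` is what bounds the damage to the DMZ machine's own shutdown.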