Joerg Pulz
2009-Feb-26 11:20 UTC
[Nut-upsuser] RFC: Use tcp-wrapper for all connections to upsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, after some experimenting and digging through the code i found no solution how to completely disable access to upsd from specific hosts. In previous versions (before r1233) it was possible to allow or deny access to upsd completely by using ACL, ACCEPT and REJECT entries in upsd.conf. As this functionality was removed and tcp-wrappers support was introduced i thought it would be possible to use some rules in hosts.allow to get the same functionality as before. Unfortunately, thats not the case. Only authenticated commands like SET or INSTCMD are protected by tcp-wrappers, all other commands like GET or LIST can be used from everywhere by everyone which is IMO a regression. For me, the right solution would be to protect all incoming connections by tcp-wrappers. What do others think about this? Kind regards Joerg - -- The beginning is the most important part of the work. -Plato -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iD8DBQFJpnrkSPOsGF+KA+MRAl5qAJ4giiMOPNrSjAnI3p7Fa0NHSLCSbQCgjJBr kTpLEuSEJJAKdLutFMZxmFE=DBDA -----END PGP SIGNATURE-----
Arjen de Korte
2009-Feb-26 19:41 UTC
[Nut-upsuser] RFC: Use tcp-wrapper for all connections to upsd
Citeren Joerg Pulz <Joerg.Pulz op frm2.tum.de>:> after some experimenting and digging through the code i found no solution > how to completely disable access to upsd from specific hosts.On multi-homed servers the LISTEN directive will deal with this, by only listening on interfaces from which clients are allowed to connect. If this isn't fine grained enough, your firewall will keep out unwanted connections much more efficiently than tcp-wrappers (or the now obsolete ACL mechanism) ever will.> In previous versions (before r1233) it was possible to allow or deny > access to upsd completely by using ACL, ACCEPT and REJECT entries in > upsd.conf. As this functionality was removed and tcp-wrappers support was > introduced i thought it would be possible to use some rules in hosts.allow > to get the same functionality as before. Unfortunately, thats not the > case.This is by design.> Only authenticated commands like SET or INSTCMD are protected by > tcp-wrappers, all other commands like GET or LIST can be used from > everywhere by everyone which is IMO a regression. > > For me, the right solution would be to protect all incoming connections by > tcp-wrappers.Using tcp-wrappers for source address access control alone is a *huge* waste of effort, therefor NUT no longer supports this.> What do others think about this?The tcp-wrappers support in NUT is only meant to deal with the case where you want to allow access for certain users from a specific set of machines (for instance, administrative access). This means we require the username and password, hence this only works for commands that require to be logged into the server. The previous ACL mechanism was too inefficient (in terms of resources) to be really useful in countering attacks on the server. By the time the decision to allow or deny a client access was made, most of the effort that was needed to process the incoming connection would already have been spent, so there really wasn't that much to gain anymore (other than restrict clients to see what is going on on the server). This is the reason we dropped the ACL mechanism. Best regards, Arjen -- Please keep list traffic on the list