On Tue, 15 Oct 2013 21:56:16 -0400 Charles Lepple <clepple at gmail.com> wrote:

> >> What are you trying to optimize?
> >
> > nothing, but I just did not want another daemon running, or at
> > least I do not want a port open that can access the UPS, because I
> > will not be using it; it is more of a minor security issue than
> > anything. The instructions I read said to set up that port in NUT
> > configuration, but I would rather not set that.
>
> I forgot to mention: by default, NUT listens on localhost. If you are
> using Linux, you could add a "-m owner --uid-owner" rule to iptables
> to only match the UID for the NUT system user.

Thanks; if it listens on localhost by default, that is enough for me, though I recall that is not as secure as listening on 127.0.0.1. I never really used iptables much and am not using it now, so I do not think I will need to. I do not see why I cannot just turn off the port usage, since I have root access and only ever use NUT from a shell.
On 16/10/13 06:40, David N Melik wrote:

> On Tue, 15 Oct 2013 21:56:16 -0400
> Charles Lepple <clepple at gmail.com> wrote:
>
> >>> What are you trying to optimize?
> >>
> >> nothing, but I just did not want another daemon running, or at
> >> least I do not want a port open that can access the UPS, because I
> >> will not be using it; it is more of a minor security issue than
> >> anything. The instructions I read said to set up that port in NUT
> >> configuration, but I would rather not set that.
> >
> > I forgot to mention: by default, NUT listens on localhost. If you are
> > using Linux, you could add a "-m owner --uid-owner" rule to iptables
> > to only match the UID for the NUT system user.
>
> Thanks; if it listens on localhost by default, that is enough for me,
> though I recall that is not as secure as listening on 127.0.0.1.

127.0.0.1 *is* localhost.

-- 
Chris Boot
bootc at bootc.net
On Wed, 16 Oct 2013 08:19:11 +0100 Chris Boot <bootc at bootc.net> wrote:

> >> I forgot to mention: by default, NUT listens on localhost. If
> >> you are using Linux, you could add a "-m owner --uid-owner" rule
> >> to iptables to only match the UID for the NUT system user.
> >
> > Thanks; if it listens on localhost by default, that is enough for
> > me, though I recall that is not as secure as listening on 127.0.0.1.
>
> 127.0.0.1 *is* localhost.

For some programs, either 'localhost' can mean more than '127.0.0.1' to the extent it is suggested to change settings to '127.0.0.1', or that is also done because of what is easier to spoof... but I have even seen someone on IRC with a hostmask like 'username at 127.0.0.1'. I would still like to know if running UPSD on a port is essential, rather than not having a port... crond and atd, for example, do not need ports, so why would UPSD?
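The thread turns on whether upsd really listens only on the loopback address. As an added example (not part of this thread or of NUT), this Python audit reads the Linux /proc/net/tcp and /proc/net/tcp6 tables and reports every address a listener on upsd's port is bound to, so "listens on localhost" can be checked rather than assumed. It assumes upsd's default port 3493, a little-endian host (the kernel writes each 32-bit address word in host byte order), and the constructed sample tables embedded below.

```python
# Added example, not from the thread or from NUT: report which addresses a TCP
# listener (here NUT's upsd) is bound to, from /proc/net/tcp and /proc/net/tcp6.
# Assumes upsd's default port 3493, a little-endian host, constructed sample data.
import ipaddress
import socket

LISTEN_STATE = "0A"  # value of the "st" column for a socket in LISTEN state

def _decode_addr(hex_ip: str, family: int) -> str:
    """Convert the kernel's hex address text to dotted/colon notation."""
    raw = bytes.fromhex(hex_ip)
    # Reverse each 4-byte word: little-endian host order -> network order.
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return socket.inet_ntop(family, b"".join(words))

def _listeners(table: str, family: int, port: int) -> list[str]:
    """Addresses of LISTEN sockets on `port` in one /proc/net/tcp* dump."""
    found = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) == port:
            found.append(_decode_addr(hex_ip, family))
    return found

def listening_addresses(tcp4: str, tcp6: str, port: int = 3493) -> list[str]:
    """Every address the port is listening on, IPv4 entries first, then IPv6."""
    return _listeners(tcp4, socket.AF_INET, port) + _listeners(tcp6, socket.AF_INET6, port)

def non_loopback_listeners(tcp4: str, tcp6: str, port: int = 3493) -> list[str]:
    """Listening addresses reachable beyond the local host (0.0.0.0, ::, or a NIC address)."""
    return [a for a in listening_addresses(tcp4, tcp6, port)
            if not ipaddress.ip_address(a).is_loopback]

# Constructed samples: upsd on 127.0.0.1 and on 0.0.0.0 (0DA5 = 3493), sshd on 22 (0016), upsd on ::1.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0DA5 00000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 12345 1
   1: 00000000:0DA5 00000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 12346 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0DA5 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 12348 1
"""
if __name__ == "__main__":  # on a live host, audit the real tables instead of the samples
    with open("/proc/net/tcp") as f4, open("/proc/net/tcp6") as f6:
        print("upsd exposed on:", non_loopback_listeners(f4.read(), f6.read()) or "loopback only")
```

On the constructed data the audit flags the 0.0.0.0 binding while accepting 127.0.0.1 and ::1, which is the distinction the thread is arguing about.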