Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
2011/3/11 Charles Lepple clep...@gmail.com

> On Mar 10, 2011, at 4:41 PM, Lukas Haase wrote:
>
> > However, after upgrading from Debian lenny to Debian squeeze
> > (version 2.4.3-1.1squeeze1) I get the messages in syslog:
> >
> >     ACL in upsd.conf is no longer supported - switch to LISTEN
> >     ACCEPT in upsd.conf is no longer supported - switch to LISTEN
> >     REJECT in upsd.conf is no longer supported - switch to LISTEN
> >     allowfrom in upsd.users is no longer used
> >
> > Well, I commented out the lines and it works now. However, there is
> > no access restriction anymore! :-(
> >
> > Why have these wonderful features been dropped? Are there at least
> > any alternatives for ACL, ACCEPT, REJECT and allowFrom?
>
> The following web page indicates that the Debian squeeze packages of
> NUT were linked against libwrap, which has had a much longer track
> record of user-space connection filtering than NUT:
>
> http://packages.debian.org/squeeze/nut
>
> This information should be in /usr/share/doc/nut/UPGRADING.gz. The NUT
> mailing list archives have a number of threads where the reasoning for
> this change has been discussed.
>
> You also might want to consider kernel-level firewall rules. That means
> that you won't be exposed to bugs in either NUT's connection handling,
> or that of libwrap.

A full chapter of the user documentation focuses on all the security
mechanisms available with NUT, including TCP-Wrappers, Firewall, (SSL)
authentication and encryption:

http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html

cheers,
Arnaud
--
Linux / Unix Expert RD - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
___
Nut-upsuser mailing list
Nut-upsuser@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/nut-upsuser
Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
On 11.03.2011 10:32, Arnaud Quette wrote:

> [...]
> a full chapter of the user documentation focus on all the security
> mechanisms available with NUT, including TCP-Wrappers, Firewall, (SSL)
> authentication and encryption
> http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html

Aah, thanks for the pointer!

If I understand correctly, /etc/hosts.deny and .allow should provide the
same functionality as allowFrom/ACL/ALLOW/REJECT. Fortunately the Debian
package is linked to libwrap0 which should provide this functionality,
should it?!

Nevertheless, I do not understand why you use ups in hosts.allow and
upsd in hosts.deny?

I somehow tried both but it does somehow not work as expected. When I add

    ups : ALL
    upsd : ALL

to hosts.deny, then no communication should be possible. However, I can
access the statistics from another host running upsstats.cgi! I also
tested with upsc denchi@localhost - it always works!

However, running upsmon I get the following error in syslog:

    upsmon[20181]: Startup successful
    upsmon[20184]: Login on UPS [denchi@localhost] failed - got [ERR ACCESS-DENIED]

When I add

    upsd : monmaster@127.0.0.1/32

to hosts.allow it works:

    upsmon[20213]: Startup successful
    upsd[19700]: User monmaster@127.0.0.1 logged into UPS [denchi]

So it somehow works partially ... What is the explanation for this?

Regards,
Luke
Re: [Nut-upsuser] Problems with upscmd ACCESS-DENIED
Thanks for clearing that out, I was going to do a battery test because I
was afraid that my batteries might be dying but as it turns out one of
the batteries had a loose plug, fixed that and the ups is running
strong :)

> Only if the UPS finds that the battery needs to be replaced it will
> report the 'RB' status (replace battery). If it doesn't, all is well.
> The Q1 protocol that is used by your UPS doesn't support more verbose
> messages (and neither does it report runtime or charge capacity) so
> there is nothing more to report.

When using the software supplied from the manufacturer I do see runtime
and charge capacity messages.

Best regards
-Gardar

On Fri, Mar 11, 2011 at 7:28 AM, Arjen de Korte nut+us...@de-korte.org wrote:

> Quoting Garðar Arnarsson gar...@giraffi.net:
>
> > Thanks a bunch, that worked like a charm :)
>
> Glad to hear that.
>
> > But now I've got another question... After I run commands (tests)
> > with upscmd, where do I see the results?
>
> You don't.
>
> > Ran a battery test check and it did not give any output.
>
> Only if the UPS finds that the battery needs to be replaced it will
> report the 'RB' status (replace battery). If it doesn't, all is well.
> The Q1 protocol that is used by your UPS doesn't support more verbose
> messages (and neither does it report runtime or charge capacity) so
> there is nothing more to report.
>
> Best regards, Arjen
> --
> Please keep list traffic on the list (off-list replies will be rejected)

--
Garðar Arnarsson
System administrator
Giraffi sf.
gar...@giraffi.net
http://gardar.giraffi.net
Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
Quoting Lukas Haase lukasha...@gmx.at:

> I somehow tried both but it does somehow not work as expected. When I add
>
>     ups : ALL
>     upsd : ALL
>
> to hosts.deny, then no communication should be possible. However, I can
> access the statistics from another host running upsstats.cgi! I also
> tested with upsc denchi@localhost - it always works!

The documentation says that this tcp-wrappers is only used for commands
that require to be logged in to the UPS. Since upsc and upsstats don't
require a login, this will be passed through. There is not much point in
trying to prevent this (see the mailing list archives).

Best regards, Arjen
--
Please keep list traffic on the list (off-list replies will be rejected)
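
Added example, not part of the original messages and not NUT project code: since read-only queries such as upsc are not filtered by tcp-wrappers, the addresses upsd binds to decide who can read UPS data. This Python script audits an upsd.conf for the ACL/ACCEPT/REJECT directives that the syslog messages in this thread report as unsupported, and lists LISTEN addresses reachable beyond loopback; the sample config is constructed, and port 3493 and the loopback-only default when no LISTEN line exists are assumptions not stated in the thread.

```python
import ipaddress

LEGACY = ("ACL", "ACCEPT", "REJECT")  # reported as unsupported in the syslog lines
DEFAULT_PORT = "3493"  # assumption: upsd's default port, not stated in the thread

# Constructed sample: a lenny-era upsd.conf carried over to squeeze.
SAMPLE_CONF = """\
# old access control, ignored after the upgrade
ACL all 0.0.0.0/0
ACL localnet 192.168.1.0/24
ACCEPT localnet
REJECT all
LISTEN 127.0.0.1 3493
LISTEN 192.168.1.10
"""

def audit_upsd_conf(text):
    """Return (legacy_lines, listeners) for the text of an upsd.conf."""
    legacy, listeners = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simple parse: drop comments, split on spaces
        if not fields:
            continue
        if fields[0] in LEGACY:
            legacy.append((lineno, " ".join(fields)))
        elif fields[0] == "LISTEN" and len(fields) >= 2:
            port = fields[2] if len(fields) > 2 else DEFAULT_PORT
            listeners.append((fields[1], port))
    if not listeners:  # assumption: with no LISTEN line upsd binds to loopback only
        listeners.append(("127.0.0.1", DEFAULT_PORT))
    return legacy, listeners

def exposed(listeners):
    """Listeners reachable from other hosts, i.e. anything that is not loopback."""
    out = []
    for addr, port in listeners:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # a host name rather than an IP literal
            loopback = addr.lower() == "localhost"
        if not loopback:
            out.append((addr, port))
    return out

if __name__ == "__main__":
    legacy, listeners = audit_upsd_conf(SAMPLE_CONF)
    for lineno, line in legacy:
        print(f"line {lineno}: '{line}' is ignored, so it restricts nothing")
    for addr, port in exposed(listeners):
        print(f"upsd reachable on {addr}:{port}; filter it with firewall rules")
```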