Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
2011/3/11 Charles Lepple clep...@gmail.com

> On Mar 10, 2011, at 4:41 PM, Lukas Haase wrote:
>
>> However, after upgrading from Debian lenny to Debian squeeze (version 2.4.3-1.1squeeze1) I get the messages in syslog:
>>
>>     ACL in upsd.conf is no longer supported - switch to LISTEN
>>     ACCEPT in upsd.conf is no longer supported - switch to LISTEN
>>     REJECT in upsd.conf is no longer supported - switch to LISTEN
>>     allowfrom in upsd.users is no longer used
>>
>> Well, I commented out the lines and it works now. However, there is no access restriction anymore! :-(
>>
>> Why have these wonderful features been dropped? Are there at least any alternatives for ACL, ACCEPT, REJECT and allowFrom?
>
> The following web page indicates that the Debian squeeze packages of NUT were linked against libwrap, which has had a much longer track record of user-space connection filtering than NUT:
>
> http://packages.debian.org/squeeze/nut
>
> This information should be in /usr/share/doc/nut/UPGRADING.gz. The NUT mailing list archives have a number of threads where the reasoning for this change has been discussed.
>
> You also might want to consider kernel-level firewall rules. That means that you won't be exposed to bugs in either NUT's connection handling, or that of libwrap.

A full chapter of the user documentation focuses on all the security mechanisms available with NUT, including TCP-Wrappers, Firewall, (SSL) authentication and encryption:

http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html

cheers,
Arnaud
--
Linux / Unix Expert RD - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/

___
Nut-upsuser mailing list
Nut-upsuser@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/nut-upsuser
Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
On 11.03.2011 10:32, Arnaud Quette wrote:

> [...]
> a full chapter of the user documentation focuses on all the security mechanisms available with NUT, including TCP-Wrappers, Firewall, (SSL) authentication and encryption
> http://www.networkupstools.org/docs/user-manual.chunked/ar01s09.html

Aah, thanks for the pointer!

If I understand correctly, /etc/hosts.deny and .allow should provide the same functionality as allowFrom/ACL/ALLOW/REJECT. Fortunately the Debian package is linked to libwrap0 which should provide this functionality, should it?!

Nevertheless, I do not understand why you use ups in hosts.allow and upsd in hosts.deny? I somehow tried both but it does somehow not work as expected.

When I add

    ups : ALL
    upsd : ALL

to hosts.deny, then no communication should be possible. However, I can access the statistics from another host running upsstats.cgi! I also tested with upsc denchi@localhost - it always works!

However, running upsmon I get the following error in syslog:

    upsmon[20181]: Startup successful
    upsmon[20184]: Login on UPS [denchi@localhost] failed - got [ERR ACCESS-DENIED]

When I add

    upsd : monmaster@127.0.0.1/32

to hosts.allow it works:

    upsmon[20213]: Startup successful
    upsd[19700]: User monmaster@127.0.0.1 logged into UPS [denchi]

So it somehow works partially ... What is the explanation for this?

Regards,
Luke
Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
Quoting Lukas Haase lukasha...@gmx.at:

> I somehow tried both but it does somehow not work as expected.
>
> When I add
>
>     ups : ALL
>     upsd : ALL
>
> to hosts.deny, then no communication should be possible. However, I can access the statistics from another host running upsstats.cgi! I also tested with upsc denchi@localhost - it always works!

The documentation says that this tcp-wrappers is only used for commands that require to be logged in to the UPS. Since upsc and upsstats don't require a login, this will be passed through. There is not much point in trying to prevent this (see the mailing list archives).

Best regards, Arjen
--
Please keep list traffic on the list (off-list replies will be rejected)
Re: [Nut-upsuser] Access restriction on Upgrade Debian lenny - Debian squeeze
On Mar 10, 2011, at 4:41 PM, Lukas Haase wrote:

> However, after upgrading from Debian lenny to Debian squeeze (version 2.4.3-1.1squeeze1) I get the messages in syslog:
>
>     ACL in upsd.conf is no longer supported - switch to LISTEN
>     ACCEPT in upsd.conf is no longer supported - switch to LISTEN
>     REJECT in upsd.conf is no longer supported - switch to LISTEN
>     allowfrom in upsd.users is no longer used
>
> Well, I commented out the lines and it works now. However, there is no access restriction anymore! :-(
>
> Why have these wonderful features been dropped? Are there at least any alternatives for ACL, ACCEPT, REJECT and allowFrom?

The following web page indicates that the Debian squeeze packages of NUT were linked against libwrap, which has had a much longer track record of user-space connection filtering than NUT:

http://packages.debian.org/squeeze/nut

This information should be in /usr/share/doc/nut/UPGRADING.gz. The NUT mailing list archives have a number of threads where the reasoning for this change has been discussed.

You also might want to consider kernel-level firewall rules. That means that you won't be exposed to bugs in either NUT's connection handling, or that of libwrap.
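
An added example (not part of the thread and not NUT's own code): a shell audit of the three points raised above, namely leftover ACL/ACCEPT/REJECT/allowfrom lines that upsd now ignores, LISTEN addresses that are not loopback (where read-only queries such as upsc skip the tcp-wrappers check), and a default-deny upsd entry in hosts.deny. The function names, addresses, port and file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# Removed directives still present; upsd ignores them and only logs a warning.
stale_directives() {   # $1 = upsd.conf, $2 = upsd.users
    {
        awk '$1 == "ACL" || $1 == "ACCEPT" || $1 == "REJECT" { print $1 }' "$1"
        grep -Eiq '^[[:space:]]*allowfrom[[:space:]]*=' "$2" && echo allowfrom
    } | LC_ALL=C sort -u | xargs
}

# LISTEN addresses other than loopback: status reads there need no login.
nonlocal_listeners() {   # $1 = upsd.conf
    awk '$1 == "LISTEN" && $2 !~ /^127\./ && $2 != "::1" && $2 != "localhost" { print $2 }' "$1" | xargs
}

# True when hosts.deny has a default-deny entry covering the upsd daemon name.
wrappers_default_deny() {   # $1 = hosts.deny
    grep -Eq '^[[:space:]]*(upsd|ALL)[[:space:]]*:[[:space:]]*ALL' "$1"
}

audit_nut() {   # $1 = upsd.conf, $2 = upsd.users, $3 = hosts.deny
    stale=$(stale_directives "$1" "$2")
    open=$(nonlocal_listeners "$1")
    [ -n "$stale" ] && echo "STALE: $stale (ignored, restricts nothing)"
    [ -n "$open" ] && echo "READS-OPEN: $open (no login needed; firewall it)"
    wrappers_default_deny "$3" || echo "LOGINS-OPEN: no 'upsd : ALL' in hosts.deny"
    return 0
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/upsd.conf" <<'EOF'
ACL all 0.0.0.0/0
ACL lan 192.168.1.0/24
ACCEPT lan
REJECT all
LISTEN 127.0.0.1 3493
LISTEN 192.168.1.10 3493
EOF
cat > "$demo/upsd.users" <<'EOF'
[monmaster]
    password = CHANGEME
    allowfrom = lan
    upsmon master
EOF
printf 'upsd : ALL\n' > "$demo/hosts.deny"
audit_nut "$demo/upsd.conf" "$demo/upsd.users" "$demo/hosts.deny"
```

On a real host the three arguments would be the installed upsd.conf, upsd.users and /etc/hosts.deny; a READS-OPEN finding is the case where the kernel-level firewall rules suggested in the thread apply.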