Security in UPS Software?
Anonymous Coward asks: "Does anyone have experience with UPS software that has an eye towards security? I want an alternative to APC's 'Powerchute for Linux'. I've just discovered that Powerchute opens multiple ports and there are no options to turn this 'feature' off. What is even worse is that APC Support has announced no plans to address the issue. This means that if your firewall is running Powerchute, you might have security issues. Another example of the lax security: Powerchute requests root privileges on install and has a certain 3-letter default password that anyone could guess within 5 minutes! Can anyone help with suggestions for alternative software?" Hmmm... I wonder if I accidentally put the default password in the text of this story.
Re:oo ooo me me me me!! (Score:2)
That sounds like a combination that an idiot would have on his luggage.
-Peter
Re:oo ooo me me me me!! (Score:1)
Re:oo ooo me me me me!! (Score:1)
- My root password is 1-2-3-4-5.
**********
Isn't that the kind of password an idiot would have on his luggage?
-Ed
Re:oo ooo me me me me!! (Score:2)
GTRacer
- I've changed the password
Re:What do you suggest, Einstein? (Score:1)
Perhaps you also wouldn't mind some silly hackers shutting down the UPS completely, or performing self-tests, or putting it in maintenance bypass, etc., either. All of this can be done from powerchute.
Re:SNMP (Score:3, Insightful)
My advice is to carefully firewall that machine with iptables. Block any network activity on the port that doesn't originate from the localhost. Also, be sure to filter spoofed packets.
Or simply write your own damn software. How hard can it be to snoop the traffic on the serial line that connects to the UPS and reverse engineer the protocol?
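One way to carry out the firewalling advice in this post (confine the daemon's ports to the loopback interface and drop spoofed packets), as an added example that is not code from the thread, from APC or from any of the UPS projects named here: a POSIX sh function that generates iptables rules for review and only executes them when APPLY=1 is set. The interface name, the LAN prefix, the port list (7000 is the apcupsd CGI port another post in this thread mentions; 9999 is made up) and the UPS_PEERS variable are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: generate iptables rules that keep a
# UPS daemon's TCP ports reachable from loopback only and drop obvious spoofs.
# Assumptions: IPv4 iptables with the conntrack match is present; the external
# interface, LAN prefix, ports and peer list are chosen by the caller.
# Rules are only printed unless APPLY=1 is set in the environment.

# ups_fw_rules EXT_IFACE LAN_CIDR PORT...
#   EXT_IFACE  interface facing the untrusted network (e.g. eth0)
#   LAN_CIDR   prefix of the inside network, or "-" on a single-homed host
#   PORT...    TCP ports the UPS daemon listens on
#   UPS_PEERS  optional space-separated IPs (e.g. apcupsd slaves) that may
#              still reach those ports; everything else is dropped
# Prints one iptables command per line, in the order they must be added.
ups_fw_rules() {
    ext=$1; lan=$2; shift 2

    # Local clients (the monitoring CGI, the shutdown script) use loopback.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened are allowed through.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoof: a loopback source address on a real interface is forged ...
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
    # ... and so is an inside-network source arriving on the outside interface.
    if [ "$lan" != "-" ]; then
        echo "iptables -A INPUT -i $ext -s $lan -j DROP"
    fi

    for p in "$@"; do
        # Named peers (master/slave shutdown traffic) are let in first ...
        for peer in ${UPS_PEERS:-}; do
            echo "iptables -A INPUT -p tcp -s $peer --dport $p -j ACCEPT"
        done
        # ... then the port is closed on every interface except loopback.
        echo "iptables -A INPUT ! -i lo -p tcp --dport $p -j DROP"
    done
}

# ups_fw_apply: same arguments; runs each rule when APPLY=1, else prints it.
ups_fw_apply() {
    ups_fw_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

# Review first: print the rules for a dual-homed firewall running the daemon
# on port 7000 (constructed values; adjust to your host).
ups_fw_apply eth0 192.168.1.0/24 7000
```

The rules are appended to whatever INPUT chain already exists, so the rest of the host's policy is untouched; on a master that must hear from its slaves, list the slaves in UPS_PEERS so that only those hosts reach the port and everything else is dropped.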
Re:Non-APC UPSes (Score:1)
If NUT doesn't support your hardware, you may find others there interested in developing a driver. You also may find it easier to get your UPS manufacturer to contribute a copy of its protocol docs to the project than to you individually.
Re:It's not a standard serial cable (Score:3, Interesting)
It is possible to wire your own cable; depending on your model of UPS and whether your computer asserts DTR on powerup you may not be able to achieve full functionality. E.g., http://www.eng.auburn.edu/users/doug/ups.html
You may also like to google for "APC" "wiring scheme", as quite a few people have tackled rolling their own cables and code for this problem.
A comment about APC... (Score:2)
Re:A comment about APC... (Score:1)
Do not hook up the 'smart' serial cable to the UPS before installing Windows or the client software. Why? During boot, Windows probes the serial ports for serial mice. When the APC UPS sees this probing, it goes into shutdown mode - you have only so long until the UPS shuts down power.
I've also had cases where the APC client did not shut down SQL or Exchange before pulling the power - and it had enough battery juice to keep going for another 20-30 minutes.
Another case where the so called Engineers of these products need to be strung up. Wankers.
Re:A comment about APC... (Score:2)
Ports are for remote admin? (Score:1)
Someone should set up a test box with this software and then sue APC once they get hacked....
NUT! (Score:5, Informative)
NUT talks with APC and friends. It's GPL'ed and works.
http://www.exploits.org/nut/
firewall the ports (Score:1, Insightful)
Every server should have its own firewall script anyway that only allows incoming traffic on a limited set of ports.
Use different software (Score:2, Informative)
Well duh.. (Score:1)
Belkin UPS boxes *had* a similar problem (Score:2, Interesting)
The default password access page could easily be bypassed by anyone who knew the directory tree and the IP address of the workstation / UPS.
This was fixed a few weeks after the article came out for some reason.
Take a careful look at the software for ANY Web-controlled devices (including routers and toasters) for ugly surprises before running it on your network.
It's worse (Score:3, Interesting)
Yes, it really is just a f%*kup waiting to happen.
apcupsd (Score:4, Informative)
There is an optional cgi monitoring program that by default will listen on port 7000 I believe.
www.apcupsd.org
I use it and I do not think it opens any other ports except that one and as I said you don't need to have the cgi on. There is a powerchute clone. It is open source so if it does open a port up you can close this.
Oh the only other reason you may have ports is if you have slave machines and a master on one ups and you want the master to shut the slaves down. The slaves and masters all have to open communications so that they can be told to shutdown. I think in apcupsd if you have no slaves then this is not an issue.
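A way to verify the claim in this post ("I do not think it opens any other ports") on your own host, as an added example that is not code from the thread or from apcupsd: a POSIX sh function that reads `ss -ltnp` output and prints every listening socket owned by the named process that is bound to something other than loopback. The process name `apcupsd`, the port numbers and the sample `ss` lines are constructed for the example; on a master with slaves, the only exposed socket you should see is the one the slaves connect to.

```shell
#!/bin/sh
# Added example, not code from the thread or from apcupsd: list the listening
# sockets a UPS daemon has bound to something other than loopback, so you can
# confirm that only the ports you expect (the CGI port, or the master/slave
# port) are reachable from the network.  Reads `ss -ltnp` output on stdin;
# the process name is assumed to be what appears in ss's users:(...) column.

# ups_exposed_listeners NAME
# Prints "addr:port" for every LISTEN socket owned by NAME whose local address
# is not loopback.  Exit status is 1 if any were found, 0 otherwise.
ups_exposed_listeners() {
    awk -v name="$1" '
        $1 == "LISTEN" && index($NF, "\"" name "\"") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # drop the ":port" suffix
            # 127.x and [::1] are loopback; "*", 0.0.0.0 and [::] mean every interface
            if (addr !~ /^127\./ && addr != "[::1]") { print $4; found++ }
        }
        END { exit (found > 0) }'
}

# Constructed sample in the shape of `ss -ltnp` output (not captured from a
# real host): one loopback-only apcupsd socket, two exposed ones, and sshd.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:7000 0.0.0.0:* users:(("apcupsd",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:* users:(("apcupsd",pid=1234,fd=6))
LISTEN 0 128 [::]:9999 [::]:* users:(("apcupsd",pid=1234,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

# check_sample: run the check over the constructed sample; prints the two
# exposed apcupsd sockets and returns 1.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | ups_exposed_listeners apcupsd
}

# Stand-alone run over the sample.  On a real host use:
#   ss -ltnp | ups_exposed_listeners apcupsd
check_sample || echo "exposed UPS daemon sockets found" >&2
```

Anything the function prints is a socket the daemon has opened to the network; if it is not the master/slave port, or if it is but the peers are not restricted by the firewall, that is the port to close or filter.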
Write it yourself (Score:1)
powstatd[-crypt] (Score:2)
Best of all, it's Free Software.
What kind of fucking retard are you? (Score:2)
Firewall the ports you don't want it to use. If your firewall runs upsd, you're a moron, but you can still firewall those ports on whichever interface you want -- that's what a firewall does.
Now, let's ask ourselves: why would a program which can shut down your computer in the event of a power failure, and which listens on a serial port need root permissions to install???
Christ!
- A.P.
UPS software? (Score:1)
Not some lame battery pack.